The 31 March 2022 deadline for implementing operational resilience frameworks is drawing closer. We share our observations on activity so far, and offer our tips on what firms should focus on in the coming weeks.
Following much consultation and development, the regulatory requirements for operational resilience are rapidly approaching. For insurance intermediaries, this applies to enhanced scope SM&CR firms. By the end of March these firms should have:
identified their important business services
set impact tolerances
performed mapping and scenario testing to a sufficient level to identify vulnerabilities.
Firms must also have conducted ‘lessons learned’ exercises, developed communication plans and documented their self-assessment, providing a snapshot of the firm’s operational resilience at a specific point in time.
Although the regulator has allowed for proportionality in its rules, and a transition period to 31 March 2025 for full implementation, there is still a lot for firms to do ahead of the 31 March 2022 deadline. In a recent FCA webinar, the key message was to “make sure you comply with the first policy milestone by 31 March this year”, showing the FCA will not accept any delays or non-compliance at that date.
How are you doing?
Through our regular interactions with firms and assurance work in this area, here’s what we’ve observed:
Important business services
Most firms have identified their important business services and, in many cases, concluded they only have a few.
Some firms have mistakenly identified processes or systems, rather than services. The rules require identification of services, with the supporting processes and systems captured in the mapping.
In identifying important business services, many firms have focused more on potential harm to their customers than on risks to the financial system or market. Firms should demonstrate that they have adequately considered both customers and the market.
Sometimes the rationale for important business services is lacking or too high-level. The FCA has also highlighted this. In particular, it expects rationale to be well thought out and distinct for each important business service – and supported by metrics (e.g. market share, number and type of customers, transaction volumes).
Most firms have set impact tolerances, the majority using metrics of duration/time (e.g. x hours/days) as mandated in the rules.
Firms have faced some challenges identifying the point at which intolerable harm to customers and the market is reached. This has led to some good discussion and debate. But the rationale and conclusions are not always well articulated and documented.
Some firms are failing to adopt the external view of operational resilience the FCA requires. These firms are focusing on the impact of disruption on the firm itself rather than on customers and the market.
The recent FCA webinar stressed firms must have a clear process for setting impact tolerances and be able to explain their thinking.
Mapping (processes, people, technology, facilities and information)
Mapping exercises are at different levels of completion across firms. Levels of detail and granularity vary. For the 31 March 2022 deadline, the regulator requires the mapping to be at a level of sophistication to identify important business services, set impact tolerances and identify any vulnerabilities in operational resilience.
In some cases, the mapping is simply too high level. For example, for ‘technology’, citing ‘IT infrastructure’ rather than the individual underlying systems which support the provision of the service. Similarly, for ‘people’, failing to specify any key persons necessary for service delivery. Although the mapping process will likely be iterative during the transition period, firms won’t be able to identify specific vulnerabilities or design suitable scenario tests without sufficient detail at the start.
We’ve seen very little scenario testing, and few ‘lessons learned’ exercises, communication plans or self-assessment documents. While it seems some work is happening on these behind the scenes, the output isn’t yet ready and we envisage firms will continue to focus on these areas right up to the March deadline.
On the whole, though, we are seeing firms taking the topic of operational resilience seriously with good levels of board and senior management engagement. So this is positive.
What should firms focus on in the time remaining?
Reflect on our feedback in this article and from the recent FCA webinar, and review the outputs you have completed so far in light of this. In particular, we encourage firms to assess the level and quality of documentation and rationale for decisions taken to date on important business services, impact tolerances and mapping.
Consider the remaining actions you need to take before the 31 March 2022 deadline and develop a clear plan. In particular, allow enough time for the final steps which you may not have focused on so far – scenario testing, ‘lessons learned’ exercises, communication plans and the self-assessment document.
Allow for board or committee review and approval (where needed) of key outputs, and sufficient time to implement any feedback. The FCA requires boards to show they are satisfied the firm is meeting its operational resilience responsibilities. So they must demonstrate suitable oversight and hold senior management to account.
Allocate sufficient resources to complete the remaining actions and don’t delay – the FCA has said that firms must “act now to ensure you are ready for the 31 March deadline”. Although there is a transition period, the FCA has been clear on the actions firms need to take ahead of the 31 March 2022 deadline and this may require some additional effort and resource in these final weeks.
Finally, we encourage firms to consider their ongoing assurance needs in relation to operational resilience. Some firms have already approached PKF for assurance work on their operational resilience frameworks in Q2/3 this year. The focus is on whether firms have met the key requirements of the FCA and whether the documentation and outputs satisfactorily demonstrate compliance and the level of detail and rationale the FCA is expecting to see.
Our assurance work will also provide insights and help firms to identify priorities and next steps for the transition period to 31 March 2025. If you would like to discuss your assurance needs, please contact our Governance, Risk & Control Assurance team.