The FCA published its view of the financial sector’s preparedness to meet its operational resilience rules (PS21/3) on 28 May 2024. The update was published as a reminder of FCA expectations and steps for firms to take to comply by the end of the transition period on 31 March 2025.
The publication is designed to aid firms in reviewing their approach to key areas of the policy: important business services, impact tolerance, mapping and third parties, scenario testing, vulnerabilities and remediation, response and recovery plans, governance, self-assessment, embedding operational resilience, and horizon scanning.
The FCA outlined its insights and observations across nine core elements of its operational resilience rules.
The FCA notes variability in how firms are identifying IBS. It urges firms to take a comprehensive approach to their assessments, ensuring they do not rely on one factor alone, for example, substitutability by competitors.
The FCA expects justifications for identified and excluded services to be well-documented in the firm's self-assessment.
The FCA observes a need for firms to have clearer rationales for the setting of tolerances. It indicates that firms should consider using additional metrics - for example types of customers, values and types of transactions, criticality of transaction, estimated losses - beyond the use of time-bound tolerances.
The regulator also highlights the importance of firms differentiating between impact tolerances and recovery time objectives, emphasising that recovery plans need to fall within set tolerances.
The FCA expects firms’ mapping of resources and processes to mature over time, and that this supports the identification of vulnerabilities.
The FCA emphasises the importance of managing third-party relationships to ensure resilience, reiterating that responsibility for meeting impact tolerance remains with the firm.
The FCA reminds firms that they must develop detailed testing plans that are continuously updated to ensure they can remain within impact tolerances under severe but plausible scenarios.
Firms’ testing is expected to have matured and developed in sophistication, evolving from judgement-based to more empirical testing. This should also include third parties in order to gain a comprehensive understanding of their resilience capabilities.
The FCA expects firms’ mapping and scenario testing should identify vulnerabilities that may breach impact tolerances. In particular, it expects any remediation activity for vulnerabilities identified in the early part of the transition period to have significantly progressed.
It adds that as firms’ mapping and scenario testing matures, firms should prioritise addressing vulnerabilities that significantly impact their ability to remain within impact tolerances. Firms should also ensure that regular reviews are conducted to identify new vulnerabilities
Firms’ remediation plans should be approved, fully funded, and verified through repeated scenario tests.
The FCA expects firms to maintain effective response and recovery plans that provide alternative actions during disruptions to avoid breaching impact tolerances.
It found limited evidence of response plan testing in self-assessments and encouraged more comprehensive testing.
The FCA notes that firms’ self-assessments should detail the firm's journey to operational resilience, including vulnerabilities found, scenarios tested, remediation plans, and its overall strategy. These assessments should be reviewed and approved by firms’ governing bodies.
The FCA wants to see operational resilience embedded within the firm's overall risk frameworks, including change management and strategic planning. It should be a cultural way of working, not just regulatory compliance.
The regulator expects firms to regularly refresh their understanding of risks through horizon scanning, to ensure appropriate testing and controls for current and future operational disruptions are maintained.
Identify gaps in current approaches and assess readiness.
Prioritise action to address the key gaps that would impact the ability to remain within tolerance.
Integration of operational risk with operational resilience and testing strategies to enable robust horizon scanning.
Firms need to ensure they adhere to the operational resilience policy (PS21/3) and that capabilities are built utilising the FCA Handbook. Where firms identify any gaps in their approaches based on the FCA’s observations, they should take steps to address them as a priority.
Firms need to make sure that they have integrated operational resilience into their day-to-day operations, in line with the overall risk frameworks of the entire enterprise. This includes areas such as change management and strategic planning, with the necessary governance structures in place.
Boards and senior management of firms should thoroughly evaluate their approach to managing risks, ensuring that all remediation plans are approved, adequately funded, and subject to appropriate governance. It is important to ensure that these plans are effectively implemented and verified through repeated scenario tests, providing evidence of vulnerability resolution.
Firms must establish a clearly defined testing strategy that enables them to assess the scenario and severity at which the IBS can operate within the defined tolerance. This strategy should take into account incident and testing data from various sources within the firm, such as penetration tests, disaster recovery testing, and other component testing. This data should be considered when conducting scenario testing to ensure a comprehensive understanding of the IBS capabilities and any vulnerability required to be remediated.
The operational resilience policy (PS21/3) transition period ends on 31 March 2025. Ahead of this deadline, firms must ensure that they can remain within impact tolerance in severe but plausible scenarios for any identified important business services, and have your plans approved by your Board in good time.
In this episode, host Tessa Norman is joined by two PwC Directors: Julia Ramsay, a specialist in Third Party and Supply Chain Risk, and Tom Kohler, a specialist in Financial Services Resilience and Risk Management, to explore the regulation of critical third parties (CTPs).
In this episode, host Andrew Strange analyses the Operational Resilience regulatory agenda alongside two expert guests. Duncan Scott, from PwC’s Crisis and Resilience practice, and Paul Williams, a specialist adviser on Operational Resilience for PwC, join the podcast to take a look at regulatory landscape, the challenges facing firms, and the importance of embedding resilience in an increasingly volatile environment.
