What does this mean?
The FCA outlined its insights and observations across nine core elements of its operational resilience rules.
Important Business Services (IBS)
The FCA notes variability in how firms are identifying IBS. It urges firms to take a comprehensive approach to their assessments, ensuring they do not rely on one factor alone, for example, substitutability by competitors.
The FCA expects justifications for identified and excluded services to be well-documented in the firm's self-assessment.
Impact Tolerance
The FCA observes a need for firms to have clearer rationales for the setting of tolerances. It indicates that firms should consider using additional metrics (for example, types of customers, values and types of transactions, criticality of transaction, estimated losses) beyond the use of time-bound tolerances.
The regulator also highlights the importance of firms differentiating between impact tolerances and recovery time objectives, emphasising that recovery plans need to fall within set tolerances.
Mapping and Third Parties
The FCA expects firms’ mapping of resources and processes to mature over time, and that this supports the identification of vulnerabilities.
The FCA emphasises the importance of managing third-party relationships to ensure resilience, reiterating that responsibility for meeting impact tolerance remains with the firm.
Scenario Testing
The FCA reminds firms that they must develop detailed testing plans that are continuously updated to ensure they can remain within impact tolerances under severe but plausible scenarios.
Firms’ testing is expected to have matured and developed in sophistication, evolving from judgement-based to more empirical testing. This should also include third parties in order to gain a comprehensive understanding of their resilience capabilities.
Vulnerabilities and Remediation
The FCA expects firms’ mapping and scenario testing to identify vulnerabilities that may breach impact tolerances. In particular, it expects any remediation activity for vulnerabilities identified in the early part of the transition period to have significantly progressed.
It adds that as firms’ mapping and scenario testing matures, firms should prioritise addressing vulnerabilities that significantly impact their ability to remain within impact tolerances. Firms should also ensure that regular reviews are conducted to identify new vulnerabilities.
Firms’ remediation plans should be approved, fully funded, and verified through repeated scenario tests.
Response and Recovery Plans
The FCA expects firms to maintain effective response and recovery plans that provide alternative actions during disruptions to avoid breaching impact tolerances.
It found limited evidence of response plan testing in self-assessments and encouraged more comprehensive testing.
Governance and Self-Assessment
The FCA notes that firms’ self-assessments should detail the firm's journey to operational resilience, including vulnerabilities found, scenarios tested, remediation plans, and its overall strategy. These assessments should be reviewed and approved by firms’ governing bodies.
Embedding Operational Resilience
The FCA wants to see operational resilience embedded within the firm's overall risk frameworks, including change management and strategic planning. It should be a cultural way of working, not just regulatory compliance.
Horizon Scanning
The regulator expects firms to regularly refresh their understanding of risks through horizon scanning, to ensure appropriate testing and controls for current and future operational disruptions are maintained.