The UK regulators have set out their Operational Resilience requirements and firms will be well into their implementation projects, but it’s worth taking a step back and checking if your project is set up correctly and actually delivering on the requirements. To meet the UK Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) requirements on operational resilience, here are the top 10 things financial institutions should focus on:
1. Embedding the Framework: Ensure that the operational resilience framework is fully integrated into the organisation’s governance structure, policies, and procedures. It should become an inherent part of the firm’s culture.
2. Impact Tolerance: Establish clear impact tolerances for each important business service, defining the maximum acceptable disruption and recovery time objectives. Regularly review and update these impact tolerances based on evolving business priorities and risks.
3. Mapping Important Business Services: Conduct a comprehensive mapping exercise to identify and understand the dependencies, interconnections, and critical components of important business services. This includes both internal and external dependencies.
4. Scenario Testing: Perform rigorous scenario testing to assess the resilience of important business services. Create realistic stress test scenarios and analyse the impact on operations, ensuring that the testing considers a wide range of disruptive events.
5. Communication and Coordination: Strengthen communication and coordination within the organisation, as well as with external stakeholders, such as regulators, clients, and third-party providers. Clearly define roles, responsibilities, and escalation procedures to enhance collaboration during disruptive events.
6. Governance and Reporting: Establish a robust governance framework to oversee operational resilience. Regularly report to senior management and the board, providing accurate and timely information on the firm’s operational resilience capabilities, risks, and progress.
7. Cyber Resilience: Enhance cyber resilience by implementing effective cybersecurity measures, regularly testing the security controls, and continuously monitoring for emerging threats. Cyber incidents can significantly impact operational resilience, so maintaining a strong cybersecurity posture is crucial.
8. Supply Chain Resilience: Assess and monitor the resilience of key suppliers and third-party providers. Understand their potential impact on important business services and establish contingency plans to mitigate any disruptions caused by supplier failures.
9. Staff Awareness and Training: Foster a culture of operational resilience among staff members. Provide regular training and awareness programs to educate employees about the importance of operational resilience and their roles in maintaining it.
10. Continual Improvement: Treat operational resilience as an ongoing process rather than a one-time exercise. Continually review and refine your operational resilience framework, incorporating lessons learned from incidents, feedback from regulators, and emerging industry best practices.By prioritising these key areas, financial institutions can strengthen their operational resilience capabilities and meet the requirements set forth by the UK PRA and FCA. Remember to stay updated with regulatory developments and adapt your approach accordingly to ensure ongoing compliance.
Author: Palvinder Gill our UK regulatory operational resilience expert
Find more of our latest news posts here.