As we hit the home stretch before the FCA's rules on building operational resilience take full effect, the regulator has published "insights and observations" to help in-scope firms with their preparations. In this article, written for Compliance Monitor, Michael Lewis and Emma Radmore look at the FCA's requirements and what it is urging firms to do now.

The FCA gave firms notice back in March 2021 that it wished to see improvements in firms' approach to operational resilience. It made new rules covering all dual-regulated and enhanced scope SMCR firms, as well as recognised investment exchanges and all payment and e-money institutions, whether registered or authorised. The transitional period for those rules ends in March 2025, although the FCA expected firms to have carried out significant preparatory work by March 2022. It has now become clear to the FCA that some firms are not as prepared as it might like.

Background

The drive towards the new requirements started with a discussion paper in 2018. The FCA, in conjunction with the Bank of England (as financial market infrastructure supervisor) and the PRA, then consulted in 2019 on changes firms could usefully make to the way in which they approach their operational resilience and in doing so protect not only themselves but also the UK's financial sector. While this initiative preceded the pandemic, the FCA has since noted that the pandemic provided a clear example of the kind of severe but plausible event its proposals (and now requirements) want firms to consider.

The new requirements

The final rules, made on 29 March 2021, apply to:

  • Dual authorised firms which are banks, building societies, designated investment firms and insurers;
  • Solo authorised firms which are enhanced scope SMCR firms;
  • Recognised Investment Exchanges; and
  • Entities that are authorised or registered as payment or e-money institutions.

The key requirements of the new rules, within SYSC 15A of the FCA's Handbook, are that a firm must:

  • Identify: Identify its important business services;
  • Set Tolerance: Set an impact tolerance for each identified important business service;
  • Processes: Have in place sound, effective and comprehensive strategies, processes and systems that enable it to comply with its obligations under the rules, proportionate to the nature, scale and complexity of its activities;
  • Map: Identify and document the people, processes, technology, facilities and information necessary to deliver each important business service, in a way that allows the firm to identify vulnerabilities (which the FCA calls "mapping"), and remedy them as appropriate;
  • Test: Develop and keep up to date a testing plan that details how it will gain assurance that it can remain within the impact tolerances it has set, and carry out testing to assess that ability in the event of a severe but plausible disruption to its operations;
  • Learn: Carry out a "lessons learned" exercise after each scenario test or event of operational disruption;
  • Self-assess: Keep a written record of its assessment of its compliance with the operational resilience requirements, which must be approved and regularly reviewed by the firm's governing body; and
  • Communicate: Have an internal and external communication strategy that allows quick and effective action in the event of anticipated harm from operational disruptions.

For most of the requirements, there is an expectation that the conclusions and actions be reviewed at least annually.

The FCA gave firms a long transitional period in which to implement the new requirements fully. By the end of it, firms need to have carried out their initial assessments, performed their mapping and scenario testing, and be in a position to show that they can remain within their impact tolerances.

FCA's concerns

With less than a year to the long-stop deadline of March 2025, the FCA published further information for firms in late May 2024, setting out its observations on what firms had been doing to prepare. Firms can use these observations to review their own approaches and assess their readiness to comply with the new requirements.

The FCA divided its observations into key sections:

Important business services

Clearly it is critical that firms correctly identify what their important business services are, and that they have a process in place to keep the list up to date as the business evolves. It seems that some firms had misunderstood the requirement. For example, the FCA found firms that had excluded a service from their list on the basis that, because clients could obtain a substitute from a competitor, the service would still be provided. The FCA stressed that whether a service is important should not be determined by reference to response or recovery capabilities, and that firms should record in writing, with clear justifications, their reasons for excluding services, whether initially or on review.

So what is an "important business service"? The FCA's Glossary definition says it is a service provided by a firm, or another person on its behalf, to one or more clients of the firm which, if disrupted, could cause intolerable levels of harm to any one or more of the firm's clients, or could pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. And within the rules in SYSC 15A.2 the FCA sets out factors firms should consider when identifying these services. From the FCA's recent observations, it is clear that firms should view their services at a granular level, and should take into account a wide range of factors when assessing them.

Impact tolerance

The FCA is concerned about the narrow range of metrics, and the lack of documented rationale, that firms have been using when setting their impact tolerance for each important business service. The FCA's definition of "impact tolerance" describes it as the "maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption… could cause intolerable harm…" However, it seems some firms have read this as requiring a time-based measure only. The FCA particularly noted that time-bound tolerances should not be the only measure and that firms could complement them by considering, for example, types of customer, types of transaction, and the criticality or value of transactions. It also noted that recovery time objectives are not the same as impact tolerances: a recovery time objective should be set well within the impact tolerance, so that once recovery is complete there is still time to take appropriate action before the tolerance is breached.

Mapping and third parties

To borrow a phrase from the Consumer Duty, operational resilience mapping is not a "once and done" exercise, nor something that should be seen as tick-box regulatory compliance. Instead, it should be a way of working that is embedded into firms' overall culture. The FCA expects to see firms' mapping processes maturing over time. It also notes the importance of keeping constant tabs on third party providers, since a third party's failure to perform within the firm's tolerance is the firm's problem.

Scenario testing

Firms need to be on the front foot in devising testing scenarios that are severe but plausible. As an indication of how long the FCA expects firms to have been working on this, it says it expects to see that scenario testing and mapping, and the format and type of testing, will have matured and developed throughout the transition period.

Vulnerabilities and remediation

The FCA expects all remediation activity to have reached the point, by the end of the transition period, where identified vulnerabilities have been addressed so that the firm can remain within its impact tolerances. Firms should have in place approved remediation plans that are fully funded and appropriately governed.

Response and recovery plans

Although testing of plans is a fundamental way of understanding a firm's ability to stay within its tolerance levels, the FCA has seen only limited evidence that firms have been testing their response plans; instead, firms have mainly relied on recovery when making their tolerance assessments.

Governance and self-assessment

Two things are clearly critical: evidencing the reasons for decisions and actions, and treating the self-assessment as an iterative document. Since the firm's governing body needs to approve the document, it must contain all the information needed for the body to understand the firm's position, the vulnerabilities identified, the scenarios tested, the test results, the remediation plans and the overall strategy. It should also identify any further remedial work that may be needed if concerns remain about the firm's ability to stay within any of its impact tolerances.

Embedding operational resilience

The FCA hopes to see operational resilience frameworks embedded within enterprise-wide risk frameworks in future.

Risk scenario scanning

And, of course, because operational resilience needs constant assessment and review, it is important that firms keep an eye on new and emerging risks, and that they refresh their risk scenarios regularly.

Key takeaways

All in all, then, it seems that while firms have been trying to prepare for the end of the transitional period, they have often been looking through a lens that is too narrow, and have not appreciated the bigger picture. As a result, many firms risk not having in place policies and procedures that set and test appropriate impact tolerances for all the services the FCA expected them to include in their assessment of their important business services. The key messages from the FCA's update are:

  • If a service is important, then treat it as an "important business service" regardless of how easy it would be to obtain it from elsewhere if needed;
  • Evidence everything in the self-assessment, especially when excluding a service from the list of important business services and when explaining how impact tolerances are set;
  • Ensure changes to important business services, impact tolerances and mapping are clearly explained in the self-assessment;
  • Build operational resilience into wider firm-wide risk management policies and procedures; and
  • Build scenario testing into BAU.

Looking forward to March 2025 and beyond, the FCA has not made any key speeches specifically focused on operational resilience for some time. However, it is clear from a number of speeches this year that good operational resilience practices are critical to the UK's evolving digital landscape. More recent initiatives, such as the critical third parties regime introduced into UK law by FSMA 2023, also feed strongly into regulated firms' operational resilience systems and controls. Operational resilience also, of course, plays into the Consumer Duty, with its requirement to identify the effects of failures on vulnerable customers. And as with the Consumer Duty, it is essential to have the right internal team engaged to cover each area the FCA's requirements touch.

It's not too late. While there is much that should already have been done, and firms that have not prepared properly are on the back foot, there is now a good opportunity to take stock and assess whether what has been done to date meets the FCA's expectations.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.