The industry has long sought consistency, and in their approach to Operational Resilience the PRA and FCA have mostly delivered it in their co-ordinated Policy Statements released on 29th March, even if not everything that had been hoped for. For those firms who are dual-regulated, this will be a welcome approach that more closely aligns key definitions between the FCA and PRA. But the obligations remain distinct, and firms will still need to report separately on the work undertaken. For solo-regulated firms, there is now clarity on what is required and when.
The recent history of Operational Resilience stretches back to July 2018, when the PRA, FCA and Bank of England released a joint Discussion Paper on the subject of Operational Resilience, “Building the UK financial sector’s operational resilience”. In the foreword, Andrew Bailey, Jon Cunliffe and Sam Woods talked about the risk of harm being caused to consumers through operational disruption within firms. What we have seen in the Consultation Papers and now in the Policy Statements is all aligned to ensuring firms take action to mitigate those risks of harm to consumers.
With so many of the outcomes well sign-posted from an early stage, many firms have already initiated programmes to implement their approach to Operational Resilience, and the lack of change between consultation and Policy Statement will provide those firms with some reassurance. The Covid-19 pandemic has had an impact and, in recognition of this, the PRA and FCA have moved the deadlines for implementation, which is very helpful. A deadline of 31st March 2022 has now been set for firms to complete the first phase of work, and 31st March 2025 for having a fully implemented Operational Resilience programme that is a ‘dynamic activity’ within their business. Many insurance associations, however, responded in depth to the consultation. The general feeling in the market was that many of the regulators’ concerns were more appropriate for other elements of the financial services sector and less appropriate for insurance, but these responses have not met with the sort of changes sought.
The Policy Statements – The Approach
In keeping with normal practice, the PRA and FCA have both avoided a prescriptive approach to Operational Resilience, adopting something more principles-based within which firms are expected to chart their own course. In some ways this seems to be at odds with their own requirement that Operational Resilience be beneficial to the market as a whole, but set against this it could be argued that setting prescriptive market-wide standards could itself lead to a systemic risk.
Consequently, the insurance market, a diverse set of businesses, must consider how harm may be caused to customers on a firm by firm basis in the event of some operational failure even if, for example in the London market, the same disruption may impact many firms. Factors to consider may include:
- The specific type of product or service provided;
- The expectations of their customers;
- The nature, duration and severity of consequences if they are unable to provide that element of their service to customers.
It is for the Board of Directors to decide what is critical and to set the impact tolerances for that service. The expected approach will be to:
- Identify the ‘Important Business Services’ (IBS);
- Set Impact Tolerances for those IBS – the extent of disruption that can be tolerated before it might be considered that ‘harm’ is being caused to a consumer;
- Undertake ‘Mapping’ of the IBS to the people, processes, technology, facilities and information in their business that support the delivery of these IBS, including third parties;
- Undertake ‘Testing’ of their ability to remain within the ‘Impact Tolerances’ set for each IBS; and
- Create a framework and process which sees the approach existing as a living and embedded cycle within the business and functions with ongoing updating and monitoring a regular event.
The Accepted Approach To Operational Resilience
Before we look at what the FCA and PRA have said in their respective Policy Statements, it is worth looking at what has become the accepted approach to managing Operational Resilience risk. It is the approach that both regulators have adopted.
- Set your Governance framework and controls – ensure that your Operational Risk programme is effectively managed from the outset. Many firms have done this by incorporating significant elements of the framework within their risk assessment framework so as to not duplicate or overcomplicate the approach to what is required.
- Identify your ‘Important Business Services’, recognising that the PRA and FCA have slightly different definitions of these.
- Map your business services and vulnerabilities against those IBS.
- Identify and assess the role of all third-party service providers in the provision of your IBS.
- Identify the severe but plausible scenarios that, if they occurred, could give rise to significant interruptions to those IBS and plan your scenario testing.
- Set Impact Tolerances that define the maximum tolerable disruption to an IBS.
In terms of pulling a programme of works together many of the firms we have interacted with have adopted the following approach:
- Set up a project team, agree budgets and obtain approval from the Board (while at the same time educating the Board on Operational Resilience).
- Define IBS within the firm at a high level. Some firms have found it helpful to first draw up a list of all services and then assess their importance to the customer. As firms are required to be able to evidence and justify their decision making on how IBS were selected, this can be a key step.
- Map at a high level the services provided by function and/or line of business or by IBS, particularly in businesses where the same distribution platform may be used for several products or lines of business and, if it fails, it fails for all (using the opportunity to commence the education of the relevant business individuals).
- Select an IBS for undertaking a pilot. It is best here to select an IBS which may cut across multiple functional areas including one or more third parties as this can increase the learning experience from undertaking the pilot and create efficiencies later.
- Undertake the pilot by mapping all of the resources, identifying the relevant scenarios and testing the IBS.
- Report back to the Board on the outcome and agree the next phases of the programme or works required.
- Move to a full mapping exercise of all the firm’s IBS.
- Commence development of the oversight and governance framework for BAU.
- Identify the scenarios for each.
- Test the scenarios.
- Revisit IBS and Tolerances if necessary.
- Implement the oversight and governance framework for BAU.
What Constitutes an Important Business Service?
The regulators have confirmed that internal services such as HR and payroll are not of themselves included, except to the extent they may support the provision of an IBS. The focus is entirely on the services and outcomes for customers in the event of a disruption: ensuring firms build the resilience of the most important business services, with the most critical elements of those services being operationally resilient.
It is at the point of considering what does constitute an IBS that the FCA and PRA first deviate, albeit less than they did before the consultation process. There is an acknowledgement that this is driven by different statutory objectives.
FCA definition of IBS:
“means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
cause intolerable levels of harm to one or more of the firm’s clients; or
pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.”
PRA definition of IBS:
“A service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:
(where the firm is an O-SII/where the firm is a relevant Solvency II firm) the stability of the UK financial system; or
the firm’s safety and soundness; or
(for Solvency II firms) an appropriate degree of protection for those who are or may become the firm’s policyholders.”
The PRA has changed its definition to align more closely with the FCA definition so that both now include a service which is provided by the firm or by someone else on their behalf to a person (PRA) or a client (FCA). It is worth noting that in the view of the PRA and FCA, whilst the definitions are different, they expect that the work of a firm in achieving one should assist in achieving the other.
The PRA and FCA have also changed their respective definitions of Impact Tolerances to be more aligned. Both now refer to a length of time as well as other metrics and both now use the phrase “the maximum tolerable level of disruption to an important business service”.
It is worth noting that the language talks about individual Important Business Services. With Impact Tolerances linked to the IBS, firms should be aware that these must be set for each individual IBS – there is no need or requirement for an impact tolerance to be defined separately to cover the eventuality of disruption to multiple IBS concurrently. The reality is that scenarios likely to result in disruption to IBS will affect multiple services, or there could be multiple scenarios disrupting an IBS in different ways and some firms which are in the pilot phases have appropriately accounted for these possibilities while designing testing. But your planning needs to consider each IBS individually as Impact Tolerances are required on an IBS by IBS basis.
The PRA and FCA have confirmed that Impact Tolerances are likely to have a time-based metric, but that it should not be the only metric. Others might include the impact on a certain number of customers or transactions, or a certain level of complaints. The Regulators have been clear that they expect firms to make informed judgements using their own knowledge of their firm’s individual position vis-à-vis its customers.
“As with other areas of the policy, we consider firms are best placed to set their impact tolerances at the appropriate level. Firms should use the considerations we have provided to help inform their judgements when setting impact tolerances. This flexible and proportionate approach is important given the wide range of firms from different sectors and with varying customer bases which are in scope.”
It is worth noting that in this context, and in response to a specific question, the FCA have confirmed that it does anticipate scenarios where different legal entities in the same overall Group of companies may end up setting their own Impact Tolerances for the same IBS. It sees no specific problem with this happening, provided it has been duly considered by the Board.
In our view though, firms will be, and have been, seeking to align high level tolerances as much as possible to create efficiencies and ensure clarity in governance. This is certainly possible where a group is utilising the same IT, human resources etc. to provide the IBS through different regulated entities. What firms have to watch out for is the possibility of a bias caused by proportionality. If one regulated entity had 10,000 travel clients and the other 1 million, this would need to be taken into account in the approach. The smaller group company could not set its tolerance level at 10,000 impacted customers (100%), whereas the larger group company may consider 10,000 (1%) to be acceptable. Perhaps the approach could be to share other tolerances, for example the time-based tolerance (say 3 days of disruption to an IBS), or another such as tolerance levels for customer complaints set as a percentage rather than a real-number metric dealing with the number of customers impacted. Of course, some firms will be dealing with large corporate clients while others will have retail clients, including vulnerable customers, which in each case will warrant different metrics.
FCA definition of Impact Tolerances
“means the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.”
PRA definition of Impact Tolerances
“The maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time in addition to any other relevant metrics.”
Where a service is an Important Business Service under both definitions, it will be possible for one Impact Tolerance to be set even though the definition differs between FCA and PRA, as the work to ensure resilience under one definition should be leveraged to meet the other. In what we see as the limited number of cases where there may be different tolerances because of the different definitions, firms will need to identify clearly why and how they differ, monitor both separately and identify how their recovery may be different. We would expect that scenario testing may also differ where there are different impact tolerances.
Our own experience and work so far has indicated that there will, in all likelihood, be very few instances where the differences are so great that a different impact tolerance level is needed, because firms are likely to find it more appropriate to set the tolerance at a high level.
Scenarios and Scenario Testing
The PRA and FCA have further aligned their language on scenario testing. The PRA has made it clear that scenario testing must include “lessons learned” during testing and day-to-day operations, which aligns the approach of both and makes it clear that Operational Resilience is to be a dynamic activity.
The final policy now provides more guidance on what is a severe/extreme but plausible event, and that previous incidents or near misses, both within the firm and within the market, should be considered. This is of course in line with good risk management practice, so should come as no surprise to most firms. However, because different business models and proportionality come into play, the PRA and FCA have not given detailed guidance. They have, however, suggested that firms will perhaps discuss the issue with their supervisors to understand the scenarios selected. We see this as potentially a similar approach to Solvency II, when the PRA would require firms to change their approach because they were not in line with their peers and cohorts. There is in our view a risk that this could create rather than reduce a concentration of risk, and we would encourage firms to consider this aspect when taking on feedback from their supervisors.
The PRA and FCA have confirmed that firms are not required to map the services provided by their outsourced service providers. They have again clarified that if the service provided by an outsourced provider forms a critical element of an IBS the firm must monitor the outsourced service provider to ensure that the service they provide can be delivered within the impact tolerances for that IBS. The level of monitoring or assurance required will depend on the materiality of the third-party element of the IBS and the risk it presents to delivery of the IBS, along with the consequential harm a failure might cause to the customer.
This does, however, require work from firms. Monitoring of third parties will clearly require a change in approach and a new dashboard of MI, as well perhaps as a change in the auditing of those third parties. There is no doubt going to be some work for the lawyers as well, because outsourcing agreements are going to need to reflect these new monitoring requirements, particularly those included in Supervisory Statement 2/21 Section 4 on Governance of outsourced arrangements.
Timetable and Ongoing Responsibilities
The timetable for implementation of Operational Resilience by firms has been moved. The FCA and PRA now both require that firms must have completed the following by 31 March 2022:
- identified their Important Business Services;
- set their Impact Tolerances;
- commenced a programme of scenario testing; and
- have a developed plan which includes prioritisation of mapping and scenario testing to identify vulnerabilities.
A 3-year transitional period begins on 31st March 2022 for firms to remain within their impact tolerances. Firms are not expected to use the whole 3-year period, but to complete this work as soon as reasonably practicable. By 31st March 2025 Operational Resilience must have become a “dynamic activity” in the business, one that is fully operational and managed on an ongoing basis as the business and risks evolve.
The guidance offered is that mapping should be updated annually. This is very helpful as, in our experience, firms have been taking different approaches and in some cases have created large, unwieldy frameworks with supporting human resources which may not be necessary. That said, the requirement remains for mapping to be updated at any time when there have been significant operational changes. This may be an acquisition, a reorganisation, the introduction of new IT or changes in products which result in new services and therefore new IBS. One method of ensuring there is a focus on any changes is to include a standing agenda item on a Board Committee (perhaps the Risk Committee, if the Risk Function is being given responsibility for Op Res assessments and testing) by which material changes to the business model or products are reported, raising awareness for all who may then need to be involved in reviewing the Operational Resilience Framework.
We are also guided that testing should be “regular” but not unduly burdensome. Each firm will need to consider what is appropriate for its own circumstances and document its reasons for that decision. Perhaps that might mean quarterly or bi-annually, which would be helpful as it would allow for alignment of the process with the risk assessments required for Risk Committee reporting and Board reporting. Given that some firms are leveraging their risk assessment framework for testing, this could be a sensible approach and is one we are discussing with firms we are advising. An alternative, depending on proportionality, might be for testing to form a part of the ORSA process.
The sporting use of the phrase “double-header” is well known, but the phrase can also be used to describe a train pulled by two locomotives, which seems a rather apt analogy here. The PRA and FCA are most certainly both heading in the same direction and pulling insurance firms with them on Operational Resilience, but each has its own engine pulling firms independently towards that destination. For those firms that are dual-regulated, the final Policy Statements from the FCA and PRA will mostly be a very welcome conclusion that should help them make practical and sensible decisions on the way that they approach Operational Resilience in their business. Our own experience working with firms who have already begun their programmes on Operational Resilience suggests that the final amendments to the language used will help firms take a more pragmatic approach that satisfies the requirements of each Regulator.
Join us on 26th May for our fourth webinar in a series on Operational Resilience, when we will be looking at Impact Tolerances.