Regulatory Timeline: Operational Resilience
Status: Ongoing
Regulator: FCA, PRA and Bank of England
In July 2018, the Bank of England, PRA and FCA released a joint Discussion Paper titled “Building the UK financial sector’s operational resilience.”
By 31st March 2022, firms were expected to have completed the first set of milestones towards implementing a functional Operational Resilience framework; identifying their Important Business Services (IBS), setting Impact Tolerances for the maximum tolerable disruption, and having carried out initial mapping. Testing to an appropriate level of sophistication, with an ongoing evolution and enhancement of processes, was expected as time progressed. From the latest update at the end of 2023, firms are now also expected to have made the necessary investments to enable full operationalisation within Impact Tolerances. Lessons learnt exercises to identify, prioritise, and invest in the ability to respond and recover from disruptions as effectively as possible should, by now, have been conducted. The development of internal and external communications plans for when Important Business Services are disrupted should now also be completed. The latest annual Self-Assessment reports are due to be completed for 31 March 2024 with clear progress on implementation expected by the regulators.
This timeline provides key dates in the regulatory calendar and links to ICSR articles and webinars on the subject. If you would like to discuss any aspects of Operational Resilience, please contact us.
Deadline for mapping and testing
By no later than 31 March 2025, firms will need to have:
- performed mapping and testing so that you can remain within impact tolerances for each important business service;
- made the necessary investments to enable you to operate consistently within your impact tolerance
FCA Business Plan 2024/5
The FCA Business Plan for 2024/5 confirms their ongoing commitment to focus on “Minimising the impact of operational disruptions”. A consultation paper clarifying its expectations on how firms should report operational incidents is expected.
TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This?
ICSR Risk & Compliance Director Claire King looks at the actions taken by the PRA following an IT systems and data migration project, moving its corporate and personal customer servicing onto a new platform. While this, in itself, was successful, technical failures were soon being flagged, causing significant disruption to TSB’s banking services; branch, telephone, online and mobile banking.
Deadline for compliance with the Policy Statement requirements.
“By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.”
FCA Report: Operational resilience insights for insurance firms
The FCA asked a sample of 47 firms about its rules for strengthening operational resilience and published its observations on what it learned. Read its observations to review your firm’s approach.
ICSR Article: Outsourcing and Third-Party Arrangements – Creating Resilience In Your Operational Processes
This article takes a look at SS2/21 including its scope, aims, the key requirements and what firms need to do to ensure they are compliant.
ICSR webinar - Impact Tolerances
Webinar: Operational Resilience: Impact Tolerances with Kenneth Underhill
ICSR Article: Operational Resilience – A Regulatory Double-Header
ICSR Director Kenneth Underhill looks at the approach to Operational Resilience adopted by the PRA and FCA in their co-ordinated Policy Statements.
PRA Policy Statement PS6/21
The PRA have published their Policy Statement
FCA Policy Statement
The FCA have published their Policy Statement
ICSR Article: Mapping Important Business Services: When Does A Service Finish?
ICSR Director Kenneth Underhill considers questions about mapping claims and at what point in the service delivery process does the requirement for mapping cease.
ICSR webinar - Service and Activity Mapping
Webinar: Operational Resilience: Service and Activity Mapping with Kenneth Underhill
Consultation Period closes
Consultation period for CP19/32 closes. The original date of 3rd April 2020 has been extended to 1st October 2020 due to the coronavirus pandemic.
ICSR webinar - Technology and Operational Resilience
A webinar on Technology and Operational Resilience.
ICSR webinar - Introduction to Operational Resilience
ICSR Director Kenneth Underhill provides an overview of Operational Resilience.
ICSR Article: Coronavirus – The Long And The Short Of It
ICSR Director Kenneth Underhill considers the operational resilience implications of the coronavirus pandemic.
Consultation Papers Published
The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
Discussion period closes
The deadline for firms to submit their representations to the regulator.
Discussion Paper released
Building the UK financial sector’s operational resilience
- Bank of England DP01/18
- Prudential Regulation Authority (PRA) DP01/18
- Financial Conduct Authority (FCA) DP18/04