Understanding FCA Operational Resilience | Skillcast

Those regulated by the FCA are expected to have identified vulnerabilities in their operational resilience. But where do you start?

Since March 2022, firms need to have identified their important business services and mapped out the processes that enable those services to function. Firms then need to determine how much disruption those important business services could tolerate and test their ability to endure that disruption to set their impact tolerances.

The FCA also want a 'lessons learned' exercise completed and a communications plan in place. Finally, the regulator wants the self-assessment document finalised and approved by the board.

To help, we explain what is needed to create a compliant operational resilience programme in the UK and the requirements in context.

10 Steps to FCA Operational Resilience

1. Operational disruptions
2. Operational risk vs resilience
3. Operational resilience programmes
4. Identifying important business services
5. Establishing impact tolerances
6. Operational resilience mapping
7. Scenario testing plans
8. Lessons learned exercises
9. Self-assessments & communications plans
10. Board approval & review
    
    While the regulator doesn't expect firms to have their full operational resilience programme rolled out, they want firms to have a clear picture of their operational resilience. The next major milestone is in March 2025. Between now and that date, firms should continue "mapping, testing and investing" to ensure they operate consistently within their impact tolerances.
    

1. Operational disruptions

The UK Financial Conduct Authority (FCA) defines operational resilience as "the ability of firms, financial market intermediaries (FMIs), and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions."

Operational disruptions include:

• A physical attack on an office, such as a bomb
• Cyberattacks
• IT system outages
• Third-party supplier failure
• Natural hazards such as fire, flood, and severe weather
• Pandemic
• War

2. Operational risk vs resilience

Operational risk management is a process that results in the acceptance, mitigation or avoidance of risk. However, operational risk management does not eliminate risk – risks can still turn into loss events.

Operational resilience is different because the regulator sees it as an outcome. It focuses on what happens if a loss event occurs. The UK FCA expects firms to be forward-looking and make decisions today that help prevent harm tomorrow.

The Bank of England notes that operational resilience extends beyond business continuity and disaster recovery because "financial firms and FMIs must have robust plans in place to deliver essential services, no matter what the cause of the disruption." In contrast, business continuity and disaster recovery usually focus on delivering "business as usual at the earliest opportunity."

Also, operational resilience expands business continuity management programs to focus on an event's impact on stakeholders beyond the firm itself. It also connects business continuity more directly with a business' risk appetite.

Back to top of page

3. Operational resilience programmes

The FCA says that financial services firms in scope for operational resilience compliance:

"Must have in place sound, effective and comprehensive strategies, processes and systems to enable it to comply with its [operational resilience] obligations."

and that these

"Must be comprehensive and proportionate to the nature, scale and complexity of the firm's activities."

Let's unpack this statement. The FCA outlines several components that make up an operational resilience programme. The final policy document on the topic lists these elements.

• Identify important business services – Boards and senior management must identify and prioritise services that, if disrupted, would impact customers and/or would harm financial stability.
• Set impact tolerances – Firms must say to what extent they would continue to provide important business services following a severe but plausible disruption.
• Conduct an operational resilience mapping exercise – Firms must identify and document the people, processes, technology, facilities and information needed to deliver each of its important business services. The mapping must be sufficient to allow firms to identify vulnerabilities and mitigate these where possible.
• Undertake operational resilience scenario testing – A firm must carry out scenario testing of its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.
• Determine and act on lessons learned – Firms must, following scenario testing or operational disruption, conduct a 'lessons learned' exercise that allows them to identify weaknesses and take action to improve their ability to respond and recover from future disruptions effectively. Following the lessons learned exercise, firms need to make necessary improvements to address the weaknesses identified to remain within their impact tolerances in the future.
• Deliver the self-assessment – This is a package of documents and outputs from the operational resilience process. The FCA requires sign-off of this by the board.
• Provide appropriate communications – Firms must maintain an internal and external communication strategy to reduce the potential harm caused by operational disruptions.
• Ensure proper governance – The board and senior management need to approve and regularly review the self-assessment and lessons learned documentation for operational resilience. These stakeholders should be involved in other ways, too.

At first, firms may need to work through these requirements sequentially. However, once their programmes have matured, they may need to work on or revise individual steps as needed.

Who is responsible for operational resilience?

As with operational risk management, organisations may have a team dedicated to implementing the framework and running the programme. However, responsibility for operational resilience stretches far beyond just that team.

As with risk management, this team nurtures and supports operational resilience. Across the organisation, individual employees are responsible for operational resilience related to their roles. For example, individuals whose roles touch an important business service may have particular, named responsibilities.

4. Identifying important business services

Firms need to identify the important business services that they provide. From here, firms should set an impact tolerance for each important business service.

"Important business service" is a term the FCA defines as:

"a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: (1) cause intolerable levels of harm to any, one or more of the firm's clients; or (2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets."

Firms should particularly note the outward orientation in assessing the impacts – this is in contrast to most risk management and business continuity management processes, which tend to focus on internal impacts within the firm.

The FCA lists 13 factors firms should consider when identifying important business services.

Key factors when identifying important business services:

• The nature of the client base, including vulnerable clients who are more susceptible to harm from a disruption
• The ability of clients to obtain the service from other providers
• The sensitivity of data held
• The potential to inhibit the functioning of the UK financial system
• The potential to cause reputational damage to the firm
• Whether disruption to the services could amount to a breach of a legal or regulatory obligation
• The importance of that service to the UK financial system, which may include market share, client concentration and sensitive clients

When documenting important business services using the full 13 elements, the FCA wants to see firms naming each important business service and providing a "sufficient, distinct rationale" for each, including metrics.

The regulator has also said that internal functions, such as HR, should not be identified as important business services.

5. Establishing impact tolerances

As part of operational resilience, firms need to ensure they can remain within the impact tolerances they set for each important business service in the event of "a severe but plausible disruption to its operations".

'Impact tolerances' are defined as:

"The maximum tolerable level of disruption to an important business service – as measured by a length of time, in addition to any other relevant metrics – reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm's clients or pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets."

- UK Financial Conduct Authority

Firms must review their impact tolerances at least annually or if there is a relevant change to the firm's business or markets. Also, firms need to notify the FCA of any failure to stay within an impact tolerance.

The FCA lists some factors that firms should consider when setting their impact tolerance for an important business service.

These factors include:

• The number of clients that may be adversely impacted and the nature of the impact on them
• The potential financial loss to the firm
• The potential level of reputational damage to the firm
• The potential impact on market or consumer confidence
• The potential spread of risks to their other business services, other firms, or the UK financial system
• Any potential loss of confidentiality, integrity or availability of data.

  
  As with the important business services, the FCA wants firms to document their thinking as to how they set these and avoid simplistic shortcuts such as relying on recovery time objectives as impact tolerances.

In setting them, the regulator also wants firms to focus on developing plans to avoid breaching their impact tolerances, and in this, prioritise the effect on consumers and markets rather than on the firm itself.

Back to top of page

6. Operational resilience mapping

Firms need to identify and document the necessary people, processes, technology, and information to deliver their important business services. By undertaking this mapping, firms should be able to identify any vulnerabilities in delivering those important business services within their impact tolerances. Firms should be able to test their ability to remain within their impact tolerances. The regulator has not set a specific methodology for mapping.

Full mapping of all important business services is a significant undertaking for many firms. The FCA has recognised this, and so it has broken down compliance with this requirement into two stages.

Firms need to have undertaken mapping to the point at which it supports their identification of important business services and impact tolerances. It should also have enabled them to identify any vulnerabilities in their operational resilience. The regulator expects full mapping to be complete by its second deadline of the 31st of March 2025.

In conducting mapping, the FCA has flagged three areas that firms should pay particular attention to:

1. Granularity – Firms need to conduct mapping in a proportionate manner, which means that the level of granularity is going to vary between firms. However, regulators have said that firms need to reach a level of granularity that is sufficient for them to be able to identify everything that supports the operation of their important business services. The granularity should also support identifying vulnerabilities, fixing them, and conducting scenario testing.
2. Third parties – Mapping should also include the third parties that firms work with to deliver important business services. The FCA has always said that firms retain responsibility for risk and compliance for processes that they outsource or use third parties for in other ways, and the same holds true for operational resilience. The FCA has said that firms are finding applying operational resilience to third parties particularly tricky but that firms need to be able to do this to ensure they stay within their impact thresholds.
3. Assurance – As with the other elements of the operational resilience framework, firms need to document all that they do, including the methodology they are applying to do mapping and the mapping process and outcomes. Mapping is a substantial exercise. Large and complex financial firms, in particular, should not underestimate the scale of the challenge. In addition, robust mapping information is fundamental to performing scenario testing.

Back to top of page

7. Scenario testing plans

Financial firms need to carry out scenario testing of their ability to remain within their impact tolerances for each of their important business services in the event of a severe but plausible disruption of their operations. Firms also need to create and maintain a regular testing plan – scenario testing is not a "one-time" event but rather an ongoing programme, much like it is in operational risk.

Testing plans should include

• The type of scenario testing undertaken – is it paper-based, using simulations or conducted on live systems
• The frequency of the testing
• The availability and integrity of the supporting materials

To perform the scenario testing, firms need to identify a range of adverse circumstances of varying nature, severity and duration relevant to their business and risk profile and consider the risks to the delivery of the firm's important business services in those circumstances.

The FCA says that firms should consider the following scenarios:

• Corruption, deletion or manipulation of data critical to the delivery of its important business services
• Unavailability of facilities or key people
• Unavailability of third-party services critical to the delivery of important business services
• Disruption to other market participants, where applicable
• Loss or reduced provision of the technology underpinning the delivery of important business services

Firms need to think creatively about the scenarios that they may face. It might be helpful to explore external operational risk loss databases and news databases for event descriptions that may provide insight into the kinds of possible operational resilience scenarios the firm might face.

Back to top of page

8. Lessons learned exercises

The FCA is keen for firms to develop and retain institutional memory regarding operational resilience, so they have baked in a "lessons learned" section into the operational resilience regulation. This seems to be something that other regulators are noting.

For example, The Board of the International Organisation of Securities Commissions (IOSCO) has requested feedback on the lessons learned about the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic.

So, following scenario testing or after an operational disruption, firms need to conduct a lessons-learned exercise that enables them to identify issues and improve their ability to respond and recover in the future. Firms also need to address weaknesses identified to remain within their impact tolerances in the future. Lastly, firms need to document the process, including the methodology used and the outcomes.

Back to top of page

9. Self-assessments & communications plans

The FCA require firms to have self-assessment documentation and provide clear, timely and relevant communications to stakeholders in the event of operational disruption.

Self-assessments need to be approved by senior management and the board, and the FCA suggests a pattern of regular communication with these stakeholders about operational resilience.

For operational resilience, the FCA says a self-assessment for firms will include:

• A summary of the vulnerabilities they have identified to the delivery of their important business services
• An outline of the scenario testing performed and the findings from the tests
• An indication of what actions are planned to improve firms' ability to remain within impact tolerances
• Evidence that the timing for these actions is reasonable and in proportion to the systemic importance of the firm's important business service.

Firms need to keep this self-assessment up-to-date – it's not a one-off exercise. Plus, firms need to ensure they retain supporting documentation for all of the actions taken to support these various elements of their operational resilience programme, including the self-assessment.

Items that should be included are:

• Justification for the important business services identified
• Justification for the level that the impact tolerances are set at
• The firm's approach to mapping
• Justification for the firm's scenario testing plan and details of the scenario tests carried out
• The details of lessons learned exercises
• The vulnerabilities that threaten their ability to deliver important business services within the impact tolerances set
• Its operational resilience communication strategy

The FCA also wants documentation of the firms' methodologies for all the different parts of the operational resilience programme.

Communications planning in operational resilience

The FCA puts a great deal of emphasis on communicating quickly and effectively to prevent the potential harm that operational disruptions could cause.

The regulator also makes it clear that developing a communications strategy in the teeth of a crisis is a bad idea. As part of its operational resilience rules, the FCA expects firms to:

• Consider, in advance of disruption, how they would quickly provide important warnings or advice to consumers and other stakeholders, including where there is no direct line of communication.
• Use effective communication to gather information about operational incidents' cause, extent, and impact.

  There are considerable benefits from putting resources into developing such a plan in advance. A robust communications plan can help prevent a situation from escalating further and provide crucial information about how the situation is impacting consumers and other stakeholders.

It can help firms fine-tune their response, improve risk management outcomes, and protect their reputations. So, although this is a requirement, having a good communications plan will deliver significant value in the event of operational disruption.

Back to top of page

10. Board approval & review

The FCA makes it clear that the board (or the organisation's governing body) should review and approve the self-assessment, including lessons learned. The regulator warns that "if you present it to them at the very end and fail to take them on this journey, you're unlikely to get the buy-in you need."

In reality, this means the board should be involved in the operational resilience programme from the beginning, and in particular:

• Risk committee
• Audit committee

Board members who have experience in business continuity

The team building the operational resilience programme should consider, from the start, the materials they need to present to the board, alongside operational resilience metrics the board may wish to see regularly. As operational resilience programmes are ongoing, the team should ensure that the reporting cycle is sustainable from a resource perspective.

Want to learn more about FCA Compliance?

We have created an SMCR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of FCA Courses.

We also have over 100 free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.