Editorial

Operational Resilience should remain at the forefront of firms’ regulatory focus

In recent months, regulators have been cracking down on operational risk management and governance failures relating to Operational Resilience. Fines have already been handed out to large market institutions, with penalties even targeted to accountable individuals at these organisations for their breach of PRA Senior Manager Conduct Rule 2.

Contributor

Liliana joined Delta Capita in September 2021. She is a highly motivated, multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.

Liliana Hillebrand-Measures
Principal Consultant


Firms have been busy mobilising resources and launching large-scale implementation programmes to comply with the new requirements since the publication of the operational resilience policy statements (PS21/3 and PS6/21) in March 2021. Despite this, and even with the next compliance deadlines not for another 24 months, regulators continue to scrutinise firms’ progress in addressing the subject.

Regulators are on the lookout for tangible evidence of progress in building resilience measures, and of how firms are reacting to the findings of the original assessments they conducted. Continuous evolution of a firm’s Operational Resilience framework is key to limiting additional regulatory scrutiny. To achieve this, firms must take into consideration the fact that:

1) Firms are expected to review the number of Important Business Services subject to changes in offering or strategy, ensuring a holistic approach is taken during each annual review cycle.

2) Previously determined Impact Tolerances are expected to be tightened. Firms are expected to assume that a disruption will occur and for the metrics to be well defined and time-based. Further detailed comparisons should be undertaken across peer groups, and further dialogue amongst industry participants is expected.

3) In carrying out the ongoing Scenario Testing, firms must identify new appropriate adverse circumstances, relevant to the overall risk profile and business. Significant follow-on work is required for firms to coherently test their frameworks.

However, Operational Resilience is no longer the only regulation that firms need to be conscious of when addressing this subject area. The development of new frameworks could end up complicating compliance efforts for firms who aren’t thorough in their approach to each regulation. Two key frameworks in this space are DORA and the CTP Oversight Framework:

Digital Operational Resilience Act (DORA):

  • Represents the European response to Operational Resilience, impacting European-based firms with operations in the UK.
  • IT continuity, Cyber and IT 3rd-parties monitoring, and resilience are key focus areas.
  • Firms must implement incident reporting procedures, IT risk management governance & testing programs.
  • Information regarding cyber threats is required to be shared with other financial entities.


Critical Third-Party (CTP) Oversight Framework:

  • Financial services firms and financial market infrastructure firms (FMIs) increasingly rely upon third-party services to support their operations.
  • Firms must implement incident reporting procedures, IT risk management governance & testing programs.
  • The supervisory authorities hold firms and FMIs responsible, and ultimately accountable, for their operational resilience, regardless of whether or not they rely upon third parties to support the delivery of their important business services.

How can Delta Capita help?

The Delta Capita team offer a comprehensive end-to-end Operational Resilience Health Check, performing quality assurance assessments and benchmarking against industry best practice, to ensure your organisation’s Operational Resilience programmes’ maturity and detail align with regulatory expectations. Our experienced team of Operational Resilience experts also provide remediation support and ongoing impact tolerance and scenario testing verification in accordance with the Self-Assessment requirements. Backed by technology partnerships, experienced industry SMEs, and project and programme delivery capabilities, the Delta Capita team provide support across the full lifespan of Operational Resilience, delivering industry best practice in regulatory compliance and in project and programme delivery.

To learn more about our range of Operational Resilience services, please contact:

Karan Kapoor (Global Head of Regulatory Consulting), karan.kapoor@deltacapita.com or Michael Robertson (UK Head of Consulting), michael.robertson@deltacapita.com.