Building operational resilience across financial services
From Thursday 31 March 2022, firms must comply with new FCA rules on operational resilience. Here John Rouffas, Chief Information Security Officer at intelliflo, explains what the rules are, how they impact financial advice professionals and the steps you need to take to comply.
The operational resilience story so far
If we’ve learned one thing over the last two years, it’s that anything can happen. At the start of the first lockdown businesses of all sizes across the financial services sector scrambled to adapt so they could continue meeting the needs of those who rely on them. Some were more successful – and more prepared – than others.
Yet while the pandemic has reinforced the need for reliable and robust means to withstand and learn from future disruptions, regulatory interest in operational resilience pre-dates Covid-19. The first step towards new rules for building operational resilience was a joint discussion paper1 issued by the three UK regulators – the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England (BoE) – in 2018. It made clear the importance to the financial services sector, consumers and the wider UK economy of protecting the continuity of key business services.
That discussion paper has resulted in two policy statements. One joint statement from the three regulators2 and one from the FCA alone. For the majority in our sector, the FCA rules are the ones that matter, as detailed in PS21/3 Building operational resilience: Feedback to CP19/32 and final rules.3 As we have come to expect by now, the requirements are not prescriptive – the FCA is clear on what is to be achieved but it’s up to firms how they go about it.
The new rules come into effect on 31 March 2022 and by that point firms must have:
- Identified their important business services i.e. where disruption could cause harm to clients as well as threating the stability of the UK financial system or markets
- Set impact tolerances for each important business service i.e. the maximum amount of impact where the business could still continue to operate
- Mapped the resources that support business services, whether or not they are under the firm’s control.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must make sure they can work within their impact tolerances. As is often the case with the FCA, the key lies in record keeping. It’s not enough to comply; firms must demonstrate, record and document their compliance.
These new requirements don’t replace any existing rules for operational risk or business continuity planning and so should work alongside existing rules. The UK appears to be leading the way with this policy statement, making it likely that other regions could subsequently base their operational requirements on those outlined here.
Let’s take a closer look at what these changes mean for advice firms on a practical level.
Operational resilience: what’s new?
According to the BoE, FCA and PRA, operational resilience is ‘the ability of firms and FMIs (financial market infrastructure) and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions’. The regulators’ collective position is that major disruptions will occur and while some may be preventable and some can be foreseen, as we have all seen over the last two years, some will be beyond our control and cannot be prevented.
However, by putting steps in place to build operational resilience, your firm should have tested, robust and reliable means to deal with disruptions, minimise their impact and then learn for the future. The learning element is crucial as there will be times when dependencies will only become clear in the aftermath of an event.
An important point to note is that operational resilience refers to ‘important business services’ that deliver specific functions to external consumers and for whom the loss of which would have a serious impact. Consumers in this context will usually be either direct users of your services or dependent on them in some other way. Your firm’s own commercial interests are not of significance here; the regulator is concerned with the potential impact on clients, the market and the wider economy.
Corrective actions to deliver operational resilience will cover a wide scope but could include addressing key person dependencies or infrastructure weaknesses highlighted by the mapping process, improving customer communications by checking/updating contact information and remedying actual or potential system capacity issues. Whatever remedial action is identified should be treated as a priority to prevent potential harm to consumers or the broader market environment.
Identifying important business services
So how do you identify which services are ‘important’ and covered by the rules? The FCA’s full definition of an important business service is one ‘provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted could cause intolerable harm to one or more of the firm’s clients, or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.’
The negative impact of services having to shut down has been repeatedly made clear at various points of the pandemic. Detail is essential here, with important business services broken down sufficiently to fully understand, set and test impact tolerances.
Setting impact tolerances
Under the new rules, as you’d expect from the FCA, you need to be able to demonstrate and document how you can carry on servicing your clients during major operational disruptions to either the economy as a whole or your specific operations. How you plan to recover from the event is of less importance. The idea here is to identify the maximum extent and duration of operational disruption to an important business service your firm could stand before there was an impact.
To be clear, impact tolerance assumes a risk has come to pass and is distinct from risk appetite which is a measure of the risk considered acceptable to achieve a particular objective.
Vulnerable consumers
The FCA has issued separate guidance for firms on the fair treatment of vulnerable customers , but in terms of operational resilience, they are an important group to consider and should be central to the process of setting impact tolerances. Where disruptions do happen, you need to ensure that you communicate effectively with vulnerable customers, including using ‘alternative mechanisms’ if necessary, to minimise potential harm.
Scenario testing
Testing your ability to remain within the impact tolerance (so keep functioning) for each of your important business services should be a key part of your preparation. ‘Severe but plausible’ is the name of the game. Here too the pandemic has had an interesting impact on our perspective, given that something like total remote working may once have seemed an unrealistic level of disruption, but is now commonplace. It’s a hard-earned lesson, but this recent experience should help to strengthen assumptions and scenario testing.
In each case, you need to form a set of adverse circumstances, the nature, severity and duration of which will vary based on their potential impact and your risk profile. The severity of scenarios can be flexed (increasing the number of services affected or the duration for example) and failures may be within or outside your control. However, the FCA warns that while you may wish to look at real-world events for learning, you should not be overly concerned with the probability of any particular event happening or not. The working assumption is that anything could happen and you must prepare as much as possible. This whole process should be ‘systematic, transparent and open to supervisory challenge’.
Mapping resources
Once you have identified your important business services and set your impact tolerances, the next step is mapping. This involves identifying and documenting the people, processes, technology, facilities and information the you need to continue delivering each important business service. Doing so will surface how each service is provided and exactly how major operational disruptions could manifest.
While outcomes may vary, they should include:
- Identifying vulnerabilities in delivery of important services within an impact tolerance
- Taking action to remedy vulnerabilities as appropriate
- Testing the firm’s ability to remain within the impact tolerances
Spending time on this will give you a clear and detailed picture of exactly how your important business services function. According to the FCA, firms that mapped their important business services ahead of the pandemic found themselves in a much stronger position.
How intelliflo is supporting UK financial advice firms
As a trusted supplier of financial services, intelliflo is highly supportive of a resilient financial system and we work diligently to monitor, maintain and develop our own resilience to operational and financial issues. We know that the availability and integrity of intelliflo’s solutions is paramount to the infrastructure that supports the financial activities of our customers and the financial wellbeing of their customers.
To this end, our security and risk programs are geared towards:
- Making sure intelliflo identifies, articulates and monitors its important business services and the assets that form our services and solutions
- Making sure intelliflo augments its visibility of our business services through documentation and verification of our processes, technologies, facilities and information that support business services for our customers
- Regular revision of our activities in these areas to maintain awareness and make sure intelliflo continues to support the business regulatory requirements provided by the FCA, PRA and BoE
- Identifying and reviewing our impact tolerances for each of our business services, with actions in place to review and test our ability to remain within these impact tolerances
How do we do this in practice? Well, intelliflo’s governance and security programs with their simple vision that “We cannot protect what we cannot see” plays an intrinsic role. To this end, our programs are geared towards establishing visibility in key areas including asset registers, asset maintenance programs, third-party assurance programs and the monitoring of these areas for any operational or security issues.
In addition, we carry out regular assurance and monitoring of our processes and capabilities, with testing of our recovery processes and effective disaster recovery and business continuity initiatives. Our work builds around these actions to review and identify our risk tolerances as well as the programs that surround our risk and security measures that build on these risk tolerances. This process is fundamental to the support and security of our customer programs and activities. For that reason it’s not static but dynamic, constantly evolving.
As intelliflo’s new Chief Information Security Officer, I am keen to build on these activities for two good reasons. First to make sure we continue to provide the optimum level of safety and support to our customers and anyone who may benefit directly or indirectly from our services. Second, to be recognised as a leader in operational resilience in financial SAAS organisations.
[1] FCA – Building the UK’s financial sector’s operational resilience discussion paper, 05/07/2018
[2] Bank of England – PS6/21, CP29/19, DP1/18 Operational resilience: Impact tolerance for important business services, 29/03/2021
[3] FCA – PS21/3 – Building operational resilience, 29/03/2021
[4] FCA – FG21/1 Guidance for firms on the fair treatment of vulnerable customers, February 2021
[5] FCA – PS21/3 – Building operational resilience, 29/03/2021
[6] FCA – PS21/3 – Building operational resilience, 29/03/2021