Claire Garrett
Head of Retail, Financial Institutions, Marsh Specialty UK
The PRA's (Prudential Regulation Authority) published Statement of Policy "Operational Resilience" came into effect on 31 March. In a world that is now all too familiar with the extreme disruption that could be around the corner, what does this mean?
The Statement of Policy is relevant to all UK banks, building societies, and PRA-designated investment firms, as well as UK Solvency II firms, the Society of Lloyd's, and its managing agents. It focuses on four key areas of the regulatory framework: governance, operational risk management, business continuity planning, and management of outsourced relationships.
The resonating message is that the PRA expects operational resilience throughout a risk—whether demonstrated by preventing a disruption, adapting during a disruption in order to continue to provide services, returning to normality rapidly, or evolving the business to reflect lessons learned. The focus shifts from risk appetite to impact tolerances—addressing the likelihood and impact of operational risks occurring. This shift in focus by the PRA makes it imperative for firms to take a risk-based approach to protecting their critical services.
The actions of directors and senior management are core to the PRA's operational resilience policy. The PRA's expectation is that appropriate reporting andaccountability will be in place to allow a firm to deliver business services within their impact tolerances. If this is lacking, the leadership of the firm is expected to prioritise change. Directors will need to think carefully about operational resilience when making decisions and be able to demonstrate to the PRA that the board has the skills and knowledge to provide the oversight needed from an operational resilience perspective.
This expectation is a real shift from a siloed and internal view of resilience and business continuity, and requires a move away from the traditional view that a firm's resilience is a middle management issue to giving it a top-down mandate. Getting senior buy-in to managing resilience and business continuity matters has been a struggle for many firms in the past because it is not a revenue-generating activity. Of course, in reality, there is a high return on investment over time and this potential should be harnessed.
Already, the PRA expects firms to have reduced the likelihood of operational incidents occurring, limited losses from severe disruption, and held sufficient capital to mitigate the impact of operational risks. Going forward, the PRA's operational resilience policy extends these expectations. Now, the PRA expect firms to assume failures will occur and focus on their ability to recover from them. In addition, the PRA's focus is firmly on the public interest, with a requirementthat firms must be able to provide their important business services within their impact tolerances through severe disruptions.
To date, many firms have employed business continuity management or crisis management activities and processes. How these structures, policies, and information are transitioned to meet the new resilience requirements will be a challenge and cannot be approached in isolation, given other risk issues high on firms’ radars, such as cyber resilience. It is critical that firms do not leave their preparation until the last minute–the sooner they address it, the more efficiently they can capitalise upon the opportunity the changes offer.
The Statement of Policy signals an evolution in the approach to operational risk. The message delivered is that a firm's approach to operational resilience should be over-arching—encompassing the culture of the firm, decision making at the highest level, and overlying more specific business continuity planning. Focus has shifted from trying to manage risk and prevent the worst-case scenario happening to acceptance that severe disruption events will occur and ensuring a firm can be as operationally resilient as possible throughout that disruption. With only 12 months to implement operational resilience, there is much work to be done.
Our Financial Institutions and Resilience experts have developed a "tried and applied" approach to operational resilience—already adopted by a number of firms—and will be happy to guide you through.
Head of Retail, Financial Institutions, Marsh Specialty UK