The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have published policy documents on operational resilience, the outcome of a long-running consultation period.
The regulators issued a number of documents on March 29th 2021, including:
- Operational Resilience Statement of Policy: this clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework: governance; operational risk management; business continuity planning; and the management of outsourced relationships.
- PS6/21 ‘Operational resilience: Impact tolerances for important business services’: this Policy Statement provides feedback on responses to the Bank of England, PRA, and FCA consultation documents on this area and also contains the final policy.
- Individual Policy Statements and Supervisory Statements on the Bank of England’s operational resilience expectations for Central Counterparties (CCPs) and Central Securities Depositories (CSDRs).
- A Policy Statement, Supervisory Statement and operational resilience chapter of the Code of Practice for Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs).
Documents for the above two areas can be downloaded from here.
The policies become effective on Thursday 31st March 2022.
The FCA’s parallel operational resilience Policy Statement, PS21/3 ‘Building operational resilience: Feedback to CP19/32 and final rules’, also comes into force on 31st March 2022. The FCA says that by then regulated firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing ‘to a level of sophistication necessary to do so’. Firms must also have identified any vulnerabilities in their operational resilience. As soon as possible after 31st March 2022, and no later than 31st March 2025, firms ‘must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances’.
The PRA also published SS2/21 ‘Outsourcing and third party risk management’, a Supervisory Statement that sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. This complements the requirements and expectations set out in the above operational resilience documents.