UK PRA Deputy CEO sets out his views on operational resilience regulation
- Published: Friday, 07 May 2021 09:40
During a recent UK Finance Operational Resilience Webinar, Lyndon Nelson, Deputy CEO of the Prudential Regulation Authority, explained how the regulator will approach operational resilience regulation.
In a speech covering ‘Operational resilience – outcomes in practice’, Mr. Nelson looked at the joint approach taken by UK regulators on operational resilience and how this links to the Basel approach to this area.
Mr. Nelson explained why the UK operational resilience regulation takes an ‘outcome-based’ rather than a ‘safe harbour’ approach, saying that the latter’s “rigid and overly prescribed regimes are just what we need to avoid for a risk that is constantly evolving, and where key parts of it (such as cyber-risk) actually has a conscious opponent seeking to do harm.”
Mr. Nelson also discussed timelines for operational resilience compliance, recognising that there is much work to do for many organizations.
“The word in the policy documents that is doing a lot of work here is ‘sophistication’”, said Mr. Nelson. “Yes, we are asking and expecting firms to have done quite a bit by 31 March 2022, but is it ultimately going to be everything that we expect firms to do? No. We understand and expect that tasks such as mapping and testing will evolve and will grow in sophistication over time. So by 31 March 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work.”
Looking ahead, Mr. Nelson discussed impact tolerances, stating that it is too early to say how things will play out in this area “because each regulator has yet to determine their final approach”.
Turning to Basel Committee work in the area of operational resilience, Mr. Nelson said that the core approach was the same as the UK’s. He said that the key principles were:
- A clear distinction between operational risk and operational resilience;
- Operational resilience as an outcome;
- Financial stability and safety and soundness lenses for operational resilience (and customers too for FCA);
- An identification of what firms do that is important;
- A concept of tolerance for disruption or impact tolerance to define what might be acceptable; and
- The use of scenario testing to assure resilience.