In a letter sent to Chief Executive Officers of PRA-regulated international banks active in the UK, the PRA set out key aspects of its regulatory expectations when it comes to operational risk and resilience.
Key points from the letter include:
- Enhancing the operational resilience of the financial sector remains a strategic priority for the PRA.
- The PRA will continue to assess firms’ progress in developing dynamic, effective operational risk and control frameworks to manage the threat of operational disruptions.
- The PRA expects firms to develop their security controls and capabilities to manage the increasing risk of cyber threats, as set out in Supervisory Statement (SS) 1/21. The PRA encourages all firms, regardless of size, to test their resilience against such threats.
- By Thursday 31 March 2022, firms must have identified and mapped their important business services; set impact tolerances for these; and initiated a programme of scenario testing.
- Impact tolerances provide a standard which boards and senior management should use for prioritising investment and making recovery and response arrangements. The PRA will continue to review firms’ programmes and their implementation.
- The PRA also expects third country branches in the UK to be able to demonstrate how they will deliver operationally-resilient outcomes.
- The PRA has observed a material increase in the services being outsourced, particularly to cloud providers, and it expects firms to manage the risk arising from this accordingly. Firms should maintain an updated register of their outsourcing arrangements and should also ensure their important business services can remain within impact tolerances even when they rely on outsourcing or on third party providers.
Read the complete letter (PDF).