Prudential Regulation Authority sets out next steps in UK operational resilience roadmap
- Published: Wednesday, 04 May 2022 08:25
In a recent speech, the PRA’s David Bailey set out the regulator’s view of the progress that firms have made in terms of operational resilience and looked ahead to the 2025 full compliance deadline.
David Bailey, Executive Director for UK Deposit Takers Supervision, is responsible for the Prudential Regulation Authority’s (PRA) supervision of the UK’s banks, building societies and credit unions. In ‘Operational Resilience: Next steps on the PRA’s Supervisory roadmap’, a speech given recently to a UK Finance Webinar, Mr. Bailey set out the PRA’s expectation for how its regulation of operational resilience will develop.
Key points in the speech include:
- While clear progress has been made, there is still distance to travel to a point where firms across the sector reach the level of operational resilience that is expected of them.
- For the recent March 2022 deadline, regulated firms had to identify their important business services (IBS) and set impact tolerances. Looking ahead to the next key deadline, which is in 2025, firms will have to prove that they are able to remain within the impact tolerances that they have set out, and this is where the assurance gained from high quality testing will be key.
- There is an important interaction of the above expectations with the PRA’s outsourcing and third party risk management policy, which was published at the same time as the policy on operational resilience. Whilst firms can outsource services, their boards and senior management cannot outsource their ultimate accountability and responsibility for their resilience. Identifying IBS, determining the maximum tolerable level of disruption to those services and taking measures so that firms can remain within those tolerances under severe but plausible scenarios mean that firms and their boards need to assess in detail the dependencies that they have on other parties.
- In terms of initial feedback on the progress that UK banks and building societies (firms) have made in meeting operational resilience expectations, the analysis and engagement with firms is still at a relatively early stage. However, there are some important themes that are already emerging from the review of the board-approved lists of IBS and impact tolerances which were received.
- On IBS, firms have generally made positive progress against expectations for identifying these services. Firms have taken a wide variety of approaches to the granularity with which they have identified their IBS. The expectation is that differences in approach will narrow over time.
- On impact tolerances, whilst progress has again been made, firms have found this more challenging than identifying IBS. This is in part due to the complexity of defining tolerances for the different regulatory objectives of customer harm or market integrity versus safety and soundness, and – for the largest firms – financial stability.
- Firms will be pushed to justify their judgements and more detailed comparisons across peer groups will be undertaken. This will help individual firms to understand where they are outliers and to consider whether that is appropriate and justifiable. Getting this right over time will be key in supporting robust scenario analysis and, ultimately, firms’ resilience.
- The operational resilience policy set the expectation that, by the end of March 2022, firms would have done enough mapping and testing to identify IBS and set impact tolerances, but mapping and testing frameworks were not expected to be fully developed. From conversations on this topic so far, it appears that firms have typically leveraged existing frameworks and tools at this stage. It is also clear that the maturity of firms’ thinking in these areas varies significantly. This may be understandable, as firms still have time before the final deadline in March 2025, but it indicates that significant further work is required in the next three years for firms to embed fully coherent mapping and testing frameworks.
- Looking ahead to the full implementation of all aspects of the operational resilience policy, no later than the end of March 2025, firms will be expected to proactively develop and progress their approaches to mapping and testing. In line with this, firms will also need to take forward the investment necessary to remediate the vulnerabilities they identify through their testing to ensure they can remain within their impact tolerances.
- Other areas of regulation will have an impact on operational resilience developments, in particular the Bank of England’s Cyber Stress Test and the work the Bank of England, FCA, and PRA are undertaking with HM Treasury on potential ways to address the risks posed by Critical Third Parties (CTPs).