The Bank of England, Prudential Regulation Authority and the Financial Conduct Authority have committed to publication during the first quarter of 2021. We have previously commented that we do not foresee any major changes in the policy as a result of the current coronavirus (COVID-19) pandemic, nor as a result of the subsequent papers from other regulatory bodies and standard setters[1]. Firms will need to review:
Based on what we know now, the timeline for implementation for the regimes is short. Firms are expecting to have twelve months to implement the policies plus an additional “reasonable period” up to a maximum of three years in which to be able to remain within impact tolerances.
Based on our discussions with a range of firms on this topic we see firms characterise themselves into one of three buckets: starting out, work in progress, or leading edge. Below we set out some practical steps that firms should take when the final policies come out.
Third parties are cited as one of the five resources which financial services firms rely upon to deliver their services, alongside people, premises, technology and data. Looking more closely at that list you will realise that third parties actually provide these other four resources, which only increases the importance of managing third party risks for all firms. It also perhaps explains why supervisors have started focusing more and more attention on how firms manage their supply chains.
PRA-regulated firms can expect to see a supervisory statement on outsourcing and TPRM alongside the operational resilience policy. While this statement applies directly only to PRA-regulated firms, it nevertheless gives all firms a useful view of how supervisors see the risks emanating from third party arrangements and how they expect them to be managed. The draft supervisory statement gave a clear indication that the PRA will look at TPRM through the overall lens of how it affects a firm’s operational resilience. Supervisors will tend to be agnostic of how the service is delivered as long as it can be demonstrated that the risks are being managed proportionately, and subject to appropriate senior management control and oversight.
Our service offerings have been built to help you set up and run a fit for purpose and digitally enabled operational resilience capability. Our teams and propositions can support you on all fronts, from getting assurance on the direction of travel in the early days of a newly initiated Operational Resilience Programme to helping established Operational Resilience functions implement cutting edge capabilities.
With international regulators requiring a step-change in approaches to resilience, we are able to work with our clients to develop and implement well informed and sustainable resilience methodologies and delivery. Often driven by deploying a pilot approach, we have a track record of helping our clients establish their list of important business services, undertake mapping, establish impact tolerances, put in place scenario testing and drive out resilience reporting and insights.
Using simulation technology we can help you to build a “digital twin” of one or more important business services to enable you to set impact tolerances and objectively assess your operational resilience through scenario testing.
Where firms are already making strides in these areas, we are also able to provide a quick ‘health-check’ on your approaches to allow you to move forward with confidence, or make adjustments as necessary.
We can transform your approach to delivering your operational resilience, including end-to-end important business service analysis, business continuity, incident response and disaster recovery processes.
The challenges of the traditional ‘in-house’ delivery models for resilience are well known and common across financial services organisations. We see the opportunity to do things differently and can help you operate a robust resilience framework with effective risk oversight.
Our approach utilises our managed service capability to run your resilience functions and activities (i.e. planning, documentation, testing and ongoing maintenance) in an integrated, scalable and cost-effective manner. We can take on the day-to-day operational processes, allowing you to focus on key decisions and overall accountability.
We have an industry-leading framework for the assessment of the maturity of firms’ resilience capabilities. Covering the whole range of resilience disciplines (13 in total including change management, service operations, third party, management, crisis, physical security, and culture) we are able to provide a specific and quantified view of your capabilities against your peers and other FS organisations.
We also have our ORMA ‘lite’ approach. This enables us to provide insights in a more concentrated manner. These are delivered through a focused set of workshops and review of documents. This gives our clients an independent and quick view of their capabilities and the opportunity to take action on recommendations quickly.
A key challenge for any business is demonstrating to internal and external stakeholders that its operational resilience framework is fit for purpose and fully implemented. Similar to a controls report for financial reporting (e.g. AAF 01/20 and ISAE 3402) or technology platforms (e.g. SOC 2), this is an independent assurance report over the maturity of controls in the client's operational resilience framework, providing a granular view on the relative control effectiveness and strength to key stakeholders. This enables greater transparency and provides confidence in how operational resilience risks are being managed for important business services.
We provide a range of services to our clients to help them manage outsourcing and third party risk effectively and to meet evolving global regulations on this topic. We support the design, build and implementation of TPRM frameworks from establishing strategy through to the end-to-end lifecycle of outsourcing and third party arrangements, and effective governance models to oversee them. Where appropriate this can involve the selection and implementation of new tools to support TPRM.
We regularly perform assessments of current practices against regulatory requirements and industry good practice and help clients with their remediation work driven either by regulatory findings or, increasingly, the desire to maximise value out of existing arrangements. As with our broader operational resilience offering we also provide third party assurance as a managed service, taking on the day-to-day operational processes on your behalf.
[1] Aside from the operational resilience papers, the PRA is also updating its approach to Operational Continuity in Resolution (PRA CP20/20).