Becoming operationally resilient: preparing for new UK policies

What should firms expect?

The Bank of England, Prudential Regulation Authority and the Financial Conduct Authority have committed to publication during the first quarter of 2021. We have previously commented that we do not foresee any major changes in the policy as a result of the current coronavirus (COVID-19) pandemic, nor as a result of the subsequent papers from other regulatory bodies and standard setters[1]. Firms will need to review:

  • FCA solo-regulated firms: FCA operational resilience policy
  • PRA dual-regulated firms: FCA & PRA operational resilience policies and PRA supervisory statement on outsourcing and TPRM
  • Bank of England (BoE) regulated firms: BoE operational resilience policies by firm type

Based on what we know now, the timeline for implementation for the regimes is short. Firms are expecting to have twelve months to implement the policies plus an additional “reasonable period” up to a maximum of three years in which to be able to remain within impact tolerances.

What should firms do when the final policy is published?

Based on our discussions with a range of firms on this topic, we see firms place themselves in one of three buckets: starting out, work in progress, or leading edge. Below we set out some practical steps that firms should take when the final policies come out.

Starting out

Those firms which have not yet taken decisive action to start applying the new policy. They may not yet have internal buy-in from senior management and the board, which is essential to ensure the appropriate resources are brought in from across the firm.

Recommended actions

  • Establish a sponsor for the programme of work and secure the mandate from the firm’s governing body to allocate appropriate resources
  • Set clear roles and responsibilities across first line (of defence) and second line functions to ensure the right input and oversight
  • Review published guidance to understand how the policies will apply to the firm
  • Scope the size of the effort by quickly advancing work on defining important business services and piloting the whole approach for one service
  • Work out where using existing material can help to accelerate your work, for example repurposing existing process maps.

Work in progress

Those firms which have already started applying the new regulatory concepts in some form. Typically this will include activities such as establishing an operational resilience programme, designing an operational resilience framework, and defining their list of important business services. Some may also have chosen to pilot a full end-to-end assessment of an important business service (including mapping, setting impact tolerances and scenario testing) which can help to gain wider stakeholder buy-in and to define repeatable methodologies.

Recommended actions

  • Consider how any amendments to the policy may affect the current work programme
  • Consider what tools will be used to capture and maintain relevant data on important business services
  • Where a decentralised model is in place, finalise guidance for business service owners to complete the work for their important business service
  • Identify metrics, and corresponding data sources, to form indicators of resilience for ongoing monitoring
  • Agree roles for second line risk and compliance functions and third line audit functions, and build operational resilience aspects into review cycles.

Leading edge

Those firms which have made significant progress in meeting the new regime and already have an established culture driving operational resilience. They will have defined their important business services, mapped them and already established impact tolerances for most if not all of their services. They will be starting to run scenario tests and may already be looking at how to integrate the operational resilience framework into their existing governance structure.

Recommended actions

  • Consider how any amendments to the policy may affect the current work programme
  • Commence second line and third line reviews where appropriate, to gain internal assurance on the approach taken to meet regulatory expectations
  • Identify how and where operational resilience will align with existing risk and governance frameworks
  • Embed operational resilience considerations into existing processes (e.g. change management toll gates, investment sign-offs)
  • Start preparing the self-assessment document as an opportunity to gain early buy-in from senior stakeholders.

Improving resilience through strengthening Third Party Risk Management (TPRM)

Third parties are cited as one of the five resources which financial services firms rely upon to deliver their services, alongside people, premises, technology and data. Looking more closely at that list you will realise that third parties actually provide these other four resources, which only increases the importance of managing third party risks for all firms. It also perhaps explains why supervisors have started focusing more and more attention on how firms manage their supply chains.

PRA-regulated firms can expect to see a supervisory statement on outsourcing and TPRM alongside the operational resilience policy. While this statement applies directly only to PRA-regulated firms, it nevertheless provides a useful view for all firms of how supervisors view the risks emanating from third party arrangements and how they expect them to be managed. The draft supervisory statement gave a clear indication that the PRA will look at TPRM through the overall lens of how it affects a firm’s operational resilience. Supervisors will tend to be agnostic about how the service is delivered as long as it can be demonstrated that the risks are being managed proportionately, and subject to appropriate senior management control and oversight.

Recommended actions for outsourcing and TPRM professionals

  • Consider how any amendments to the supervisory statement may affect the firm’s current frameworks and work programmes, including EBA Outsourcing Guidelines remediation
  • Identify third party services, and connected sub-outsourcing arrangements, which support the delivery of the firm’s important business services and ensure these are recorded appropriately and support traceability of third parties and sub-contractors to services, data and systems
  • Ensure the firm’s existing remediation programme for legacy contracts remains within supervisory expectations. Where possible, prioritise outstanding contracts proportionate to risk, such as those impacting important business services
  • Agree an approach to testing the resilience of third party arrangements in the context of how they support important business services. This can be done through testing exit plans and assessing the third party’s business continuity plans and testing approach
  • Evaluate existing oversight activities to ensure that third party arrangements fundamental to the provision of important business services are subject to review, approval and oversight by senior management.

How PwC can help

Our service offerings have been built to help you set up and run a fit-for-purpose and digitally enabled operational resilience capability. Our teams and propositions can support you on all fronts, from getting assurance on the direction of travel in the early days of a newly initiated Operational Resilience Programme to helping established Operational Resilience functions implement cutting-edge capabilities.

Responding to increasing regulatory expectations

With international regulators requiring a step-change in approaches to resilience, we are able to work with our clients to develop and implement well informed and sustainable resilience methodologies and delivery. Often driven by deploying a pilot approach, we have a track record of helping our clients establish their list of important business services, undertake mapping, establish impact tolerances, put in place scenario testing and drive out resilience reporting and insights.

Using simulation technology we can help you to build a “digital twin” of one or more important business services to enable you to set impact tolerances and objectively assess your operational resilience through scenario testing.

Where firms are already making strides in these areas, we are also able to provide a quick ‘health-check’ on your approaches to allow you to move forward with confidence, or make adjustments as necessary.

Operational Resilience as a Managed Service

We can transform your approach to delivering your operational resilience, including end-to-end important business service analysis, business continuity, incident response and disaster recovery processes.

The challenges of the traditional ‘in-house’ delivery models for resilience are well known and common across financial services organisations. We see the opportunity to do things differently and can help you operate a robust resilience framework with effective risk oversight.

Our approach utilises our managed service capability to run your resilience functions and activities (i.e. planning, documentation, testing and ongoing maintenance) in an integrated, scalable and cost-effective manner. We can take on the day-to-day operational processes, allowing you to focus on key decisions and overall accountability.

Operational Resilience Maturity Assessment (ORMA)

We have an industry-leading framework for the assessment of the maturity of firms’ resilience capabilities. Covering the whole range of resilience disciplines (13 in total including change management, service operations, third party, management, crisis, physical security, and culture) we are able to provide a specific and quantified view of your capabilities against your peers and other FS organisations.

We also have our ORMA ‘lite’ approach. This enables us to provide insights in a more concentrated manner. These are delivered through a focused set of workshops and review of documents. This gives our clients an independent and quick view of their capabilities and the opportunity to take action on recommendations quickly.

Operational resilience assurance

A key challenge for any business is demonstrating to internal and external stakeholders that its operational resilience framework is fit for purpose and fully implemented. Similar to a controls report for financial reporting (e.g. AAF 01/20 and ISAE 3402) or technology platforms (e.g. SOC 2), this is an independent assurance report over the maturity of controls in the client's operational resilience framework, providing a granular view on the relative control effectiveness and strength to key stakeholders. This enables greater transparency and provides confidence in how operational resilience risks are being managed for important business services.

Third Party Risk Management services

We provide a range of services to our clients to help them manage outsourcing and third party risk effectively and to meet evolving global regulations on this topic. We support the design, build and implementation of TPRM frameworks from establishing strategy through to the end-to-end lifecycle of outsourcing and third party arrangements, and effective governance models to oversee them. Where appropriate this can involve the selection and implementation of new tools to support TPRM.

We regularly perform assessments of current practices against regulatory requirements and industry good practice and help clients with their remediation work driven either by regulatory findings or, increasingly, the desire to maximise value out of existing arrangements. As with our broader operational resilience offering we also provide third party assurance as a managed service, taking on the day-to-day operational processes on your behalf.

[1] Aside from the operational resilience papers, the PRA is also updating its approach to Operational Continuity in Resolution (PRA CP20/20).


Contact us

Kelechi Igboko

Director, Technology Risk and Resilience, PwC United Kingdom