Where resilience and resolution meet

Within the UK, operational resilience is recognised as being the third wave of regulation in modern times. The first wave focused on financial resilience in the aftermath of the global financial crisis, and the second wave focused on conduct risk in part triggered by the redress of PPI (personal protection insurance) products. A firm’s financial resilience and operational resilience are inherently intertwined as operational disruption can lead to an impact on the firm’s own safety and soundness through, for example, foregone revenue, customer remediation and regulatory sanctions.

The Basel Committee on Banking Supervision (BCBS) highlighted the relationship in its 2020 consultation paper on operational resilience[1] principles, suggesting that ‘internationally active banks may leverage their recovery and resolution plans for definitions of critical operations and should consider whether their operational resilience efforts are appropriately harmonised with the organisational mappings of critical operations and critical third-party services contained in their recovery and resolution plans’.

The UK has also set out its own expectations for how firms join up operational resilience and the most relevant UK recovery and resolution planning (RRP) regulation, namely OCIR, the Operational Continuity in Resolution regime[2]:

'The PRA therefore would expect firms to have a coherent narrative between what is ‘critical’ or ‘core’ for OCIR and what is ‘important’ for important business services. Work done to map and understand the interconnectivity of functions, business lines, and services should be leveraged to meet the requirements of both OCIR and operational resilience policies.'

In this article we bring together expertise from across both operational resilience and OCIR to answer the questions we are commonly asked about how they fit together. We hope that this will help to demystify some of the contrasting terminology used, bridge the understanding of these topics and bring together the individuals involved.

Let’s start with an easy one to help operational resilience practitioners out there...

How does OCIR fit within the wider RRP regime?

RRP was established in the aftermath of the financial crisis to address the need for authorities to have more effective tools and information to enable recovery options and the orderly resolution of financial institutions to avoid the need for taxpayer support in the future.

OCIR[3] is a key component of the UK’s RRP regime, focusing on the operational arrangements required to ensure the ongoing delivery of critical functions in recovery and resolution. Firms have been required to be compliant with the current OCIR Policy since January 2019. An updated OCIR Policy will take effect from January 2022 and we will discuss this further below.

It is also worth mentioning the UK Resolvability Assessment Framework[4] (RAF) that was established in July 2019 and requires firms to think holistically about removing barriers to resolution and capabilities that need to be in place to enable firms to be resolvable. One of the eight resolvability barriers identified in the RAF is OCIR and firms need to ensure that, together with measures taken for compliance with the OCIR Policy, they have the necessary operational continuity related capabilities to achieve the RAF’s continuity outcome and demonstrate resolution preparedness.

What is the relationship between OCIR and operational resilience?

Operational resilience is defined by the UK supervisory authorities as ‘the ability of firms and Financial Market Infrastructures and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’ Disruption could be caused by a variety of different factors including, for example, a cyber attack or a third party failure to perform a service.

Put simply, operational resilience is designed to ensure the 'normal' operation of a set of important activities all of the time. OCIR was originally designed to ensure the continuity of a set of activities critical to the UK economy when the firm has moved into recovery and resolution. There will be significant overlap in those activities deemed important for operational resilience and critical for OCIR.

OCIR talks about critical functions and critical services, yet the operational resilience policy talks about important business services. What’s the difference?

It all sounds a bit baffling but, as we said before, the concepts are designed to look at a firm's activities from different perspectives. To facilitate recovery and resolution planning, the Bank of England created a list of economic functions[5], some of which are critical to the financial system for firms. Critical functions are determined for each firm primarily by quantitative analysis (e.g. total assets or total number of counterparties) carried out by firms and shared with the PRA. Therefore, each firm has its own set of critical functions according to the extent to which it contributes significantly to a UK-recognised economic function and where, therefore, a failure could impact UK financial stability. Under the OCIR rules, firms then had to identify a list of services they operate which are critical to delivering those critical functions.

Under the operational resilience policy firms need to work out for themselves what their important business services are, namely those ‘services provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability.’

We’re dealing with two different-but-related concepts of critical services supporting critical functions, plus important business services. Is that it?

Not quite. The PRA is currently consulting on updates to the OCIR regime. PRA CP20/20[2] proposes that in addition to the continuation of Critical Functions in recovery and resolution, Core Business Lines would need to continue to support the franchise and future viability of a firm. The Consultation Paper proposes applying the existing OCIR concepts to services that ensure the continuity of Core Business Lines; these services will be called essential services. A Core Business Line is defined by the PRA as ‘a business line and its associated services which represent material sources of revenue, profit, or franchise value for an institution or for a group of which an institution forms part.’

The main difference between Critical Functions and Core Business Lines is that Critical Functions relate to what makes the functions performed systemic whereas Core Business Lines relate to key drivers of their business.

While this is a potential new element for OCIR, it’s worth pointing out that Core Business Lines are a pre-existing recovery and resolution definition and so we would expect firms to have already done some of the work here. This work will be useful in identifying essential services. It is expected that there will be considerable overlap between critical and essential services, with many services that are critical also being essential. 

Does this mean that the lists of critical / essential services and important business services are the same?

We would expect them to be related but not the same.

The expectation is that there will be consistency between the OCIR critical and essential services and the Operational Resilience important business services. This is because important business services are likely to be part of a firm’s Critical Functions or Core Business Lines. This is illustrated in the diagram and table below, which show examples of what each of the key OCIR and Operational Resilience terms would be at a bank.

Critical function: Derivatives
Core Business Line: Equities division
Critical & Essential services[6], for example:
  • HR support - staff administration
  • IT - data storage and processing
  • IT - emergency and disaster recovery
  • Transaction processing
  • Trading / asset management - confirmation, settlement and payment
Important Business services:
  • Cash equities (execution)

Critical function: Retail Current Accounts
Core Business Line: Current accounts
Important Business services:
  • Withdrawal of cash
  • Make a debit card payment
  • View my balance

Critical function: Retail Mortgages
Core Business Line: Mortgages
Important Business services:
  • Issuing a loan

Critical function: General Insurance
Core Business Line: General Insurance
Important Business services:
  • Take out a new insurance policy
  • Making an insurance claim

Critical function: Asset management
Core Business Line: Asset management
Important Business services:
  • Equities portfolio management
  • Retail client reporting

Operational Resilience focuses on ensuring that a firm can continue to deliver important business services through operational disruptions. The focus is on the business services that a firm provides to an external user. As with the determination of ‘critical’ under OCIR, these services are designated as important business services if their disruption could pose a risk to the firm’s safety and soundness or financial stability. There are additional determinants of importance, however, including policyholder protection for PRA-regulated insurers, and harm to consumers or market participants and harm to market integrity for FCA-regulated firms.

As an operational resilience practitioner, what should I be leveraging from existing OCIR work to do this?

As we mentioned at the outset, the PRA’s expectation is that there is a clear narrative between a firm’s critical and essential services under the OCIR regime and important business services under the Operational Resilience regime. We see a few areas where there are the clearest opportunities for alignment between OCIR and Operational Resilience.

  • Terminology and taxonomies: as there are now a number of similar terms relating to OCIR and Operational Resilience services, it is important that firms clarify and consistently apply the definitions and terminology. Where possible, service taxonomies should be aligned and used for OCIR and Operational Resilience purposes to enable consistency between the regulations and for communications both internally and externally. While it makes sense for firms to use the same taxonomy globally, critical functions, core business lines and in turn critical and essential services are likely to differ between different jurisdictions, depending on the amount of activity in each jurisdiction.
  • Reconciliation between ‘critical’ and ‘important’: in line with the PRA’s expectations, firms need to have a coherent narrative between what is ‘critical’ or ‘core’ for OCIR and what is ‘important’ for important business services. Differences should be investigated and the rationale documented, to provide an audit trail and evidence that can be made available to the regulator upon request.
  • Operational mapping: operational resilience practitioners should leverage maps of entities, functions, business lines, services, vendors, technology, employees and premises which were completed as part of previous OCIR work for compliance with SS9/16. Using the same ‘golden’ sources of data for OCIR and Operational Resilience will make it easier to align implementation of the two regulations.
  • Governance: in light of the alignment between what is ‘critical’ or ‘core’ for OCIR and what is ‘important’ for operational resilience we would expect firms to adopt a similar governance framework. This would see some of the same committees charged with the oversight of key reporting as this will improve understanding of the interconnectedness between the regulations and will create efficiencies. This will first come to light when boards of directors approve their first resolution assessment report under the RAF (by October 2021) and their first operational resilience self-assessment (estimated to be the end of the first quarter 2022).

Conclusion

The changing resolution and resilience regulations mean that now is the right time for firms to work on an aligned approach to ensure complementary and mutually beneficial implementation programmes. There are clear benefits to firms in investing time and effort early to align resolution and resilience:

Better understanding of each firm's interconnectedness and operational complexity

Greater alignment (and articulation of the alignment) between OCIR and Operational Resilience would lead to increased understanding amongst staff and Board members on the interconnectedness of entities, business units, technology, people, premises, third parties etc. This is increasingly challenging to fully understand given the complexity of firms and is particularly important to ensure that firms’ internal governance frameworks can fully support OCIR and Operational Resilience regulations through implementation and into BAU.

Leveraging synergies and creating efficiencies


Both disciplines should draw upon a single golden source of data to help distinguish those services which may be critical / essential / important and the maps which outline their delivery. This approach can improve data quality and make maintenance simpler.

The need to explain the connection to regulators


The PRA has been clear that firms need to have a ‘coherent narrative’ between OCIR and Operational Resilience and that the expectation is that work will be leveraged between the two regulations. It will be easier for firms to articulate connections to the regulators if it has been built into implementation of the regulations from the outset.  


[1] https://www.bis.org/bcbs/publ/d509.pdf
[2] PRA CP20/20, Operational continuity in resolution: Updates to the policy
[3] In the US, Title I Resolution Plans include resolvability assessments and many of the UK OCIR concepts, such as identifying resolution critical services and carrying out operational mapping relating to critical services. Firms in scope have been able to leverage progress made between these regulations, particularly where firms had to submit a Title I Resolution Plan prior to the PRA OCIR rules coming into force.
[4] https://www.bankofengland.co.uk/paper/2019/the-boes-approach-to-assessing-resolvability
[5] The Bank of England has published a designated list of economic functions in SS19/13: Resolution planning
[6] Examples taken from the EBA’s Implementing Technical Standards, Annex II: https://www.eba.europa.eu/regulation-and-policy/recovery-and-resolution/implementing-technical-standards-on-procedures-forms-and-templates-for-resolution-planning

Contact us

Catherine Chatterton

Senior Manager, PwC United Kingdom

Tel: +44 (0)7947 165417
