Building Operational Resilience: PS21/3 - FCA Policy Analysis

Drafted by Ben Saunders: OpRes Founder

Roughly an 8-minute read

On the 29th March 2021, the Financial Conduct Authority (FCA), in collaboration with the Prudential Regulation Authority (PRA) and the Bank of England (BoE), released its policy statement on operational resilience, “PS21/3 - Building Operational Resilience”. The statement follows several consultations and discussion papers, stretching as far back as July 2018. 

Given the unexpected disruption that COVID-19 has caused firms over the last 12 months, the policies will come as a welcome shot in the arm for many organisations, as they now turn their attention to identifying their critical business services and to how best they can continue to serve their customers whilst coping with future unplanned disruptions to their business. 

The policy document, which you can find on the FCA website, is 76 pages long!

Hence, we decided to tease out the key points that organisations need to be aware of as they embark on complying with the policies that have been issued. There is a lot to get through, so hopefully our succinct summary provides you with enough information to get started on readying your organisation’s response. 

Putting Customers First in a New Era

In my previous blog, I spoke about putting our “customers, customer” at the heart of everything we do with OpRes. 

It is clear from the FCA’s policy statement that its intention is to ensure firms are able to sustain important customer-facing business services, as opposed to focusing on a firm’s ability to survive a significant outage or event. We also sense that much of the feedback firms gave during the FCA’s earlier consultation periods has been absorbed into the policy statement. This is a positive step forward for the financial sector as a whole, particularly at a time when a more forward-thinking and dynamic perspective is required to deliver innovative services to customers through digital channels, powered by modern IT architectures.

Indeed, there are a lot of new rules for organisations to demonstrate compliance with. However, for us at OpRes, it is pleasing to see that the structures and frameworks we are building into our proposition are symbiotic with the steps that the FCA is asking firms to adhere to.

The paper does lean very much towards supporting larger “enterprise” firms in understanding and preparing their respective responses. However, many of these larger organisations are beginning to adopt smaller FinTech products through SaaS consumption models. It is therefore equally important for those FinTech firms to scale up their “enterprise readiness” and ensure their own houses are in order, particularly as a greater level of scrutiny is being placed upon 3rd, 4th and 5th party suppliers in the policy amendments. 

Coincidentally, this is where we believe OpRes fits into the industry: consumed either as a multi-tenant SaaS solution for scale-up FinTechs, or through a more tailored single-tenant, privately hosted installation for our enterprise customers. 

Critical Milestones Are Looming

The policy statement sets a number of key milestones which firms need to meet in order to implement their responses to the new rules. Over the course of the next year, firms are required to industrialise their respective responses and frameworks for operational resilience. This means mapping their important business services and understanding the people, process, technology and facility requirements that need to be in place for those services to function within their respective impact tolerances. 

By the 31st March 2022, organisations are expected to have identified their important business services, set their impact tolerances, and identified any gaps that may cause harm to their customers. Over the following 3 years, organisations are expected to remediate these gaps with interventions and to adequately document their understanding of potential disruptions through a series of scenario testing events. When you consider that many firms will have hundreds of business services across multiple channels and products, the next few years will no doubt be a very busy period for the financial sector. 

During this period, it is important to stress that, whilst firms conduct this scenario testing, they are expected to remain within “their impact tolerances as soon as reasonably practicable, but no later than 3 years after the rules come into effect on 31 March 2022”. 

The policy statement provides examples of 3 types of firm, so that organisations can relate their respective businesses to them. Having studied the policies closely, it is our opinion that there is a degree of flexibility for firms of different scales and sizes to adhere to the rules without having to over-engineer their responses. 

That said, there are a number of “must have” requirements that firms must follow. Recommendations submitted by some firms during the consultation process also support the use of a wider set of metrics that orientate more towards “DevOps” and cloud-friendly data points. This is something that we at OpRes have advocated for many years, and we are pleased to see this step forward. See section 3.16 of the paper for more information. 

The vast majority of the policies sit very closely with the previous drafts published during the consultation process. We’ve unpacked some of the key data and information from the policy document in the next passage of this blog. 

What does your organisation need to know? 

The Clock is Ticking: Firms must, if they have not already done so, begin to map their important business services. The FCA defines important business services as those that “if disrupted, could potentially cause intolerable harm to the consumers of the firm’s services or risk to market integrity”. 

Therefore, as part of this mapping activity, it is wise for organisations to also understand the classification of the data that traverses and is exchanged across their important business services. As a standard, the FCA recommends that the information captured on important business services be reviewed every year for material changes; specifically, those that could cause a significant fluctuation in a firm’s ability to meet its predefined impact tolerances. 

Set Impact Tolerances: Upon identifying their important business services, firms must set their impact tolerances “using time and duration as mandatory metrics, when measuring impact tolerances”. The impact tolerances that are set should also “specify that an important business service should not be disrupted beyond a certain period of or point in time”. Based on our experience, it is therefore essential that firms understand, at the very least, the following data points across their internal IT teams, their 3rd and 4th party suppliers, and the hand-offs between each team. Namely:

  • Service Level Agreements.

  • Service Level Objectives.

  • Service Level Indicators.

  • Recovery Time Objectives.

  • Recovery Point Objectives. 

  • Incident Notification Windows across all severity levels. 

  • Incident Restoration Windows across all severity levels.  
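As an added worked example (our illustration here, not text or code from PS21/3 or from the OpRes platform), the following Python reconciles the SEV-1 notification and restoration windows of every party in a service map against the firm’s time-based impact tolerance for that service. The service name, the supplier names, their windows and the tolerance are all constructed, and the recovery model (the outage starts at the deepest supplier on the worst path, and each hop adds its own notification lag plus its restoration window) is our assumption; a firm would substitute the figures from its own SLAs and incident process.

```python
# Added illustration: check a mapped business service, including its 3rd and
# 4th party suppliers, against a time-based impact tolerance.
from dataclasses import dataclass, field, replace
from datetime import timedelta
from typing import Dict, List, Tuple


@dataclass
class Dependency:
    """One node in the map of an important business service.

    Windows are the SEV-1 figures each party commits to in its SLA and
    incident process. The party labels are our own convention."""
    name: str
    party: str                  # "internal", "third_party" or "fourth_party"
    notify_window: timedelta    # time until this party tells its consumer it is down
    restore_window: timedelta   # its SEV-1 restoration window / RTO
    depends_on: List[str] = field(default_factory=list)


def longest_recovery_path(deps: Dict[str, Dependency], root: str) -> Tuple[timedelta, List[str]]:
    """Worst-case time to restore `root` and the chain that produces it.

    Assumption (ours): recovery is serial, so every hop on the chain adds its
    own notification lag plus restoration window. A dependency cycle is an
    error in the map and raises ValueError."""
    memo: Dict[str, Tuple[timedelta, List[str]]] = {}
    on_stack = set()

    def visit(name: str) -> Tuple[timedelta, List[str]]:
        if name in memo:
            return memo[name]
        if name in on_stack:
            raise ValueError(f"dependency cycle through {name!r}")
        on_stack.add(name)
        node = deps[name]
        own = node.notify_window + node.restore_window
        best: Tuple[timedelta, List[str]] = (own, [name])
        for child in node.depends_on:
            child_time, child_path = visit(child)
            if own + child_time > best[0]:
                best = (own + child_time, [name] + child_path)
        on_stack.discard(name)
        memo[name] = best
        return best

    return visit(root)


def tolerance_check(deps: Dict[str, Dependency], root: str, impact_tolerance: timedelta) -> dict:
    """Compare the worst-case recovery of `root` with its impact tolerance."""
    worst, path = longest_recovery_path(deps, root)
    shortfall = max(timedelta(0), worst - impact_tolerance)
    return {
        "service": root,
        "worst_case_hours": worst.total_seconds() / 3600,
        "critical_path": path,
        "within_tolerance": worst <= impact_tolerance,
        "shortfall_hours": shortfall.total_seconds() / 3600,
    }


def with_intervention(deps: Dict[str, Dependency], name: str, **changes) -> Dict[str, Dependency]:
    """Copy of the map with one node's fields changed, so a proposed
    intervention can be assessed against the tolerance before it is funded."""
    updated = dict(deps)
    updated[name] = replace(deps[name], **changes)
    return updated


# Constructed sample map for a hypothetical "payments_service". Names and
# windows are illustrative, not any real firm's or supplier's figures.
SAMPLE_MAP = {
    "payments_service": Dependency("payments_service", "internal",
                                   timedelta(0), timedelta(hours=1),
                                   ["payments_gateway_saas", "core_ledger"]),
    "payments_gateway_saas": Dependency("payments_gateway_saas", "third_party",
                                        timedelta(minutes=30), timedelta(hours=4),
                                        ["cloud_region"]),
    "core_ledger": Dependency("core_ledger", "internal",
                              timedelta(minutes=15), timedelta(hours=2)),
    "cloud_region": Dependency("cloud_region", "fourth_party",
                               timedelta(hours=1), timedelta(hours=8)),
}
IMPACT_TOLERANCE = timedelta(hours=8)   # assumed tolerance set by the firm

if __name__ == "__main__":
    print(tolerance_check(SAMPLE_MAP, "payments_service", IMPACT_TOLERANCE))
    # Candidate intervention (assumed): the gateway gains multi-region failover,
    # so the single cloud region is no longer a dependency of the service.
    remediated = with_intervention(SAMPLE_MAP, "payments_gateway_saas", depends_on=[])
    print(tolerance_check(remediated, "payments_service", IMPACT_TOLERANCE))
```

On the constructed map the worst case runs through the 4th party region (14.5 hours against an 8 hour tolerance, a 6.5 hour shortfall), which is the kind of gap the 31st March 2022 milestone asks firms to have identified; the second call shows the same check applied to a candidate intervention, which is how a firm can prioritise remediation within the 3 year transition period rather than discovering the shortfall during a live event.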

Jump Start Scenario Testing: Upon completion of these steps, firms should be in a much better position to ready themselves for scenario testing, or at the very least to begin considering the conditions that could significantly disrupt their business services’ everyday operations. If there is one thing the last 12 months have told us, it is that there are events that even the best-prepared organisations fail to foresee, whether socioeconomic, political, or pervasive events such as the global pandemic we have all faced. By asking themselves tough questions, firms will be able to identify the chinks in their armour across people, processes, technology and facilities, and begin to put in place the right treatment strategies. 

3 Year Transition: Firms will have a 3 year transition period in which to reach a position where they can sustainably operate within their impact tolerances and, where required, put in place interventions. These interventions will vary drastically across firms based on their pre-existing technology investments, the complexity of their business services, and the scale of their operations. This will be a challenging undertaking. However, it can be seen as an opportunity for firms to truly reimagine how they architect their business services and provide operational capabilities across their routes to production. 

Other Noteworthy Insights

Customers Want Stability: The FCA cited that those organisations that are able to sustain their impact tolerances will invariably have a competitive advantage over their industry peers. Yes, customers want ease and convenience for their everyday banking needs. However, they also want reliability and confidence that their hard-earned cash is in safe hands. The FCA goes so far as to say “We consider that consumers may be more likely to choose firms that are more resilient to operational disruptions.”

Resilience is Mission Critical: The FCA highlighted that “the disruption caused by the coronavirus (Covid-19) pandemic has shown why it is critically important for firms to understand the services they provide and invest in their resilience”. Throughout the document there is almost an undercurrent of the FCA encouraging firms to think more radically about the worst-case scenarios that could impact their operational resilience. 

Supply Chain Dependencies: A great deal of emphasis is placed on 3rd party suppliers, most likely a consequence of the growing adoption of public cloud across financial markets and, more broadly, a deep dependency on outsourced managed services. Indeed, the FCA doesn’t ignore the necessity for firms to also understand their wider supply chain hand-offs, pointing out that “ultimately, if a third-party provider supplying an important business service to a firm fails to remain within impact tolerances, that failure is the responsibility of the firm”. 

Established Frameworks: Perhaps most interesting to us here at OpRes were the requests by several firms for the FCA to “provide templates for various parts of the exercise”. This is something the FCA declined to do, citing the unique nature, scale and diversity of the firms covered by the policies. Whilst we understand their position on this front, we do believe that a standard framework for mapping business services end to end can be applied across the industry, perhaps even, over time, allowing firms to securely share information with one another regarding their own operational resilience posture and supply chains. This is particularly relevant as we see more standard reporting frameworks being established under the European Commission’s proposed Digital Operational Resilience Act (DORA). 

In Closing

In the coming weeks, we will share more insights around how OpRes enables firms to respond to the policies defined in “PS21/3 - Building Operational Resilience”. We will also start to cover the policies published by regulators in other regions and how our platform supports them. 

It is evident that there is a long road ahead for firms as they build a deeper understanding of their operational resilience. It is also understandable that the FCA is taking this set of policies seriously and has very clear expectations of firms to be compliant as soon as possible. 

If you have any questions about OpRes, our product roadmap, and how your organisation can benefit from our product then please do not hesitate to get in touch via email: hq@opres.uk 

Thanks for reading as ever!

Ben
