How OpRes Answers Global Operational Resilience Policies, Regulations & Guidance

Published by Ben Saunders - OpRes Founder

Roughly a 4-minute read

Introduction:

Regulation, regulation, regulation. Like taxes and death, it's a sure-fire thing to expect in life. Particularly in financial services! For some, regulation can be seen as a hindrance to delivering great products and subsequent change at speed. Whilst for others, regulation can be seen as an opportunity to put in place safeguards and intelligent ways of working that protect the customer, the firm, and the wider market. 

The challenge many firms face, particularly those that operate across borders, is that there are multiple regulatory requirements to administer. Some are more complex than others, and in some instances regulations may contradict or supersede one another. The result is months, if not years, of effort to implement responses and solutions that satisfy regulators, only for the changes to become obsolete or diminish in importance over time.

Last week, we were talking with a potential customer about OpRes and discussing the regulatory requirements set forth by the PRA and FCA regarding operational resilience. Slowly but surely, we veered into discussing the Digital Operational Resilience Act (DORA), while touching on material outsourcing to the public cloud and the wider third-party risk management agenda. Indeed, we see these various regulatory requirements as intertwined and implicit to ensuring sound operational resilience for firms moving forward.

Over the course of this blog, we will tease out various regulatory requirements and their respective policies as stipulated by bodies across the globe, while explaining how OpRes enables firms to build strategies that fulfil their operational resilience obligations. In short, we will discuss how OpRes supports firms in demonstrating compliance with the following regulations, guidelines, and proposals:

  1. PRA Policy SS1/21 - Operational Resilience: Impact Tolerances for Important Business Services 

  2. PRA Policy SS2/21 - Outsourcing & Third-Party Risk Management

  3. FCA Policy PS21/3 - Building Operational Resilience 

  4. EBA/GL/2019/02 - Guidelines on Outsourcing Arrangements 

  5. FG16/5: Guidance for Firms Outsourcing to the ‘Cloud’ and Other Third-Party IT Services

  6. European Union - COM/2020/595 - Regulation of the European Parliament and Of The Council on Digital Operational Resilience for the Financial Sector and Amending Regulations

1. Mapping Important Business Services: PRA Policy SS1/21, SS2/21 & FCA Policy PS21/3

Both the FCA and PRA have set the expectation that firms must, if they have not already done so, begin to map their important business services. The FCA defines an important business service as one that, if disrupted, could cause intolerable harm to the consumers of the firm's services or pose a risk to market integrity.

With OpRes, firms are able to map their important business services end to end, breaking down each of the steps, sub-processes, and workflows that comprise the important business service, irrespective of its channel. Firms are also able to map the technology systems, service providers, and key subject matter experts, as well as the key third- and fourth-party suppliers that underpin the important business service and its operational requirements. Finally, each business service can be assigned a tier or categorisation, and the user can define material risk-takers and the data classification of the important business service.

Mapping Important Business Services in OpRes

Important Business Service Dependency Map & Customer Journey

2. Setting Impact Tolerances: PRA Policy SS1/21 & FCA Policy PS21/3

If you are not familiar with the operational resilience policy updates published by the FCA and PRA, then the term "impact tolerance" may well be a new concept to you. In their policy statements, the PRA and FCA define an impact tolerance as "the maximum tolerable level of disruption to an important business service or an important group of business services, as measured by a length of time in addition to any other relevant metrics". Firms have until 31 March 2022 to set these initial impact tolerances. So the clock is ticking!

By using OpRes, firms can set what we call an initial set of Impact Tolerance Baselines. These are essentially indicators or trigger alerts that enable firms to identify early warning signals across their important business services against a set of pre-defined operational measurements. We do this provisionally across:

  • Service Level Agreements

  • Service Level Objectives

  • Recovery Point Objectives

  • Recovery Time Objectives

  • The Volume of Transactions Per Second

  • Transaction Response Times

  • Incident Notification Timeframes (Sev 1-4)

  • Incident Restoration Timeframes (Sev 1-4)

We have made a conscious decision to start with these initial baselines, as we believe they are the key data points that will allow firms to build a dynamic operational resilience framework ahead of the March 2025 deadline set by both the PRA and FCA.
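To make the idea of a baseline concrete, here is an added example of how such early-warning checks can be expressed in code. It is illustrative only and is not OpRes code; the service, the metric names, the limits and the sample telemetry are all constructed for the example. The one design point worth noticing is that not every measurement degrades in the same direction: durations (RTO, RPO, response time, incident timeframes) breach when they go up, whereas throughput and availability breach when they go down, so each baseline carries that direction explicitly rather than relying on the reader to remember it.

```python
"""Impact tolerance baseline checks, as an illustrative model (not OpRes code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Baseline:
    """One operational measurement with its tolerance limit and an early-warning threshold.

    higher_is_worse=True for durations (RTO, RPO, response times, incident
    notification/restoration timeframes); False for throughput and availability,
    where dropping below the limit is the degradation. warn_at must sit on the
    healthy side of limit so a warning always precedes a breach.
    """
    metric: str
    limit: float
    warn_at: float
    unit: str
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        healthy = self.warn_at < self.limit if self.higher_is_worse else self.warn_at > self.limit
        if not healthy:
            raise ValueError(f"{self.metric}: warn_at must lie on the healthy side of limit")

    def status(self, value: float) -> str:
        breached = value > self.limit if self.higher_is_worse else value < self.limit
        warned = value >= self.warn_at if self.higher_is_worse else value <= self.warn_at
        if breached:
            return "breach"
        if warned:
            return "warning"
        return "ok"


# Constructed baselines for a hypothetical retail payments service. The figures
# are illustrative and are not taken from any regulator's guidance.
RETAIL_PAYMENTS_BASELINES: List[Baseline] = [
    Baseline("rto_minutes", limit=120, warn_at=90, unit="min"),
    Baseline("rpo_minutes", limit=15, warn_at=10, unit="min"),
    Baseline("availability_pct", limit=99.9, warn_at=99.95, unit="%", higher_is_worse=False),
    Baseline("sustained_tps", limit=500, warn_at=600, unit="tx/s", higher_is_worse=False),
    Baseline("p95_response_ms", limit=2000, warn_at=1500, unit="ms"),
    Baseline("sev1_notification_minutes", limit=60, warn_at=45, unit="min"),
    Baseline("sev1_restoration_minutes", limit=240, warn_at=180, unit="min"),
]


def evaluate(observed: Dict[str, float], baselines: List[Baseline]) -> Dict[str, str]:
    """Map each baseline metric to ok/warning/breach.

    A metric with no telemetry in the window is reported as "unmeasured" rather
    than silently passing, so a gap in monitoring is visible in the report.
    """
    result: Dict[str, str] = {}
    for b in baselines:
        if b.metric in observed:
            result[b.metric] = b.status(observed[b.metric])
        else:
            result[b.metric] = "unmeasured"
    return result


SEVERITY_ORDER = {"ok": 0, "unmeasured": 1, "warning": 2, "breach": 3}


def overall(report: Dict[str, str]) -> str:
    """Worst status across the report; an empty report is treated as ok."""
    return max(report.values(), key=SEVERITY_ORDER.__getitem__, default="ok")


# Constructed sample telemetry for one reporting window.
SAMPLE_OBSERVED: Dict[str, float] = {
    "rto_minutes": 95,           # inside the limit but past the early-warning threshold
    "rpo_minutes": 5,
    "availability_pct": 99.85,   # below the 99.9% floor
    "sustained_tps": 700,
    "p95_response_ms": 2300,     # above the 2000 ms ceiling
    "sev1_notification_minutes": 30,
    # sev1_restoration_minutes deliberately absent: no Sev 1 incident this window
}

if __name__ == "__main__":
    report = evaluate(SAMPLE_OBSERVED, RETAIL_PAYMENTS_BASELINES)
    for metric, status in report.items():
        print(f"{metric:28s} {status}")
    print("overall:", overall(report))
```

Run as a script it prints one line per metric and the overall status for the window (here a breach, driven by availability and response time). The early-warning band is what turns this from a pass/fail gate into a leading indicator: a 95-minute RTO is still within the 120-minute limit, but it is flagged so that someone looks before the next test turns it into a breach.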

Setting Impact Tolerance Baselines in OpRes

By using OpRes, firms can also document their actual impact tolerances and capture their justifications (i.e., the point at which intolerable harm would be caused to the customer, the market, or the firm). Firms are also able to demonstrate periodic reviews and amendments of impact tolerances, in line with the requirements set out by the PRA and FCA.

In addition, firms can validate impact tolerances using the Resilience Calculator, which works from data points such as total transactions, the total volume of customers, and a product's financial volume on the firm's balance sheet to determine the potential impact of a severe but plausible scenario.

Adding Impact Tolerance Justifications in OpRes

Demonstrating Periodical Impact Tolerance Reviews in OpRes

3. Identifying Critical & Important Functions: EBA Guidelines - GL/2019/02 

In 2019, the EBA published its Guidelines on outsourcing arrangements, aimed at the material outsourcing of critical and/or important functions that could "impact on the financial institution's risk profile or on its internal control framework", namely which systems and suppliers would cause intolerable harm to the firm, its customers, or the market if a significant service disruption were experienced. The EBA stated that firms should consider a function to be critical or important in the following scenarios:

“Where a defect or failure in its performance would materially impair: 

  1. Their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations.

  2. Their financial performance. 

  3. The soundness or continuity of their banking and payment services and activities.”

By using the important business service mapping capabilities within OpRes, firms can break down each step of an important business service. Within each step they can add multiple systems and suppliers and record whether each is critical or important to the delivery of normal service operations to customers.

Setting System & Supplier Criticality in OpRes

4. Measure Cloud Concentration Risks: FCA Guidance FG16/5

In a recent blog, we discussed the PRA's heightened concern around a growing reliance on a small number of cloud service providers, as well as heightened scrutiny of software vendors delivering critical services across financial services (e.g. bank-in-a-box platforms, core insurance products, trading systems). In its guidance, the FCA points out that firms must "monitor concentration risk and consider what action it would take if the outsource provider failed".

With OpRes, firms are able to identify the critical and important service providers that underpin their business services. They are also able to capture, at a component level, which cloud services are being used across the likes of AWS, Azure, and GCP. For example, which third-party SaaS supplier is running on AWS and consuming S3, EC2, and RDS? Or, across the firm's self-built and maintained Azure landing zone, which important business services are using Azure Blob Storage, Azure Database for MySQL, and Azure DevOps? Capturing this at the service level, rather than only at the provider level, is what lets a firm see when several apparently independent suppliers share the same underlying dependency.

Furthermore, firms are also able to use OpRes to evidence their exit strategies from a respective supplier or cloud service provider. They can do this by adding supporting documents via the Supplier Compliance Portal, which we covered in a recent blog.

Measuring Cloud Concentration Risks in OpRes

5. Scenario Testing of Severe but Plausible Scenarios: PRA SS1/21 & FCA Policy PS21/3

We previously outlined the key considerations firms should analyse when building a scenario testing framework for their important business services, and covered the data points that underpin a sound scenario testing strategy, particularly during early-stage simulations. With OpRes, firms are able to conduct scenario testing simulations to ascertain the material impact of losing a critical technology system or supplier, and to understand how this impact would cascade across the firm, based on the system's or supplier's relationships with other important business services.

Scenario Testing in OpRes: Business Management information & Incident Correlation

Users can correlate operational, financial and economic data points to validate the impact of a service disruption to an important business service.

Impact Analysis Simulation Tool in OpRes

Users can execute simulations for scenario testing to determine the financial impact on both potential customers and active customers, as well as the material impact on the firm over the course of a service disruption, whether it lasts for seconds, minutes, hours or days.

Downstream Business Service Impact Analysis - Key Supplier Disruption

Users are able to identify wider impacts to additional business services when a service disruption has been experienced by one or more systems and suppliers, as well as understanding the potential financial and economic risk and impact on the firm.
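The concentration measurement in section 4 and the downstream impact analysis in section 5 are two questions asked of the same dependency map, so here is one added example that answers both from a single model. It is illustrative code, not OpRes code, and every provider, cloud service, supplier, system and business service in it is constructed for the example; real maps are larger and messier. The map is a directed graph from important business services down through systems and third parties to cloud services and providers, with a fourth party (a supplier's own supplier) included to show that the cascade does not stop at the firm's direct contracts. Walking the graph in the reverse direction from a failed node gives the set of business services that would be disrupted; doing that for each provider gives the concentration figure, and doing it for each system and supplier gives a simple, assumed heuristic for which ones are "critical" in the sense of section 3.

```python
"""Dependency map for cloud concentration and downstream impact analysis.

Added illustrative example built on a constructed model; it is not OpRes code
and the suppliers, systems and services named below are hypothetical."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set

# Node kinds, from the customer-facing service down to the cloud provider.
IBS, SYSTEM, SUPPLIER, CLOUD_SERVICE, PROVIDER = (
    "ibs", "system", "supplier", "cloud_service", "provider")


class DependencyMap:
    def __init__(self) -> None:
        self.kind: Dict[str, str] = {}
        self.depends_on: Dict[str, Set[str]] = defaultdict(set)
        self.dependents: Dict[str, Set[str]] = defaultdict(set)

    def add(self, name: str, kind: str, depends_on: Iterable[str] = ()) -> None:
        self.kind[name] = kind
        for dep in depends_on:
            self.depends_on[name].add(dep)
            self.dependents[dep].add(name)

    def unmapped(self) -> Set[str]:
        """Dependencies referenced but never declared, e.g. a fourth party a
        supplier disclosed that nobody has captured in the map yet."""
        referenced = set().union(*self.depends_on.values())
        return referenced - set(self.kind)

    def impacted(self, disrupted: Iterable[str]) -> Set[str]:
        """Everything that transitively depends on the disrupted nodes."""
        seen: Set[str] = set()
        queue = deque(disrupted)
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            queue.extend(self.dependents.get(node, ()))
        return seen

    def impacted_services(self, disrupted: Iterable[str]) -> Set[str]:
        return {n for n in self.impacted(disrupted) if self.kind.get(n) == IBS}

    def services(self) -> List[str]:
        return sorted(n for n, k in self.kind.items() if k == IBS)

    def concentration(self) -> Dict[str, float]:
        """Share of important business services hit if each cloud provider failed outright."""
        total = len(self.services())
        if total == 0:
            return {}
        return {p: len(self.impacted_services([p])) / total
                for p, k in self.kind.items() if k == PROVIDER}

    def critical_nodes(self, min_share: float = 0.5) -> List[str]:
        """Systems and suppliers whose loss would disrupt at least min_share of
        the important business services. The threshold is an assumption for the
        example, not a regulatory definition of 'critical or important'."""
        total = len(self.services())
        return sorted(n for n, k in self.kind.items()
                      if k in (SYSTEM, SUPPLIER)
                      and total and len(self.impacted_services([n])) / total >= min_share)


def build_model() -> DependencyMap:
    """Constructed map for a hypothetical firm."""
    m = DependencyMap()
    for p in ("AWS", "Azure"):
        m.add(p, PROVIDER)
    m.add("AWS S3", CLOUD_SERVICE, ["AWS"])
    m.add("AWS RDS", CLOUD_SERVICE, ["AWS"])
    m.add("Azure Blob Storage", CLOUD_SERVICE, ["Azure"])
    m.add("Azure Database for MySQL", CLOUD_SERVICE, ["Azure"])
    # Third parties, plus one fourth party (DataBroker sits behind KYC-Vendor).
    m.add("DataBroker", SUPPLIER, ["AWS S3"])
    m.add("PaymentsSaaS", SUPPLIER, ["AWS S3", "AWS RDS"])
    m.add("KYC-Vendor", SUPPLIER, ["AWS RDS", "DataBroker"])
    m.add("CardProcessor", SUPPLIER, ["Azure Blob Storage"])
    # Internal systems; Core Banking is shared by every downstream system.
    m.add("Core Banking", SYSTEM, ["Azure Database for MySQL"])
    m.add("Payments Gateway", SYSTEM, ["PaymentsSaaS", "Core Banking"])
    m.add("Onboarding", SYSTEM, ["KYC-Vendor", "Core Banking"])
    m.add("Card Auth", SYSTEM, ["CardProcessor", "Core Banking"])
    m.add("Retail Payments", IBS, ["Payments Gateway"])
    m.add("Account Opening", IBS, ["Onboarding"])
    m.add("Card Payments", IBS, ["Card Auth"])
    m.add("Mortgage Servicing", IBS, ["Core Banking"])
    return m


if __name__ == "__main__":
    m = build_model()
    print("unmapped dependencies:", m.unmapped() or "none")
    print("cloud concentration:", m.concentration())
    print("single points of failure:", m.critical_nodes())
    print("loss of DataBroker hits:", m.impacted_services(["DataBroker"]))
    print("loss of AWS RDS hits:", m.impacted_services(["AWS RDS"]))
```

On this model the numbers tell the story the section is making: only two of the four business services sit on AWS directly, but every one of them reaches Azure through the shared Core Banking system, so Azure concentration is 100% and Core Banking is the single point of failure. The fourth party shows up too: losing DataBroker, which the firm has no contract with, still takes down Account Opening through KYC-Vendor. The `unmapped()` check is the practical guard to run before trusting either figure, since a dependency that was named but never declared silently drops out of the cascade.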

6. Digital Operational Resilience Act (DORA) Compliance: European Union Regulatory Proposal - COM/2020/595 

DORA aims to establish a clearer underpinning for EU financial regulators and supervisors to expand their focus from ensuring firms remain financially resilient to also making sure they are able to maintain resilient operations through a severe operational disruption. By establishing DORA, it is expected that firms will establish, or mature, oversight frameworks for their information technology systems. However, rather than the siloed and fragmented approaches you would typically expect on a firm-by-firm basis, DORA aims to harmonise practices around digital resilience testing and risk management.

DORA places an emphasis on operational resilience, and specifically on third-party risk management, by ensuring firms focus on their third- and fourth-party technology suppliers and validate that they are aware of any risks associated with those suppliers' technology solutions. To support this task, firms can use the workflow management capabilities within OpRes to track resilience gaps with their suppliers.

Once again, they can use the Compliance Documentation Portal to track evidence of successful or unsuccessful BCP/DR testing, or alternatively to record whether a supplier is compliant with the relevant ISO standards and PCI DSS. And if not, what is the pathway back to compliance, and what is the firm's mitigation strategy with the supplier?

In addition, by using OpRes, firms can start to establish the sound underpinnings of a unified service management framework by documenting their service level targets and objectives. This is imperative, as DORA aims to standardise incident classification and reporting across financial services in the EU. And finally, last but by no means least, firms can use the OpRes Resilience Calculator to support their digital resilience testing strategies.

Conclusion: 

In the space of ~1500 words, we have covered six compliance and regulatory policies that firms must be cognisant of. Each of these policies and/or consultation papers has its own compelling timeline. We hope that this blog has brought to light not just how intertwined these domains are, but also how OpRes can be applied to support firms as they formulate their respective responses and strategies.

In short, the TLDR version of this blog would be:

OpRes enables financial services firms of all shapes and sizes to:

  1. Map their important business services.

  2. Set impact tolerances for each of these important business services. 

  3. Conduct and demonstrate scenario testing for their important business services. 

  4. Understand and report on their adoption of public cloud services and the concentration of this adoption across their important business services. 

  5. Track and ensure compliance of their third-party and fourth-party suppliers in line with the firm’s risk appetite. 

  6. Monitor and report upon operational resilience indicators and gaps across their important business services. 

Thanks for reading and stay tuned in the coming weeks as we hope to share more about our MVP launch. 

All the best, 

Ben
