Third parties still a challenge as operational resilience deadline approaches

Since March 2021, when the FCA, the PRA and the Bank of England published their long-awaited policy statements on operational resilience, financial firms have been focussed on understanding and mapping their important business services, setting impact tolerances and making decisions on scenario testing in preparation for providing a self-assessment. This has been an ongoing journey of self-discovery.

Trade body UK Finance has been helping its members prepare for the new regulations. The organization surveyed a working group in May 2021 to assess their progress and carried out the same exercise again in September. The survey revealed some interesting trends emerging ahead of the March 2022 deadline.

First, the number of important business services identified by financial firms has reduced as the year progressed. Firms have been crystalising the definition of what’s important and closely analysing what could cause ‘intolerable harm’ if a service failed. Naturally, there has been a knock-on effect on the impact tolerances involved. As firms come to grips with their important business services, maximum disruption times have also been revised.

Secondly, a number of companies have delayed the self-assessment. When UK Finance members were surveyed in May, most expected to test their plans in October. It now appears many postponed the exercise to January 2022. There are two reasons: mapping important business services and impact tolerances has been more complicated than expected, and the self-assessment planning process is taking longer too.

At the UK Finance COO Forum in December, participants were asked how their plans were progressing. Many are still in the early stages, finalising the mapping of important business services and setting impact tolerances; only a few had completed scenario testing and documented a self-assessment. With the deadline approaching, they had much to share with each other about their challenges and the lessons learned so far.

Important business services

Firms have delineated what constitutes an important business service in different ways. But nearly all followed the trend of revising their important business services and reducing the overall total number. One COO said he focussed on one question: would failure of this specific service cause intolerable harm to customers? It was tempting to look at existing operational risk frameworks and business continuity plans, but he acknowledged that while there is overlap, they aren’t the same thing. By targeting its efforts, the firm reduced its number of important business services to five.

The same COO also developed a scoring mechanism to support the self-assessment, which was created from the firm’s information security framework. Here’s how it works: A small group of people from the senior management team score each important business service and develop a risk rating. These are tested and sent to the board for review. When seeking approval for the mapping of important business services, it’s been agreed that the board won’t be presented with detailed maps; instead, they will review the approach taken, key decisions made, and sign offs provided by key stakeholders along the way.

Scenario testing

Firms will need to mature their scenario testing over time, in line with the strategies currently being documented, according to Laura Moore, director at Protiviti UK, who hosted the event. According to Moore, many have developed libraries of hypothetical situations that could impact their organizations, from plausible scenarios, such as the failure of a key supplier, to more severe situations, such as terrorist threats. Firms typically start with desktop scenario testing to provide a level of assurance over response and recovery for important business services, and to identify any action needed, she said.

During the forum, one COO described how her firm was currently using desktop testing. The team explored replicating existing testing used in the business, including stress testing, to support its operational resilience plans. This process led to questions about what causes intolerable harm, and the possibility of the whole organisation failing, and how they could even test that scenario.

Another participant explained how his firm used real-life events to inform the process. Specifically, a recent evacuation of the head office as a result of the pandemic created an ongoing scenario and an opportunity to assess what could be done if the same thing happened again.

Third parties

The issue of third parties was a key area of discussion at the forum. As firms have progressed their understanding of the new regulations, they have largely focussed on their own operations. But the impact of their suppliers and their ability to meet the firm’s impact tolerance(s) remains an area that requires more engagement and focus.

Most COOs are falling back on existing agreements with suppliers. They are using contracts to determine how they would respond in the event of a disruption. However, this is not always easy to control, especially when it comes to technology infrastructure and its network effect. If a broadband supplier goes down, for example, then the ripple effect would move across firms and industries very quickly, with these suppliers outside of the remit of the regulators.

Firms and regulators acknowledge that mapping and testing are iterative and will become more sophisticated as the regulations unfold. But most COOs believe that conversations about third party suppliers will dominate in the months and years ahead. There is a trend to work with third parties especially technology platforms and their ability to recover from disruption will remain closely linked to many industries.

Management information and reporting

Firms are learning to strike a balance when reporting on operational resilience. To date, they have typically focussed on project reporting to meet the March 2022 deadline. As firms identify their important business services, they are seeking to develop key metrics and dashboards, updated in real time, to report when these services come under distress, using a traffic light system to indicate when information should be escalated to senior executives. Some COOs are keen to keep any warnings in perspective.

One participant warned of firms over reporting because operational resilience is of great interest. He suggested that tolerances could be set too low for internal reporting, especially considering the notion of ‘intolerable harm’. There is a well-trodden path of incident reporting and problem management, but that doesn’t feel the same as what’s needed here, he said, adding that there is a risk of firms being on a permanent state of alert.

What’s next?

The UK Finance COO Forum revealed what’s happening behind the scenes as firms prepare to meet the first deadline for operational resilience regulations in March 2022. The event showed that COOs are making good progress, but they continue to grapple with the challenge of third parties. They have been able to focus on their own resilience, but less so when it comes to their suppliers. This will be an area for improvement in 2022 and beyond.

As the deadline approaches, conversations about operational resilience across industries with key providers such as cloud and broadband companies will continue to dominate discussions. Many firms are also heavily invested in third party platforms to help them with payments, compliance, and service delivery.

It’s going to be a fascinating period of time ahead for firms and regulators too to truly understand how operational resilience can work outside the four walls of their respective organizations.

UK Finance’s COO Network event, which was held in association with Protiviti, took place on 7 December 2021 online. For more information and to find out more about the work of UK Finance, contact head of member communities Zoe Bailey.

For more information on Protiviti’s work on operational resilience, please contact Laura Moore.

Click below to read key takeaways from previous sessions