Building the UK Financial Sector’s Operational Resilience


In a year that has seen increased operational disruption caused by cyber-attacks, failed outsourcing and technological change, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority published, on 5 July 2018, a joint discussion paper, “Building the UK financial sector’s operational resilience”, setting out an approach to improving the operational resilience of the financial system, of individual firms and of the financial market infrastructures (“FMI”) within it.

The focus is on operational resilience: the ability of entities and infrastructures to respond to, recover from and learn from operational disruptions, whether caused by a cyber-attack or by any other source of disruption. The paper looks at the need to adapt and recover when things go wrong, to ensure the continuity of the most important business services, and to enable speedy and effective communication with the people most affected.

It is envisaged that boards and senior management can achieve better standards of operational resilience through an increased focus on setting, monitoring and testing impact tolerances for key business services, which define the amount of disruption that could be tolerated (“impact tolerance” testing). Assurance is being sought from firms that they are taking steps to ensure the continuity of their most important business services, and that boards and senior management are sufficiently engaged to keep operational resilience high on boardroom agendas, noting that such resilience is a product of the governance, culture, corporate structure, controls and regulatory framework of the firm or FMI. To ensure operational resilience, boards and senior management will need to agree the standards they expect the executive of a firm or FMI to meet. Directors and senior management should be aware of the increased scrutiny that will be applied to their approach to this area of risk.

This approach is consistent with the recent Financial Stability Report of the Bank of England’s Financial Policy Committee (“FPC”), which is referenced in the paper. Whilst that report focuses solely on disruption following cyber incidents, it sets out an “impact tolerance test” which looks at the time after which disruption to services could cause material economic impact, and it is expected to form a framework from which the UK’s financial regulators will build their own tolerances, expectations and approaches. Once such an impact tolerance has been established, the FPC will measure the ability of other firms to meet the same standards, and a minimum level of service provision will be set, at least in the context of “key economic functions” and for “key providers”.

Questions are raised throughout the paper; the deadline for responses is 5 October 2018.

Further reading: Building the UK financial sector’s operational resilience.