The enhancement of operational resilience


It’s no wonder that the FCA and the PRA have come together to call for the enhancement of operational resilience in firms and financial market infrastructures (FMIs).

May you live in interesting times

We certainly are at the moment. Financial service providers and regulators are wrestling with the uncertainty of what the UK’s exit from the European Union means, the threat of pandemics is leading to the isolation of workers and a reduction in productivity, and continuing oversight failures by companies and fund managers are creating huge financial losses and losses to confidence.

In addition cybersecurity breaches are leaving companies vulnerable to being held to ransom (which threatens to destabilise our electronic support systems) and we should not forget the seemingly humdrum day-to-day challenges caused through the widespread adoption of the Conduct Rules (COCON) under the regulators’ Senior Managers and Certification Regime (SMCR), the transitioning from LIBOR to SONIA (or ESTER or SOFR or SARON, etc.), the adoption of the fifth Anti-Money Laundering Directive (5AMLD) with its inclusion of cryptoassets and ultimate beneficial ownership registers, not to mention the huge shift of focus from traditional methods of valuation to ones that incorporate environmental, social and governance (ESG) values. I am sure you could also add many more.


Firms and FMIs need to identify and document the people, processes, technology, facilities and information (resources) that support their important business services in a resources map.

CP19/32 (FCA) and CP29/19 (PRA) were released in December 2019 launching a consultation into Building operational resilience: impact tolerances for important business services. In these papers, the regulators strongly encourage firms to take ownership of their own operational resilience and to prioritise their resources based on the impacts to the public interest, as represented by the authorities’ objectives. A risk management approach to operational resilience that requires firms to focus more effort and resources on achieving the continuity of their important business services, and not just on recovery of the underlying systems and processes.

The regulators outline their approach as follows:

Identify important business services

Important services are those that, if disrupted, could cause intolerable harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system. That is, they pose a threat to one or more of the regulators’ statutory objectives. The regulators will not create a list of these services, stating that this should be something that firms decide themselves individually and collectively.

They do state, however, that an investment service should be an identifiable service. For example, an ATM providing the ability to withdraw cash and check balances should be treated as two separate services. The user of the investment service must also be clearly identifiable.

Set impact tolerances

Firms and FMIs need to set maximum tolerable disruption limits. This could be based on, among other things, a maximum duration of the disruption, the number of clients that are likely to be impacted, the financial loss to clients and impact on market confidence.

Map resources that support important business services

Firms and FMIs need to identify and document the people, processes, technology, facilities and information (resources) that support their important business services in a resources map.

This resources map should assist in the prioritisation of investment in operational resilience. For example, it may more prudent to replace newer electronic equipment in areas where disruption could pose a threat to the continuity of important business services, than to replace older equipment in areas that would not.

The mapping will also allow firms and FMIs to identify any gaps in the resources they use, which can be remedied as appropriate.

Test the resilience

A range of severe but plausible disruption scenarios should be used to test the resilience of the existing resources and the impact tolerances set.

The regulators emphasise that impact tolerances assume a disruption has occurred. Testing the ability to stay within impact tolerances, therefore, should not focus on preventing incidents or the probability of the incident taking place.

The regulators, again, leave the details of events chosen up to individual firms, but these could include: corruption, deletion or manipulation of critical data; unavailability of facilities or key people; unavailability of third-party services; and loss or reduced provision of technology.

Learn from the tests

Firms and FMIs should use the results of the tests to identify any areas of weakness, prioritise those for improvement and invest where necessary. The focus should be placed on continuity of the most important business services, not just the ability to respond and recover from disruptions.

Governance and Self-assessment

Under the SMCR, the Chief Operations Function (SMF24) is the senior manager responsible for managing the internal operations of the firm. Within the SMCR there are prescribed responsibilities for senior managers, which include the management of the firm’s risk management processes, and managing and reporting on the firm’s internal stress tests. Where firms do not have an individual performing the SMF24 function, it will be for the firm to determine the most appropriate individual within the firm who is accountable for operational resilience.

To demonstrate appropriate and effective oversight, boards should be able to evidence that they are satisfied the firm is meeting its responsibilities in respect of operational resilience. This includes aspects relating to the identification of important business services, mapping and setting impact tolerances, as well as the firm’s ability to remain within these tolerances. This should form part of the firm’s self-assessment document, which needs to be available for the regulators on request.

CISI Diploma in Investment Operations

The Chartered Institute for Securities and Investment (CISI) understand the need for a sound understanding of operational management. Their Diploma in Investment Operations is a Level 6 qualification that culminates in the Global Operational Management (GOM) paper. GOM is designed for operations managers seeking to qualify their experience through a formal exam or enhance their understanding of the many areas of operations management.

It is considered the most appropriate specialist qualification for those who hold a supervisory level position and are aspiring to hold a senior management role in investment operations.


About Author

Part of the Fitch Group, Fitch Learning partner with clients to enhance knowledge, skills and conduct. Our areas of expertise include: Professional Qualifications Public Courses Corporate Solutions

Leave A Reply