New Operational Resilience rules about to come into effect

The FCA reminded firms again today about its new Operational Resilience rules, which go live at the end of March 2022. Key takeaways that firms should have in place by this date, and that will allow them to have a credible self-assessment document, include:

  1. Identify important business services. Note that these are services that affect consumers, not internal ones such as payroll. Additionally, it is important to document the rationale for how you decided what made the list, including metrics.

  2. Set impact tolerances and plan to avoid breaching them, rather than focusing on how you’d recover. When setting them, ensure the focus is on the effect on consumers and markets, not your own firm, and avoid using your recovery time objectives as your impact tolerances. As above, evidence your workings: how do you get to your final position?

  3. Map and test to a level of sophistication that enables you to gain comfort around your answers to points 1 and 2 and to identify vulnerabilities. Lessons learned should be documented. The FCA noted that firms should very much be in the testing phase right now.

  4. Develop internal and external communications plans, covering both how you are complying with the new rules and how you will deal with breaches.

  5. Prepare your self-assessment document. Note that the FCA and PRA supervision teams can and will be asking firms for this document from 1 April 2022 onwards.

Boards need to:

  1. Review, understand and, once satisfied, approve the self-assessment.

  2. Regularly review and challenge senior management regarding the approach to operational resilience.

Do get in touch if you have any questions regarding complying with the new rules.
