Impact tolerances – crystallising risk

Regulatory focus turns to how boards and senior management oversee enhanced operational resilience.

Operational resilience is the ability of financial institutions – and the finance sector as a whole – to prevent, adapt to, respond to, recover and learn from disruptions to their ‘important’ business services; services that, if disrupted, could cause intolerable harm to consumers or risks to market integrity.

Last year, the Bank of England (BoE), Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) together published a new UK regulatory regime focused on the operational resilience of financial institutions. The regime builds on existing requirements and expectations and, both in word and practice, shows that regulators are focused on a key topic: putting boards and senior management at the heart of their firms’ operational resilience enhancement programs.

The regulatory timeline has also been communicated. To meet the 31 March deadline, boards have just had to approve their firms’ self-assessments, describing how they identified important business services, set impact tolerances (not to be confused with risk appetites), mapped their resources and scenario-tested to identify vulnerabilities. However, by 31 March 2025, institutions need to have enhanced their capabilities and sophistication to show they can stay within those impact tolerances.

In our experience with clients since the regime’s introduction, it’s clear that the regulators expect to see developing evidence of truly integrated operational resilience programmes, with board and senior management engagement with how vulnerabilities, risks and threats to firms’ resources are managed. This includes where these resources are provided by outsourcers and other third parties. Taken together, this means that the operational resilience and associated outsourcing and third-party risk requirements need to be regular items on senior management’s corporate governance agenda.

A new regime

The regulators declared that firms' operational resilience is a priority that is ‘no less important than financial resilience,’ reflecting growing global concerns about the financial sector’s preparedness for operational disruption, whether from cyber incidents or other causes.

COVID-19 recently brought home the importance of operational resilience as the marketplace worked to address increased privacy concerns, money laundering risks and market-abuse issues resulting from a newly remote workforce.

Incidents stemming from failed information technology migrations, software changes and hardware failures have left retail customers unable to access their accounts, make payments or use their debit and credit cards. There is also an increased risk of fraud perpetrated by criminals seeking to profit from the disruption, exacerbated by a lack of communication with those impacted, as detailed in the Treasury Select Committee report on IT Failures in the Financial Services Sector.

Meanwhile, customer expectations have evolved – particularly with the entry of FinTech challengers – so that they look for providers to be always ‘on’ and available 24/7. This has transformed the traditional banking model. As institutions grapple with the operational problems that arise from complexity, they change how they use technology – often based on legacy systems – and turn to outsourcing to respond to consumer needs and grow their businesses.

The role of boards and senior management

Impact tolerances

The UK regulators have said that the roles of boards and senior management are central to the operational resilience requirements and aligned this with the focus on individual accountability under the Senior Managers Certification Regime (SM&CR). Boards are specifically required to approve the important business services identified for their institutions and the impact tolerances that have been set for each of these, while overseeing senior management’s actions to tackle any vulnerability that would prevent the firm from remaining within the set impact tolerances.

The BoE, PRA and FCA are looking for evidence that, from 2022, businesses are developing a strategy for operational resilience integrated into the firm’s wider corporate strategy and aligned to business decisions. This is in line with the European Banking Authority’s (EBA) Information Communication Technology (ICT) and Security Risk Management Guidelines.

While risk appetite is the amount of risk that an entity is willing to take on to deliver its strategy and business objectives, an impact tolerance is essentially the maximum amount of harm that can be withstood before becoming an intolerable threat to a firm’s clients, safety and soundness or financial stability.

Impact tolerances are externally focused and based on the assumption that severe but plausible events have happened, rather than focusing on the likelihood and impact of risks occurring. In addition, the impact tolerance is based on severe but plausible scenarios that would exceed a risk appetite because they represent a degree of risk that a firm would not normally wish to undertake.

Critically, impact tolerances give firms a yardstick for testing the key resources – people, processes, technology, information and facilities – that support their important business services, and for measuring the vulnerabilities those tests reveal.

Self-assessments

As part of the self-assessment, an institution must map these resources and their interdependencies, document the identified vulnerabilities, record compliance with the operational resilience requirements and detail planned remediation activity. The holistic nature of this mapping should be noted – operational resilience should not be seen as an information technology (IT) issue alone. The board must sign off on the completed self-assessment and ensure it meets all the required elements. The assessment should be reviewed regularly and maintained as a living document.

Boards and senior management must then turn to the new issues and challenges that inevitably will have emerged through the self-assessment process.

The regulators expect boards and senior management to prioritise investment and culture change in mitigating any identified issues. This will likely be the first major programme of operational resilience activities that boards and senior management will need to oversee and can be expected to be a regular touchpoint in a firm’s regulatory engagement.

Board understanding

Boards hold ultimate accountability for an institution remaining within its impact tolerance, but we’ve seen that ensuring boards have a sufficient understanding of operational resilience can be a major compliance challenge. Boards must demonstrate the necessary knowledge, skills and experience of operational resilience and must be capable of articulating and maintaining a culture of risk awareness and ethical behaviour for the entire organisation.

Without the relevant knowledge, skills and experience, boards will be unable to satisfy the regulatory expectations or to provide constructive challenge to senior management.

To comply, boards must conduct proactive and regular reviews of progress against their operational resilience programmes to ensure that important business services, impact tolerances and related documentation remain fit for purpose.

Management information

Board members need access to appropriate management information (MI) to fulfil their obligations. This information should be clear, consistent, robust, timely and contain an appropriate level of technical detail to facilitate effective oversight and challenge.

MI can be generated and communicated in several ways. Firms may consider building on existing data and applying a resilience lens to areas such as business continuity, third-party risk management and cyber security. Still, new MI may also need to be developed.

It is also critical that the board has the relevant knowledge, skills and experience to use MI to provide constructive challenge to senior management and inform decisions that have consequences for the firm’s operational resilience.

Governance

The regulators want to see roles and responsibilities clearly articulated and effectively implemented, but they allow firms the flexibility to choose how to structure their operational resilience governance. This could mean repurposing existing committees and roles or establishing new ones.

If a firm has a chief operations senior management function (the SMF24 under the SM&CR regime), it would be expected to hold overall responsibility for reporting to the board and overseeing the implementation of operational resilience policies.

The SMF24 role encompasses responsibility for managing the internal operations, systems and technology, change management, information security and outsourcing of a firm. The SMF24 function may be shared or split among up to three individuals to accommodate different organisational structures.

Firms are also expected to have plans to ensure key responsibilities can be fulfilled should the SMF24 become unavailable. To help SMF24s discharge their responsibilities, they will need to engage closely with important business-service owners to implement and oversee the operational resilience programme.

Outsourcing and third-party risk management

Many firms choose to use third-party providers to support the delivery of important business services. When this happens, regulators are clear that firms cannot outsource their responsibility to remain within impact tolerances for their important business services. As a result, outsourcing should be a key agenda item for boards and senior management because it is an area of increasing regulatory scrutiny.

Ultimately, boards bear responsibility for overseeing the effective management of all risks to the firm, including those posed by third-party providers. This principle is enshrined in the SM&CR. Firms must nominate an SMF with specific responsibilities to oversee the institution’s regulatory obligations for outsourcing, covering the firm’s overall framework, policy and systems and controls relating to outsourcing.

The PRA has published new requirements for outsourcing and third-party risk management, effective from 31 March 2022, and boards again have a key role. Likewise, the FCA has stated that it will comply with the EBA outsourcing guidelines through its rulebook. Under the new outsourcing regulations, boards will be responsible for setting a firm’s control environment, defining appetite and tolerance levels regarding outsourcing, and the overall third-party risk management framework.

The PRA also requires that boards demonstrate that they have identified the firms’ dependencies on third-party providers of important business services and are aware of and have approved any material outsourcing arrangements. The FCA also has requirements for material outsourcing.

Boards should be aware that material outsourcing can occur throughout the business-service chain and should ensure this is managed appropriately. Additionally, firms are expected to notify the regulator before entering into or changing any material outsourcing arrangements.

Firms will need to ensure that there are appropriate and effective risk-management systems and strategies in place to manage their third-party providers from the board level down.

Outsourcing can take many forms, for example, using cloud service providers. The business benefits of cloud are well-recognised: the opportunity to improve innovation and resilience. However, it remains important to ensure risk is managed effectively throughout such processes.

Firms must also ensure that third-party providers are aware of relevant internal documentation, such as policies on outsourcing, information communications technology (ICT), information security and operational resilience.

While responsibility for compliance remains with the firm, sharing such policies and information is intended to help third-party service providers better understand and manage firm regulatory obligations.

Establishing a firm-wide, board-approved outsourcing policy is key to addressing these issues. This policy should be informed by other policies and strategies present within the institution and should be reviewed regularly.

Benefit realisation

Boards and senior management have three years to implement enhancement programmes and ensure appropriate resource and investment is in place to address vulnerabilities; they should act to maintain the momentum their firms have generated from developing their first self-assessments.

Boards should make sure they are armed with the resources needed to understand the programme, the firm’s operational health and the regulatory expectations. They should receive regular MI on operational resilience measures and third-party assessments. Company secretaries can have a key role in allocating adequate agenda time for operational resilience discussions, including reporting from executive-level committees.

Operational resilience is now a core board-level responsibility, reflecting the importance regulators have placed on it. Building the sophistication of a firm’s operational resilience is no simple task and will require focused and sustained collaboration between many different business areas. Boards should be aware of their responsibilities and ensure appropriate governance and reporting structures are in place to enable them in their roles and to realise the benefits that building a resilient business brings.

Promontory, a business unit of IBM Consulting, operates at the intersection of strategy, risk management, technology and regulation, advising on and implementing robust business and technology strategies for operational resilience. Find out more at promontory.com

Chris Redmond, Director, Operational Resilience and Cloud; David Chadwick, Analyst; Clara De Montfort, Analyst; Prashant Jobanputra, Managing Director; and Tony Boorman, Managing Director, Promontory Financial Group, a business unit of IBM Consulting