As we last reported in our - Building Operational Resilience across the Financial Services Industry in 2021 and Beyond, The Bank of England (BoE), the Basel Committee on Banking Supervision (BCBS), and the Federal Reserve Board (FRB) have issued significant guidance related to Operational Resilience (OR) over the last several years.[1] The COVID-19 pandemic has served to expand the regulatory lens focusing on resiliency frameworks and readiness.
In the United States, the Board of Governors of the Federal Reserve System released SR 20-24 in November 2020, an interagency paper on Sound Practices to Strengthen Operational Resilience guidance.[2] In the UK, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA), and Bank of England have been evaluating and assessing feedback received from industry participants on the proposed 2019 changes to the operational resilience guidelines. The final rule and guidance released in March 2021 incorporated the industry feedback, with the final rule clarifying how operational resilience policies intersect with governance, operational risk management, business continuity planning, and management of outsourced services.
The UK regulatory authorities jointly emphasized the need to identify important business services and the impacts of a service disruption on the firm and its external stakeholders. Once in force on March 31st, 2022, covered financial institutions and financial markets infrastructures (FMIs) will need disruption impact tolerances and operational resilience scenario test processes. By March 2025, firms will need to complete the detailed mapping and scenario testing, validate their risk tolerances and show an ability to continue to deliver essential services within those tolerances throughout a disruption.
Figure 1: Operational Resiliency – Emerging Regulatory Timelines
The lack of prescriptive guidance on how financial firms and FMIs should approach the March 2022 requirements places the burden of important business service identification and determination of impact tolerances on the covered institution. For guidance, firms may want to refer to the Financial Stability Boards (FSB) Identification of Critical Functions and Critical Shared Services in 2013.[3] This guidance provides a taxonomy on recovery and resolution planning that firms may find useful in defining their operational risk profiles and assessing the risk of an operation or service.
Firms also need to recognize that operational resilience is not static. It will evolve with changes to the business and operating models. Mapping and scenario testing need to be subject to regular evaluations. These processes and evaluations require sufficient resources, oversight, and governance. To satisfy both US and UK regulatory guidance, senior leadership will need to determine if operational resilience fits within current risk governance policies and frameworks.
Monticello Consulting Group (MCG) believes that the first step to achieving operational resilience is identifying important business services and assessing the sources and risks of disruption. The incorporation of operational resilience into an annual risk control self-assessment ensures that OR and related tolerances align with the size, complexity, and risk appetite of firm. Moreover, it provides a framework for regular review and modification to align with changes in the business and operating models.
Firms would be wise to begin assessments of resilience risks, operational risk resilience tolerances, and potential mitigation plans well in advance of the 2025 deadline. Credible assessments will cover the full scope of legal entities, lines of business, jurisdictions, technical and support infrastructures.
Monticello Consulting Group has experience advising clients in scoping regulatory compliance obligations and in designing OR frameworks. Monticello will partner with client’s stakeholders to review the current state of governance materials and make recommendations tailored to firm’s OR requirements. MCG Accelerators, developed through extensive engagement work, increase efficiency, reduce time and cost while being adapted to your institution’s scope and requirements.
About Monticello
Monticello Consulting Group is a management consulting firm supporting the financial services industry through deep knowledge and expertise in digital transformation, change management, and financial services advisory. Our understanding of the competitive forces reshaping business models in capital markets, lending, payments, and digital banking are proven enablers that help our clients remain in compliance with regulations, innovate to be more competitive, and gain market share in new and existing businesses. By leveraging our Operational Resilience Center of Excellence and Change Management Practice, Monticello will manage a shift in culture and mindset within your business to one where resilience takes center stage.
Sources
[1] Building Operational Resilience across the Financial Services Industry in 2021 and Beyond
[2] SR 20-24: Interagency Paper on Sound Practices to Strengthen Operational Resilience