The deadline for operational resilience measures mandated by the UK financial regulator, the FCA, is imminent.

From the end of March, financial services firms must demonstrate they have a grip on operational risk in core services. The rules are wide-ranging, covering risks to customers, market integrity and financial sustainability.

Operational risks

In fact, risks that could impact organisations are fast moving. The change to home-working during the pandemic is just one example.

“Staff working remotely are at risk of severe disruption if the internet or power supply drops,” Andrew Lawton, CEO of Reskube, told the magazine Finextra. For example, the disruption caused by Storm Eunice and the potential impact the war in Ukraine could have on energy supplies show that operational risk needs to be at the heart of firms’ risk management strategies.

“Firms must map the people, systems, and services that underpin important business services (including any third party suppliers on which firms rely for the performance of important business services),” said Rachel Kent at the law firm Hogan Lovells.

They must also undertake regular scenario testing to make sure that the impact of any events remains within expected tolerance levels. “They should also conduct ‘lessons learned’ exercises following any tests to understand the changes that need to be made in order to improve their ability to remain within impact tolerances,” she said.

In addition, third parties that provide services need to demonstrate operational resilience.

Board ownership

“The board must play a leading role in operational resilience,” Dan Thompson, Consulting Director at Xpedition, told the Director of Finance magazine. “Implementing a sound approach to operational resilience, backed up by proven outcomes and capabilities, is key to supporting the board in this endeavour.”

In fact, boards must be backed by good quality reporting so that they can ask the right questions.

In March 2021, both the PRA and the FCA set out the rules on operational resilience: PRA SS1/21 and FCA PS21/3.

IRM’s partner organisation, the Institute of Operational Risk, provides sound practice guides that cover all aspects of operational resilience.