Six months after the UK operational resilience rules started to apply, Sumit Indwar hosted a panel on the growing importance of operational resilience at GBRR Live: London 2022.
In the lead-up to the operational resilience rules taking effect earlier this year, UK banks and other financial institutions set impact tolerances for all their important business services. They also drew up documents evidencing how they comply with the new regime. Now the focus has switched to building out the sophistication of mapping and scenario testing, so that vulnerabilities can be addressed before the March 2025 deadline requiring firms to remain within impact tolerance levels in the event of severe but plausible disruption.
Other significant developments have included the PRA’s introduction of new guidance on outsourcing and third party risk management (SS2/21). These guidelines, together with the operational resilience regime, have given the industry a push to consider resiliency across supply chains. This was being done to some extent already, but regulatory change has driven the timeframe and resource levels.
As we have discussed on our operational resilience podcast, a significant headache for many firms is the challenge of implementing a global resilience strategy in a way which is compliant with local regimes. Several jurisdictions are developing their own rules aimed at building the operational resilience of the financial sector. For example, the EU’s Digital Operational Resilience Act, or DORA, is about to be made law and is expected to start applying in late 2024.
As well as discussing DORA’s direct impact on financial entities, the panel also covered how it will be used to allow EU financial authorities to directly oversee critical ICT third-party service providers. The UK is exploring its own approach to supervising unregulated critical third parties. This marks a big change for financial firms, which have previously acted as the middlemen between regulators and their suppliers. There are hopes that this will mitigate concentration risk across the sector, but concerns about the commercial and competition implications remain.
As we look ahead, the hope is that customers' money and investments will be safer while the financial services industry may find it easier to procure services. This is not a regulatory change project with an end-date but rather an ongoing exercise to ensure end-to-end delivery of business services which can withstand operational disruption.