UK Operational Resilience - The looming deadline for UK financial firms

The spotlight is now firmly on the 31 March 2025 deadline for firms to ensure compliance to the Operational Resilience regime, a pivotal moment that will test the sector's preparedness to withstand severe operational disruptions.

The financial landscape is increasingly complex and interconnected, making it vulnerable to a myriad of disruptions, from cyberattacks and technological failures to pandemics and geopolitical crises. In response, UK regulators – Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (‘the Bank’), collectively “the supervisory authorities” – have introduced this robust operational resilience regime.

The Role of Third-Party Providers: A Critical Link in the Chain

In today's interconnected financial ecosystem, third-party providers are crucial in delivering essential services. This reliance introduces significant risk, as disruptions to these providers can have cascading effects on the entire financial system. Consequently, firms must extend their operational resilience frameworks to encompass their critical third-party (CTP) providers.

Once designated by HM Treasury (HMT) and the regulators, CTPs will be required to conduct an initial self-assessment within three months and annually thereafter. This assessment will provide regulators with an overview of the CTP's operational resilience and risk management practices. In November 2024, the regulators published a final policy statement on the CTP framework, which is an integral part of the UK Operational Resilience Regime. This framework focuses on the resilience of third-party service providers that are critical to the operations of financial institutions.

Furthermore, the PRA has recently published CP17/24, which aims to enhance the Operational Resilience of PRA-regulated firms. To support the identification of CTPs and of potential points of critical failure, the PRA needs to collect adequate data on firms’ outsourcing activities and material third-party arrangements.

The proposed policy outlined in CP17/24 would allow the PRA to collect good quality, consistent data focusing on operational incidents and third-party arrangements which pose the most risk to firms and the financial sector, by:

  1. Prioritising significant risks: set clear requirements for firms to report operational incidents and third-party arrangements that threaten their safety, soundness, and resilience.
  2. Standardised reporting: implement standardised reporting to enhance information quality and comparability, helping the PRA manage risks and dependencies in the financial sector.

Unlike the EU's Digital Operational Resilience Act (DORA), the UK regime places a greater emphasis on the resilience of critical third-party service providers. Additionally, the UK regime has a more flexible approach to the implementation of resilience measures, allowing firms to tailor their strategies to their specific circumstances.

Operational Resilience Regime recap

Governance, Culture, and Ongoing Improvement: Embedding Resilience

Operational Resilience is not a one-off project; it requires ongoing commitment and continuous improvement. Effective governance is essential to ensure that operational resilience is embedded within the firm's culture and decision-making processes. This includes establishing clear roles and responsibilities, providing regular training and awareness programs, and conducting periodic reviews of the operational resilience framework.

Firms must also foster a culture of resilience, where employees are empowered to identify and report potential vulnerabilities. This requires open communication, collaboration, and a willingness to learn from past experiences.

The Foundation: Identifying Important Business Services and Setting Impact Tolerances

At the heart of the regime lies the requirement for firms to identify their important business services (IBS). These are the services that, if disrupted, could cause intolerable harm to consumers or pose a risk to the stability of the financial system. This exercise necessitates a deep understanding of a firm's operations and its critical dependencies.

Once these services are identified, firms must establish impact tolerances. These tolerances define the maximum acceptable level of disruption for each service, measured in terms of duration, severity, and other relevant metrics. Setting realistic and measurable tolerances is crucial. They must reflect the potential harm to consumers and the market, rather than simply the firm's own internal capabilities.

Mapping, Scenario Testing, and Vulnerability Remediation: The Backbone of Resilience

The next phase involves mapping the resources – people, technology, facilities, and third-party providers – that support the delivery of IBSs. This mapping exercise must be comprehensive and granular, revealing the intricate web of dependencies that underpin a firm's operations.

Scenario testing is then conducted to simulate severe but plausible disruptions. These tests are designed to assess the firm's ability to remain within its impact tolerances under stress. This is not just a theoretical exercise; it requires firms to test their contingency plans, identify weaknesses, and refine their responses. The scenarios should be diverse, encompassing a range of potential threats, including cyberattacks, technology failures, and external events.

Identifying vulnerabilities is a critical output of the mapping and scenario testing. These vulnerabilities represent weaknesses in the firm's operational resilience framework. Once identified, firms must develop and implement remediation plans to address these weaknesses. This could involve investing in new technology, strengthening cybersecurity measures, or enhancing business continuity plans.

The Regulatory Landscape and the Road Ahead

The 31 March 2025 deadline is not the end of the journey. Rather, it marks the beginning of a new phase of regulatory scrutiny. Regulators will be closely monitoring firms' progress and will likely increase their focus on supervision and enforcement. Firms that fail to demonstrate adequate operational resilience may face regulatory sanctions, including fines and other enforcement actions.

The UK Operational Resilience regime is a significant undertaking, requiring firms to invest substantial resources and effort. However, the benefits of a more resilient financial system are clear: by strengthening their operational resilience, firms can protect consumers, maintain market stability, and enhance their own long-term sustainability.

What happens next?

In conclusion, the 31 March 2025 deadline marks a pivotal milestone for the UK financial sector. It signifies a transition from planning to implementation, and from theory to practice. Firms that adopt the principles of operational resilience and invest in robust frameworks will be better equipped to navigate future challenges and contribute to a more resilient financial system. Following the deadline, the emphasis will be on demonstrating that firms can maintain their impact tolerances during real-world events.
