Your Operational Resilience Self-Assessment. The Deadline Approaches…
As the 3-year implementation to meet the operational resilience regulation draws to a close and the 1 March 2025 deadline approaches rapidly, how comfortable are you to get board approval and submit to the regulators?
Key things to think about
This requirement aims to ensure that financial institutions can withstand, adapt to, and recover from severe but plausible disruptions. By now, your firm will have identified which services are designated as “important” and set impact tolerances based upon your understanding of how disruptions impact your clients, your firm’s safety and soundness and the market in which you participate. Your firm will have mapped these services, identified and assessed operational resilience vulnerabilities and taken steps to remediate. You will have thought long-and-hard about what-could-go-wrong, identified those severe but plausible disaster scenarios, stress-tested your firm’s resilience to these scenarios, and probably found more resilience vulnerabilities to remediate. This is the last mile in an epic journey of hardening your business, with just the write-up to go (the Self Assessment). So what is left to think about?
The Self Assessment
Sure, the self-assessment needs to demonstrate compliance with the PRA rulebook and/or FCA handbook and be completed, board-approved and delivered on time. But the narrative is also important. The self-assessment should concisely and coherently explain the ‘what-and-why’ behind your resilience programme.
- Why did you structure your business services the way you did?
- Why did you designate some-and-not-other business services to be ‘important’?
- How did you set impact tolerances?
- Why are you confident that you have identified vulnerabilities and thoroughly stress-tested your resilience?
- Is your board fully bought-in to meeting resilience targets and making sure they are reached?
- Does your board really understand what they are being asked to endorse and the consequences of over-promising and under-delivering?
RocketFin Consultants have been neck-deep in operational resilience policy from inception: from responding to regulators’ consultation papers, to implementing operational resilience programmes for the most critical (and closely scrutinised) of UK firms, to preparing annual self-assessments. We know and shaped what ‘good’ looks like as we’re part of the journey, working with key market bodies like UK Finance’s Operational Resilience Committee and as contributors to ORCG initiatives. Whether you are interested in expert review of your self-assessment or are looking for someone to weave together the threads of your operational resilience programme into a coherent, best practice self-assessment, we’re here to help.
Key message from RocketFin: if you haven’t already, you should start the self-assessment process now. Operational Resilience cuts across many areas, including product, technology, HR, operations, risk, cyber, projects & programmes, network and supplier management. They all need to buy into your narrative and the board needs to know that they stand behind your self-assessment of the firm’s resilience.
Regulator’s Guidance
The regulators have provided feedback during the 3-year implementation period on what they have seen so far. Key trends that firms should be mindful of:
- Soft-balling. Regulators are concerned that firms are not truly embracing the concept of ‘severe-but-plausible’ and instead are re-hashing well-trodden business continuity tests, or re-running the same IT disaster recovery test under the same parameters and assumptions. If you are re-testing the same loss-of-office disaster scenarios that (post-COVID) present little challenge and threat, you aren’t going far enough. A simple test – have you stress-tested your firm’s ability to recover within impact tolerance from a severe cyber attack (ransomware, for example)? Have you stress-tested your firm’s resilience to a critical supplier, or an FMI disruption? If you have, you are probably in the right place. If you haven’t, you should ask yourself whether you have calibrated the severity of your disaster scenarios in line with regulator expectations.
- Scratching the surface. Regulators are concerned to see that firms look under the covers of a business service to identify resilience risks. This doesn’t necessarily mean identifying and risk-assessing every cable in the data-centre, but firms need to go beyond simply identifying IT services and/or suppliers to examine how disruption can occur, how it can be prevented and how to recover should disruption occur.
- Resilience monitoring and KRIs. Firms are awash with operational resilience-related data. The trick is to use data you have to identify key resilience risk indicators so your firm’s executive knows how resilient you are today, where the vulnerabilities lie, what you are doing about it, whether your firm is trending upwards towards a more resilient future or sliding backwards and what steps your board is taking in response.
Why RocketFin?
RocketFin is here to support your journey towards operational resilience excellence. Our team of experienced consultants specialises in guiding financial institutions through the complexities of the SS1/21 directive. We offer tailored solutions to help you conduct rigorous scenario testing, create comprehensive digital process maps, and develop effective KRIs. With RocketFin by your side, you can confidently navigate the self-assessment process, strengthen your operational resilience, and meet regulatory requirements well ahead of the 2025 deadline. Don't leave your operational resilience to chance – partner with RocketFin to ensure your bank is prepared for whatever challenges the future may bring. Contact us today at to transform your resilience strategy from a necessity into a competitive advantage.
David has 20+ years of experience in leading exchange and trading operations and has held various senior roles in consultancy firms, specialising in Operational Resilience. David was instrumental in delivering the SIMEX22 market-wide exercise and most recently led the ORYX market-wide operational resilience exercise with UK Finance.