Resilience Re-Wire – Chapter 2: The Bank of England Consultation Papers
In this "Resilience Re-Wire" series, BCI Global Board member Luke Bird, FBCI, shares his initial thoughts on the Financial Services Operational Resilience Papers published in December 2019.
Newsflash – If you want to comment on this round of papers, the consultation closes on Friday 3 April 2020. The Bank invites feedback on the proposals set out in this consultation, and any comments or enquiries should go to [email protected] . The proposed implementation date for the proposals is Q4 2021.
A large section of the wording used in all three papers is consistent and conveys a very similar message, which I’ve tried to summarise in this post. It’s important (well, it was for me) to understand the types of organisations being targeted, so I went straight to the BoE and FCA websites in search of some detail.
General Themes – Across all three papers
Bigger and Broader Picture and a Change in Risk Perspective
The first thing that caught my attention was the required change in my focus. During the vast majority of my practitioner days so far, I’m ashamed to admit, I have almost exclusively focused on internal business critical processes, but these consultation papers and soon-to-be regulations kind of force you to consider what’s important to the UK Financial System and not just individual systems and resources. I don’t know about anyone else, but this has been an afterthought for me in a number of frameworks I’ve introduced. Better late than never!
The other part of my re-wiring here is the way the scenarios and impacts to be considered are "extreme but plausible", with the assumption that the disruption "has crystallised", rather than focusing on the likelihood and impact of op risks occurring. I can already imagine saying to clients repeatedly "but it has happened, let’s just view it from that" after they tell me that it would never happen!
Process and Dependency Mapping
Business continuity professionals may also need to re-wire their brains here slightly. The papers advise that, when identifying and mapping business services, these should provide a specific outcome or utility to an “identifiable participant”, and not necessarily internal services like Payroll and HR in their own right.
Those departments may become part of the chain for an outward facing “business service” but are not the focus. This suggestion isn’t to replace the identification of business critical functions but rather to exercise a broader view. To help identify a business service worth looking at, this paper suggests you consider each service for its market share, customer base, risk profile, substitutability (never used that word before) or regulatory driven activity. I thought that was a pretty helpful reminder. The paper also suggests mapping the dependencies to these services, such as the usual people, processes, technology, facilities, information and outsource providers required for its delivery. This may present an opportunity to identify vulnerabilities. This feels like bread and butter Business Continuity to me, so I would assume that a lot of the analysis has already been done and it’s just a case of reframing it?
The exam question here for identifying a “business service” seems to be - Would a prolonged disruption of this service significantly disrupt the orderly functioning of the market?
Testing, Monitoring and Reporting
A scientific approach here. This paper suggests you should consider (and document) the rationale for which you are setting particular impact tolerances, e.g. duration of outage, participants impacted, volumes of transactions affected, etc. Just like with risk controls, you will need to monitor the effectiveness and accuracy of these tolerances, as well as how to monitor the movement of the business against them. How will you provide assurance to yourself and anyone else that you will be able to remain within these tolerances? These papers suggest you should develop a testing plan that provides this level of assurance. This sounds like a lot of analysis. When considering all of the component parts to a “service”, how on earth do you do that without additional resource and support? I foresee a resourcing issue hidden within this section!
The papers also suggest assessing the impact of a delayed service, or of reduced resources to achieve the service. You should also set out scenarios for going over those tolerances. You need to provide an explanation where it’s unclear whether you can stay within your defined tolerances, or where they cannot be met. The reasons why should be prioritised, starting with the most critical business services, for remediation.
I take from this section that some re-work on analysis is required and depending on the size and complexity of the task this might be resource intensive for a short time.
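To make the "impact tolerance" analysis above concrete, here is an added worked example in Python. It is not code from the papers or from the author: the service names, tolerance values, rationales and scenarios are constructed for illustration. It models a few important business services, each with documented impact tolerances across the three dimensions the papers mention (outage duration, participants impacted, transaction volume), assumes each "extreme but plausible" scenario has crystallised, and classifies the outcome as within tolerance, unclear (close to the limit, so needing an explanation) or breached. The output is a remediation list ordered by service criticality, which is the prioritisation the section asks for.

```python
from dataclasses import dataclass, field

# Any result within this fraction of a tolerance limit is reported as "unclear"
# rather than "within", mirroring the papers' ask to explain borderline cases.
UNCLEAR_MARGIN = 0.10


@dataclass
class ImpactTolerance:
    """Maximum tolerable impact for an important business service (constructed values)."""
    max_outage_hours: float
    max_participants_affected: int
    max_transactions_affected: int


@dataclass
class Scenario:
    """An 'extreme but plausible' disruption, assumed to have already crystallised."""
    name: str
    outage_hours: float
    participants_affected: int
    transactions_affected: int


@dataclass
class BusinessService:
    name: str
    criticality: int                 # 1 = most critical; drives remediation order
    tolerance: ImpactTolerance
    rationale: str                   # documented reason for the tolerance
    scenarios: list = field(default_factory=list)


def assess(value, limit):
    """Classify one impact dimension against its tolerance limit."""
    if value > limit:
        return "breached"
    if value >= limit * (1 - UNCLEAR_MARGIN):
        return "unclear"
    return "within"


def assess_scenario(service, scenario):
    """Return (overall verdict, per-dimension detail) for a scenario against a service."""
    t = service.tolerance
    detail = {
        "duration": assess(scenario.outage_hours, t.max_outage_hours),
        "participants": assess(scenario.participants_affected, t.max_participants_affected),
        "transactions": assess(scenario.transactions_affected, t.max_transactions_affected),
    }
    if "breached" in detail.values():
        return "breached", detail
    if "unclear" in detail.values():
        return "unclear", detail
    return "within", detail


def remediation_list(services):
    """Scenarios that breach or are unclear, most critical service and worst verdict first."""
    findings = []
    for svc in services:
        for sc in svc.scenarios:
            overall, detail = assess_scenario(svc, sc)
            if overall != "within":
                severity = 0 if overall == "breached" else 1
                findings.append((svc.criticality, severity, svc.name, sc.name, overall, detail))
    findings.sort(key=lambda f: (f[0], f[1], f[2], f[3]))
    return [(f[2], f[3], f[4], f[5]) for f in findings]


# Constructed sample data: hypothetical services, tolerances and scenarios.
SERVICES = [
    BusinessService(
        name="Interbank payments", criticality=1,
        tolerance=ImpactTolerance(max_outage_hours=2, max_participants_affected=5,
                                  max_transactions_affected=10_000),
        rationale="Constructed: settlement deadlines mean a longer outage would disrupt the market",
        scenarios=[
            Scenario("Primary data centre loss", 4, 20, 50_000),
            Scenario("Single participant connectivity failure", 1, 1, 800),
        ],
    ),
    BusinessService(
        name="Tokenisation", criticality=2,
        tolerance=ImpactTolerance(max_outage_hours=8, max_participants_affected=50,
                                  max_transactions_affected=100_000),
        rationale="Constructed: degraded service is tolerable for one working day",
        scenarios=[Scenario("Key management service outage", 7.5, 30, 60_000)],
    ),
]

if __name__ == "__main__":
    for service_name, scenario_name, verdict, detail in remediation_list(SERVICES):
        print(f"{service_name}: {scenario_name} -> {verdict} {detail}")
```

Run as a script, it lists the data centre loss scenario first (the most critical service, with a clear breach on every dimension) and the key management outage second, flagged as unclear because the 7.5 hour outage sits just inside the 8 hour tolerance. The single participant failure stays within tolerance and does not appear, which is the point of the exercise: the testing plan only has to explain and remediate where tolerances are breached or in doubt.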
General Documentation Summary
I think the previous content pretty much implies what you'd need to document, but in summary you need to document:
- Important Business Services
- Impact Tolerances
- Process and dependency mapping
- Test, monitor and report - communications planning
The governance of this documentation and processes should follow the same kind of model you'd expect to see in most places: sub-committees, board sponsorship, reporting metrics, audit and maturity plan etc.
Other Points of Note
Each of the papers provides some further detail to their focused area:
Central Counterparties - For me, the draft Supervisory Statement on Operational Resilience just seems to cover what’s already in the earlier pages. It re-covers definitions and concepts, although section 3.12 provides a non-exhaustive list of example risks, which I also believe serves as a list of starter-for-ten scenarios when you get to that phase.
Recognised Payment System Operators and Specified Service Providers – This includes the recommendation to add an Operational Resilience part to the already existing "Code of Practice for payment system and specified system providers", a draft of which is appended to the document. The only difference I can see is the list of examples for the operational activities under a business service, which is obviously specific to payment systems and services, e.g. tokenisation, interbank payments, etc. It also calls out the need for the designated body with responsibility for risk management to approve the business services, impact tolerances, test plans and risk mitigation identified by the provider.
Central Securities Depositories – Again, for me the draft Supervisory Statement on Operational Resilience just seems to cover what’s already in the earlier pages. The only difference I can see is the list of examples for the operational activities under a business service, which is obviously specific to CSDs, e.g. issuance and settlements etc.
You folks might interpret the content differently, but this is one of a handful of papers I wanted to get across. I hope you found it useful!
Next we move on to the PRA - Outsourcing and third-party risk management!
About the author
Vice President - Business Continuity and Disaster Recovery
Award-winning continuity & resilience professional working in financial services.
Global Board Director for the Business Continuity Institute.
Business Continuity Institute Scotland Chapter Committee Member.
*All opinions shared are mine and not those of the BCI board, which is a collective decision-making body.