Resilience Re-Wire – Chapter 4: Building Operational Resilience: Impact Tolerances
The next and final paper I looked at in this series relates to the Financial Conduct Authority piece on building operational resilience: impact tolerances for important business services and feedback to discussion paper. I looked at this one last because I think it links the most closely to my role in business continuity… and it's 95 pages!
The next consultation closes on 1 October 2020 with comments to be sent via a form on the FCA website at: www.fca.org.uk/cp19-32-response-form
Much like the papers I posted on before, this document comes with a number of existing requirements which many may not have had of e.g. the regulatory technical standards on security and incident management from the EBA. I only intend to digest the paper in front of me and not cover the wider guidelines.
The paper also covers a lot of ground in terms of feedback summaries and justifications which I’m not going to cover in 1000-ish words. They also provide an in-depth cost-benefit analysis and generic examples of how different types of firms might be affected which can be useful to pick out which sounds more like your organisation.
Note: This paper also focuses entirely on financial services. It calls out banks, building societies etc. to be aware of the content. Although I do believe this change in regulatory focus will eventually set the tone beyond financial services. I would encourage any business continuity professional to take a look and try to digest what it might mean for their sector and organisation.
Proposals
The first paragraph in this section is quite consistent with the new requirements listed in the Bank of England consultation papers I looked at in my previous posts:
- Identify and map your important “business services” - meaning something that has a specific outcome or utility to an “identifiable participant” and not necessarily internal services like Payroll and HR in their own right. They are part of it, but this is broader.
Some people might look at this and think “This is BIA 2.0” which I certainly did. I think depending on the maturity and depth of your BIA you might be right but for others it might require some additional work to demonstrate why and how you picked the important business services. Paragraph 4.7 says as such by suggesting this could be complex, time-consuming, and disproportionately expensive. I would have one eye on resource requirements to achieve this during the expectation management discussions.
- Setting impact tolerances and testing them against “extreme but plausible” scenarios – again, this does not sound too far from a mature exercise and testing program for the seasoned business continuity practitioner. I devoted a paragraph to this in my previous post so I will pull straight from that:
Consider (and document) the rationale for which you are setting particular impact tolerances e.g. duration of outage, participants impacted, volumes of transactions affected etc. You will need to monitor the effectiveness and accuracy of these tolerances as well as how to monitor the movement of the business against them.
As business continuity professionals, we regularly document recovery time objectives (RTO) and try to test against them, so what is the different here? Paragraph 5.6 cites feedback from the industry for clarification on this. The response offered in return says we may be required to position our impact tolerances beyond the RTO in the interests of reducing harm to customers and market integrity, not just the business.
Again, paragraph 6.15 provides examples of scenarios firms could consider but I would argue that many of us have used most of them in their desktop and live exercises before. I think loss of people, premises, and technology is bread and butter for the business continuity professional. However, the FCA also suggest third party, disruption to market, and cyber-related scenarios, which some organisations might yet to have fully tested.
Following the usual best practice offered in the various GPG and ISO doctrine, the FCA also request a formal process for lessons learned and continuous improvement. I think regardless of the new upcoming regulations this is always a sign of a mature business continuity management system.
- Create a self-assessment document – like most self-assessment documents in any regulated space this will require a lot of content which can hopefully be pulled from existing places within the organisation. You will need to make sure you include the rationale and methodology for all of the below:
- Important business services
- Impact tolerances
- Identification and mapping of services
- Testing Strategy
- Vulnerabilities
- Lessons Learned
You will also need to understand how applying these requirements will support the aims of improving your operational resilience.
The regulators are not intending to periodically request self-assessments like they do in other areas but may wish to see this on request.
- Develop Internal and External Communication Plans – This shouldn’t cause too much change in one’s business continuity arrangements as a mature strategy should have tried and tested communications plans. Although I think recent events such as SIMEX 18 report from the Bank of England cites a greater need for inter-communication between other financial services in the market.
- Outsourcing and Third Party Service Provision – The FCA devote 5 pages to this section which basically touches on existing European and UK rules. I did a post prior to this on the PRA’s third party consultation paper which goes in to more detail in this space. I did however find the cross-sector survey results they summarised from 2017/18 quite interesting. Paragraph 8.7 cites that 15% of operational incidents reported to the FCA related to a third party issue. I imagine this will have increased and would like to see the 2020 stats when they drop.
Speak Now or Forever Hold Your Peace…
Annex A offers up 12 questions on the above content stating “Do you agree with what we documented for X? If not, why not?”
I’ll be honest, I’ve only just digested the content so I’ve no idea whether I agree or not. Also, this consultation process is the collective insight of 100s of professionals with years of experience, so I think I’m going to struggle to find too much to disagree with. Finally, if you are anything like me you will actually have to implement this before you truly spot the challenges much like when I did my first ISO 22301 certification.
I will say that based on this paper, an auditor or regulator will have to be pretty dynamic to view the variety of operational resilience flavours being built out there. The message I take from this paper is –heed what is coming, make a framework proportionate to your organisation, and develop your own approach.
As always, I’d love to hear the views of others so I can improve my own understanding. I’m now going to read the summaries of others to add more perspectives
More on
About the author
Luke Bird
Global Senior Risk Manager
Award-winning continuity & resilience professional working in financial services.
Global Board Director for the Business Continuity Institute.
Business Continuity Institute Scotland Chapter Committee Member.
*All opinions shared are mine and not those of the BCI board, which is a collective decision-making body.
