In December 2019, the FCA issued 'CP19/32: Building Operational Resilience', which proposed changes to the way that firms approach Operational Resilience. The FCA originally requested firms to provide comments and responses by 3 April 2020; however, due to the Covid-19 crisis, the deadline for responding has been extended to 1 October 2020. In the meantime, the FCA will be focused on understanding how firms' systems and controls have held up in meeting the challenges of this pandemic and in facilitating business as usual with minimal disruption for clients and consumers. The FCA will be seeking to learn lessons from the crisis and will be expecting firms to do the same. Indeed, conducting a 'lessons learned exercise', in which firms consider their operational resilience in certain scenarios, was one of the key proposals set out in CP19/32.
So what lessons might firms have learnt as a result of Covid-19?
1. Important Business Services
The first priority the FCA set out was that firms identify the important business services that need to be prioritised, with regard to: 1) the interests of clients/consumers, 2) the impact on the firm itself, and 3) the impact of the failure of important business services on the UK financial system. As such, firms are expected to have identified their most critical services based upon these criteria. Firms should also evaluate whether their initial prioritisation of important services was correct. Given the duration of the crisis, firms should now be armed with feedback from clients (which has undoubtedly been overwhelming), guidance issued by the FCA and, most importantly, the experiences of individuals within the firm itself. Off the back of this self-evaluation, firms should consider whether to re-prioritise going forward.
2. Impact Tolerances
The FCA proposed that firms should set their impact tolerances at the first point at which disruption to an important business service would cause intolerable levels of harm to clients/consumers or market integrity. There is no doubt that Covid-19 will have tested these tolerances and probably exceeded many, if not all, of them. In fact, most firms would not have accounted for a global pandemic in their Operational Resilience stress-testing. That said, from our engagement with firms throughout this crisis, the common feedback is that they have coped and adapted well. Firms have, at speed, adapted their ways of working and spent heavily on infrastructure to enable continuity of process and continuity of workforce outputs. In light of these changes and the lessons learnt, firms should look to revisit these tolerances.
For firms who have not set their impact tolerances (there is not currently a requirement to have done so), the lessons being learnt through Covid will be valuable when these are first drafted and become compulsory through future regulation.
3. Mapping
Firms will be expected to identify and document the resources (people, processes, technology, facilities and information) necessary to deliver each Important Business Service, to ensure it can remain within the impact tolerance the firm has set. Again, through their Covid-19 response, firms may have identified that additional technology or people are required to maintain Important Services or, conversely, that the service can operate without all the resources previously identified. For firms that have not previously mapped Important Business Services, through operationalising teams during lockdown, you will have conducted a similar exercise to what the regulator proposed in the CP. This should be captured and will prove valuable when the regulations come into force and it becomes necessary to demonstrate compliance with Operational Resilience requirements in full.
Firms are also expected to consider their outsourcing and third-party service providers when undertaking mapping exercises. The FCA expects an operationally resilient firm to have a comprehensive understanding and a detailed mapping document of the resources that support its business services. This includes those outsourced and third-party services over which the firm may not have direct control. Where firms have outsourced arrangements, they should be in close communication with those suppliers to understand how these services have responded during a time of stress, whether service levels have been maintained and what lessons can be learnt. Firms should also consider the expectations of the Prudential Regulation Authority (PRA) as set out in 'CP30/19: Outsourcing and Third Party Risk Management'.
The FCA also expects firms to carry out scenario testing to assess their ability to remain within their Impact Tolerances in respect of each Important Business Service in the event of a severe but plausible disruption of their operations. Firms therefore need to capture the impact Covid-19 has had on their systems and controls for use in future scenario testing.
4. Communications, governance and self-assessment
The importance of fast and effective communications in mitigating harm at times of operational disruption has been brought to the fore through this crisis. One of the real challenges for some firms in response to Covid-19 has been how to communicate with clients who are vulnerable or may not be able to communicate online, particularly where these clients were not identified in advance. How your firm has adapted to reach these customers during these times is a valuable consideration to take forward into future planning, as is ensuring your customer records enable you to communicate effectively with your most vulnerable customers.
Finally, CP19/32 highlights that good governance is critical in setting effective standards for Operational Resilience. It is the governance framework and the engagement of Senior Management that will ensure that valuable lessons are learned from this unprecedented period. Only through the capture of MI and analysis of the impact on business operations caused by the pandemic will firms be able to fully assess Operational Resilience in a meaningful and applied manner and be in an informed position to make the decisions necessary to be better prepared for any future crisis.
To reiterate, not many firms will have envisaged or prepared for an event such as Covid-19, but it has happened and is now a credible threat in the future. Firms will have learnt vast amounts about their operational resilience and will have made changes to their business as a result of this crisis, which will leave them on a surer footing to cope with events in the future. We urge you to ensure that you capture the lessons from this period, including the actions you took and the impact or mitigating benefits these had. Track your decisions, analyse what you did, be honest about what your firm could have done better and hopefully you can emerge from recent events with an operationally more resilient business.