Operational Resilience: Act Now not Later

 

Operational Resilience is the ability of an organisation to prevent, adapt, respond, recover, and learn from operational disruptions that could affect its performance, customers, or stakeholders. It involves identifying and protecting the most important business services, setting impact tolerances, testing scenarios, addressing vulnerabilities, and implementing action plans.

Overall, operational resilience is important for ensuring customer trust, market integrity, business continuity, and regulatory compliance.

At the moment, there is just over a year left until the 31st March 2025 Operational Resilience deadline. No later than that date, firms must have performed mapping and testing to ensure that they can remain within their impact tolerances for each important business service. Furthermore, firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.

Industry Observations

A common theme amongst firms in scope of the Operational Resilience rules has been a general mobilisation of effort towards meeting the requirements and making the necessary changes.

This is a positive development, showing that firms are implementing the interventions needed to address the problems identified and reduce harm. Addressing the market failures outlined by the FCA, which include negative externalities, distorted incentives and imperfect information, is crucial. These steps will lead to an overall mitigation of harm to consumers, market participants and the integrity of the UK financial system.

Operational Resilience Audit

Due to the upcoming regulatory deadline in March 2025, there has been an increase in demand for Operational Resilience Audits. Firms wanting to ensure compliance with the regulatory requirements actively seek to assess the effectiveness of their Operational Resilience arrangements, which include the measures and actions taken to prevent, adapt, respond, recover and learn from operational disruptions.

An Operational Resilience Audit can be conducted as a standalone review or as part of a broader audit framework that covers various aspects of Operational Resilience, such as IT and cyber security, supply chain management, business continuity, disaster recovery, and operational risk management.

Fines and Non-Compliance

The most notable fine issued by the FCA to date for operational resilience failings was a penalty of £29,750,000 issued to TSB Bank plc. Combined with an £18,900,000 fine by the Prudential Regulation Authority (PRA), the total penalty for TSB’s failings was £48,650,000. The fine was issued as a result of operational risk management and governance failures, including management of outsourcing risks, relating to the bank’s IT upgrade programme.

Following that fine to TSB, the PRA fined Mr Carlos Abarca, the former Chief Information Officer (CIO) of TSB Bank plc (TSB), £81,620 for breaching PRA Senior Manager Conduct Rule 2, as he failed to take reasonable steps to ensure that TSB adequately managed and appropriately supervised its outsourcing arrangement in relation to its 2018 IT migration programme.

The crucial message to take on board is that firms are expected to manage their operational resilience as well as their financial resilience.

FCA 2024 priorities

Amongst the key activities that the FCA will kick off, as laid out in the FCA’s Business Plan 2023/24, are assessing how operationally resilient firms are in remaining within their impact tolerances and making it clearer to firms how they should report operational incidents to the FCA, including what, when and how they should be reporting.

It is evident that the FCA is scaling up its efforts to deal with firms that cannot meet the new standards on operational resilience, and is making it clearer to firms how they should report incidents to the FCA. The FCA is also developing new rules to address the systemic risk that critical third parties present to firms and markets.

Fast Approaching Deadline

Ahead of 31st March 2025, firms are expected to use the time leading up to the deadline proactively, to show that they can remain within their impact tolerances. This applies to both authorised firms and newly authorised firms.

Firms should not wait until the end of this transitional period to be able to remain within their impact tolerances, but should rather remain within them as soon as reasonably practicable.

It is important to note that the 3-year period is a hard deadline and that any firm that is not making a reasonable effort to remain within its impact tolerances during this 3-year period would be in breach of the FCA rules.

How Complyport can help

Complyport is uniquely positioned to provide guidance and support, in the form of Operational Resilience Audits, to firms that fall under these regulatory obligations. We understand that it can be challenging to assess whether your current position aligns with compliance requirements, or how best to navigate the rules and guidance for meeting these obligations in the future.

Where an organisation’s senior executive management is seeking support to understand the dimensions of operational resilience within the financial services sector, we can offer bespoke training through our associated and accredited training academy, the LGCA.

Broadly speaking, our accomplished team is equipped to deliver customised support that paves the way for firms to achieve full compliance with their Operational Resilience obligations through targeted project initiatives.

Complete the form below to book a free consultation.

About Complyport

Complyport is a market-leading consulting firm supporting the UK financial services industry for over 22 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport can assist with the preparation of a gap analysis and impact assessment of an investment firm’s capital adequacy and risk management framework under the regulatory framework.

We specialise in supporting the UK financial services industry with compliance guidance, advice and best practice.

  • Operational resilience & Cybersecurity advice
  • Financial Crime Risk and Compliance support
  • Compliance managed services and resourcing compliance personnel
  • Skilled Person Reviews and Regulatory Investigation
  • Prudential support, IFPR, ICARA and financial resilience advice
  • Consumer Duty implementation advice
  • Financial Promotions guidance, support, and management software solutions
  • CASS advice and protections of client assets
  • Comprehensive compliance work-flow management software
