Operational resilience: what is SS1/21 and how can firms ...

The 31st March 2022 marked the day that new operational resilience rules (SS1/21) came into force for financial services within the UK.

The 31st March 2022 marked the day that the UK’s new operational resilience rules (SS1/21) came into force, and the start of a three-year transition period for financial services.

In March 2021, the UK’s Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) issued Operational Resilience: Impact Tolerances for Important Business (SS1/21) alongside Supervisory Statement (SS2/21). The new rules presented by these statements require financial services firms to set out plans for “severe but plausible risks” for events and activities connected to important business services.

The new rules are effective as of 31 March 2022 and it has been made clear that firms are not expected to have performed the full mapping and testing exercises by this date. There is, however, the regulatory expectation that firms will present a plan setting out how they will remain within their impact tolerances by 31 March 2025.

Following the Covid-19 pandemic, businesses have been forced to consider operational strategies for black swan events. The idea of stability and ‘BAU’ has, over the past few years, been called into question – operational resilience and planning is more important than ever. But what do these new rules entail, and what are firms expected to do to meet regulatory obligations?

What is operational resilience for the purpose of SS1/21?

Operational resilience is a commonly used term within financial services – commonly used but not so frequently defined. For SS1/21, operational resilience “refers to the ability of firms, their groups, and the financial sector as a whole to prevent, adapt to, respond to, recover from and learn from operational disruptions”. For the PRA, its understanding of operational resilience is rooted in the assumption that “from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period”.

Who does SS1/21 apply to?

The policies apply to financial institutions that fall within the remit of the three regulating authorities – the FCA, the BoE and the PRA. This means banks, building societies, designated investment firms, insurers etc. It also encapsulates entities authorised or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Broadly speaking, it covers the gamut of financial institutions.

What are ‘important business services’ for SS1/21?

SS1/21 rules ask firms to assess the risks that are connected to important business services. This seems vague – aren’t all functions a firm performs important? For guidance, firms should look at existing definitions issued by the FCA and PRA. SS1/21 says that important business services are “the services a firm provides which, if disrupted, could pose a risk to a firm’s safety and soundness or, if a firm meets the criteria set out in the Operational Resilience Parts, the financial stability of the UK”. For insurers, firms should look at services that would pose a risk to policyholder protection, too.

How can firms comply with SS1/21?

Unlike many in-force dates, regulatory bodies have taken a more flexible approach with SS1/21. This means that, while it comes into effect on 31 March 2022, this is not ‘D-Day’ and firms will be given some time to put the full suite of requirements into effect.

Understand what you’re working with

Once a firm has established that the rules apply to them, and identified their important business services, they should then be in a position to begin ‘Mapping’. Mapping, for the purposes of SS1/21, essentially asks firms to identify the people, processes, technology, facilities and information needed to deliver each of the important business services. In essence, this is a process of knowing who and what is needed to conduct important activities. This puts firms on a good footing to identify vulnerabilities and test their ability to withstand impact tolerances, which we’ll get onto.

Know your limits – prevention not remedy

SS1/21 obliges firms to set impact tolerances for their important business services – this essentially means knowing the limits to which a firm can be pushed, without ending in catastrophe. An impact tolerance is defined as “the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics.” As such, SS1/21 requires firms to set their impact tolerances “at the point at which any further disruption to the important business service would pose a risk to the firm’s safety and soundness”.

Under the new obligations, firms should apply a tolerance limit for a disruption for each important business service. This is on a case-by-case basis, so each disruption should be addressed individually rather than on aggregate. These should be set using metrics of time and duration.

Importantly, firms that are dual-regulated will need to identify and manage two impact tolerances:

- The first should be made at the point where there is harm caused to consumers or market integrity, thereby falling under the umbrella of the FCA.
- The second should be made where a firm’s safety and soundness is put at risk, with a material effect on financial stability.

Through the process of mapping and impact tolerance testing, regulators are expecting firms to work proactively to prevent a disaster scenario. This is not an exercise in learning how to remedy operations when disaster strikes, but instead in preparing for challenging scenarios and ensuring you can cope. With that in mind, where a vulnerability is found – or the limits of impact tolerances appear to be stretched – the regulators expect firms to act and put plans in place to manage the vulnerabilities.

Anticipate the worst-case scenario – remedy not prevention

Once the above three areas have been identified (important business services, mapping of resources and setting impact tolerances), firms will then need to regularly test their ability to remain within their impact tolerances in instances of “severe but plausible disruption scenarios”. Unlike identifying impact tolerances, here the PRA expects firms to “focus on recovery and response arrangements”, rather than on preventing incidents from happening.

In order to effectively test a scenario, firms will need to set an appropriate selection of adverse circumstances and consider the risks that they would pose to a firm’s ability to deliver important business services. Regulators expect firms to test using a suite of “severe but plausible scenarios” but do not expect firms to cover every scenario that could occur ad infinitum. As a foundation, firms could use previous near-misses as a springboard for what could happen.

Governance and self-assessment

SS1/21 requires a high degree of board engagement, with regulators asking specifically that boards approve both important business services and impact tolerances that have been set for their firm. This isn’t ‘one and done’, but a continuous process of regular review and approval by the board. Board members should be equipped with the “adequate knowledge, skills and experience to provide constructive challenge to senior managers”, so while they are not expected to be experts, they should have “appropriate management information”. With reference to SMCR principles, it is expected that firms will establish clear accountability and responsibility trails for the management of operational resilience.

As well as ensuring good governance and accountability for operational resilience under SS1/21, firms will have to maintain an up-to-date self-assessment document, outlining how they are meeting their obligations and responsibilities – as well as the journey they took to get there.

What happens next?

The final rules came into force on 31 March 2022, which marks the beginning of a 3-year transitional period that runs to 31 March 2025. While this is a lenient transition period, regulators expect firms to identify and remain within their impact tolerances as soon as is reasonably practicable. While there is no immediate urgency, firms should not rest on their laurels as the FCA has made it clear that any firm that over-steps the 3-year deadline will be in breach of FCA rules and will face enforcement action.


