1

Introduction

1.1

This Statement of Policy (SoP) is relevant to all:

  • UK banks, building societies, and PRA-designated investment firms (hereafter banks); and
  • UK Solvency II firms, the Society of Lloyd’s, and its managing agents (hereafter insurers).

1.2

Banks and insurers are collectively referred to as ‘firms’.

1.3

The Prudential Regulation Authority (PRA) considers that for firms to be operationally resilient, they should be able to prevent disruption occurring to the extent practicable; adapt systems and processes to continue to provide services and functions in the event of an incident; return to normal running promptly when a disruption is over; and learn and evolve from both incidents and near misses. Therefore, operational resilience is an outcome that is supported by several parts of the PRA’s regulatory framework.[1]

Footnotes

1.4

The Operational Resilience Parts of the PRA Rulebook[2] and SS1/21 ‘Operational resilience: Impact tolerances for important business services’[3] respectively require and expect firms to identify important business services and set impact tolerances for these services. Firms must take action to ensure they are able to deliver their important business services[4] within their impact tolerances.[5] Testing against severe but plausible operational disruption scenarios enables firms to identify vulnerabilities and take mitigating action. The PRA’s operational resilience policy requires boards and senior management to drive improvement where deficiencies are found.


1.5

The context of important business services and impact tolerances influences the PRA’s approach to other parts of the PRA’s regulatory framework as well. This SoP sets out how the PRA implements a consistent and targeted approach across its regulatory framework.

1.6

The SoP clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework in particular (the relationship between these policies is depicted in Figure 1 below):

  • governance;
  • operational risk management;
  • business continuity planning (BCP); and
  • the management of outsourced relationships.

1.7

There is a valuable set of other relevant existing policies and guidelines (eg the European Banking Authority’s (EBA’s) guidelines on information and communication technology (ICT) risks, and the EBA’s guidelines on ICT and security risk management).[6] The PRA considers all of its policies and relevant international guidelines in the context of its operational resilience policy, not just those outlined here. The PRA’s operational resilience policy will complement existing policies and is not intended to conflict with or amend them.

Figure 1: The relationship between the PRA’s operational resilience policy and other key areas of the PRA’s regulatory framework

[Figure 1 image: framework of strategic outcomes against key supporting requirements]

The framework of: identifying important business services; setting impact tolerances; and taking actions to be able to remain within impact tolerances sets the strategic direction that the PRA expects firms to take. To achieve the strategy, firms must:

  • map resources;
  • test their ability to remain within impact tolerances;
  • implement BCP requirements;
  • implement operational risk management requirements; and
  • implement outsourcing requirements.

Governance is an inherent part of each of the above elements, and self-assessment looks at how all of these elements combine to build the resilience of a firm.
