3 The relationship between operational resilience and operational risk policy

3.1 Operational risk management supports both operational resilience and financial resilience. Firms should have effective risk management systems in place to manage operational risks that are integrated into their organisational structures and decision-making processes.[7]

Footnotes

  • 7. Directive 2013/36/EU (Article 85(1)). Solvency II Directive (Article 44).

3.2 When assessing a firm’s operational risk management, the PRA considers the extent to which firms: have reduced the likelihood of operational incidents occurring; can limit losses in the event of severe business disruption; and hold sufficient capital to mitigate the impact when operational risks crystallise.

3.3 The additional requirements the PRA’s operational resilience policy places on firms to limit the impact of disruptions when they occur, whatever their cause, develop the PRA’s approach to operational risk in two key ways:

  • it increases firms’ focus on their ability to respond to and recover from disruptions, assuming failures will occur; and
  • it addresses the risk that firms may not necessarily consider the public interest when making investment decisions to build their operational resilience. The PRA’s operational resilience policy requires firms to take action so they are able to provide their important business services within their impact tolerances through severe but plausible disruptions.

Risk appetite and impact tolerances

3.4 Impact tolerances differ from risk appetites in that they assume a particular risk has crystallised, instead of focusing on the likelihood and impact of operational risks occurring. Firms that are able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions, but risk appetites are likely to be exceeded in these scenarios (see Figure 2 below). Impact tolerances are set only in relation to impact on financial stability, the firm’s safety and soundness and, in the case of insurers, the appropriate degree of policyholder protection.

Figure 2: The relationship between risk appetite and impact tolerance


Figure 2 shows the relationship between impact and likelihood for a firm’s risk appetite and impact tolerance. Both risk appetite and impact tolerances help ensure a firm’s operational resilience.

  • The thick solid line represents the risk appetite, which changes with impact and likelihood. Green, yellow, and red illustrate the firm’s appetite towards disruption at different levels of impact and likelihood (green is within the firm’s risk appetite, yellow is outside of the firm’s risk appetite, and red is significantly outside of the firm’s risk appetite).
  • The dashed dark line represents the impact tolerance, which is set at a high level of impact and assumes disruption has occurred, so is indifferent to likelihood. The green, yellow, and red are not related to the impact tolerance.

Financial resilience

3.5 Firms are required to hold capital to ensure they can absorb losses resulting from operational risks such as fraud, damage to physical resources, or business disruption and system failures.[8] However, the PRA’s operational resilience policy does not have an associated capital requirement. As such, it does not affect the PRA’s approach to operational risk capital policy or add additional considerations for firms when they make capital calculations.

Footnotes

  • 8. CRR Firms – Internal Capital Adequacy Assessment 10.1 (for banks); Solvency Capital Requirement – General Provisions 3.3 (for insurers).

Incident management

3.6 Under the PRA’s general notification rules,[9] firms are required to notify the PRA where an incident: could lead to the firm failing to satisfy one or more of the threshold conditions; could have a significant adverse impact on the firm’s reputation; could affect the firm’s ability to continue to provide adequate services to its customers; or could result in serious financial consequences for the UK’s wider financial sector or for other firms.

Footnotes

  • 9. Rule 2.1 in the Notifications Part of the PRA Rulebook.

3.7 The PRA considers whether a firm has met the PRA’s notification requirements alongside the PRA’s expectations in its operational resilience policy. For example, the PRA expects an incident to meet the test for notification if it would disrupt the firm’s ability to deliver its important business services within its impact tolerances. This includes incidents which have occurred, may have occurred, or may occur in the foreseeable future.