1 Introduction

1.1

This Supervisory Statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations for the operational resilience of firms’ important business services, for which they are required to set impact tolerances. The policy objective is to improve the resilience to operational disruptions of both firms and the wider financial sector.

1.2

The policy addresses risks to operational resilience from the interconnectedness of the financial system and the complex and dynamic environment in which firms operate. The PRA considers that there is a need for a proportionate minimum standard of operational resilience that incentivises firms and, where relevant, their groups to prepare for disruptions and to invest where needed. Disruptions can affect firms’ safety and soundness, undermine policyholder protection, and, in some cases, affect financial stability.

1.3

This SS is relevant to all:

  • UK banks, building societies, PRA-designated investment firms (hereafter banks), and CRR consolidation entities; and
  • UK Solvency II firms, the Society of Lloyd’s, and its managing agents (hereafter insurers).

1.4

Banks and insurers are collectively referred to as ‘firms’ in this SS. In chapter 9, where those expectations relate to a banking group, the term ‘CRR consolidation entity’ is used; where those expectations refer to an insurance group, the term ‘insurer’ is used.

1.5

Operational resilience in this SS refers to the ability of firms, their groups, and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The PRA’s approach to operational resilience is based on the assumption that, from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period.

1.6

A clear focus by boards and senior management on their firm’s operational resilience will become increasingly important as the wider financial sector becomes more dynamic, complex, and reliant on technology and third parties. Moreover, international interconnectedness is increasing, for example as UK firms may outsource to cloud computing providers operating in a number of different countries. While this can improve firms’ resilience, it also gives rise to new risks to operations which the PRA expects firms to manage effectively.

1.7

To address the growing risk a lack of operational resilience poses, the Operational Resilience Parts of the PRA Rulebook[1] require firms to set and meet clear standards for the services they provide and test their ability to meet those standards. Firms are required to review their existing approaches and make improvements where necessary.

Footnotes

  • 1. Operational Resilience; Insurance - Operational Resilience; and Chapter 22 in the Group Supervision Part of the PRA Rulebook.

1.8

The policy supports the PRA in embedding operational resilience into its prudential framework. The policy provides an objective basis for the PRA to assess firms’ operational resilience and for the PRA’s supervisors to have an informed dialogue with the firms they supervise and drive them to implement change where necessary.

1.9

This SS complements, and should be read in conjunction with:

  • ‘The PRA’s approach to banking supervision’ or ‘The PRA’s approach to insurance supervision’;[2]
  • the Fundamental Rules Part of the PRA Rulebook;[3]
  • the Operational Resilience Parts;
  • the PRA Statement of Policy ‘Operational resilience’;[4] and
  • SS2/21 ‘Outsourcing and third-party risk management’.[5]