Prudential Regulation Authority Rulebook

2.1

A business service is a service that a firm provides. Business services deliver a specific outcome or service to an identifiable user external to the firm and should be distinguished from business lines, which are a collection of services and activities.

2.2

As set out in the Operational Resilience Parts,^[6] firms must identify their important business services. The Operational Resilience Parts define important business services as the services a firm provides which, if disrupted, could pose a risk to a firm’s safety and soundness or, if a firm meets the criteria set out in the Operational Resilience Parts,^[7] the financial stability of the UK. The Operational Resilience Parts^[8] set out that insurers must also identify important business services that may pose a risk to policyholder protection.

2.3

The PRA expects firms to identify important business services considering the risk their disruption poses to financial stability (where applicable), the firm’s safety and soundness and, in the case of insurers, policyholder protection. A firm’s important business services will be a relatively short list of external-facing services for which the firm has chosen to build high levels of operational resilience in anticipation of operational disruption.

2.4

Firms should also consider the practicalities of how they identify their important business services. For example, they should identify important business services so that:

• an impact tolerance can be applied and tested; and
• boards and senior management can make prioritisation and investment decisions.

2.5

When assessing the risk a business service poses to financial stability (where applicable), the firm’s safety and soundness, or policyholder protection, the PRA expects firms to consider the following factors:

1. (a) Financial stability – the impact on the wider financial sector and UK economy, including:

• the potential to inhibit the functioning of the wider economy, in particular the economic functions listed in SS19/13 ‘Resolution planning’;^[9]
• the potential to cause knock-on effects for counterparties, particularly those that provide financial market infrastructure or critical national infrastructure; and
• whether the service is covered by an impact tolerance set by the Bank’s Financial Policy Committee.

1. (b) The firm’s safety and soundness – the impact on the firm itself, including the:

• impact on the firm’s profit and loss;
• potential to cause reputational damage; and
• the potential to cause legal or regulatory censure.

1. (c) In the case of insurers, an appropriate degree of policyholder protection – the impact on policyholders affected by a disruption to the service, including consideration of:

• the type of product, type of policyholder, and their current or future interests;
• the significance to the policyholder of the risk insured;
• the availability of substitute products that would offer a policyholder a similar level of protection; and
• the potential for significant adverse effects on policyholders if cover were to be withdrawn or policies not honoured.

2.6

When assessing if an impact tolerance can be applied to an important business service, firms are expected to consider if the users of the service are identifiable. This means that the impacts of disruption should be clear. The users of the service may include retail customers, business customers, other legal entities, trustees, market participants, the supervisory authorities, or other members of a regulated entity’s group.

2.7

The focus on the implications of operational disruption for firms’ safety and soundness, financial stability, and policyholder protection means that firms should not identify internal services alone (for example those provided by human resources or payroll) as important business services. Such internal services, if necessary for the delivery of important business services, would be included in the mapping, scenario testing, and any remediation work the PRA requires firms to perform.

2.8

Important business services deliver a specific outcome or service to an identifiable user and should be distinguished from business lines, such as mortgages, which are a collection of services and activities. They will vary from firm to firm. Firms should consider the chain of activities which make up the important business service, from taking on an obligation to delivery of the service, and determine those parts of the chain that are critical to delivery of the important business service. The PRA expects that the critical parts of the chain should be operationally resilient, and that firms should focus their work on the resources necessary to deliver them. Below is an example of where activities performed by internal services within a firm would need to be included in the chain of activities (note, in the example below, the risk management function itself is not required to be operationally resilient in the terms of this policy):

• Trade execution: Where trade execution requires clearance from the risk management function, the clearance process would be included in the chain of activities that form part of the important business service, and the operational resources needed to provide that clearance would need to be operationally resilient. In this example, the important business service (trade execution) could not be delivered if the clearance process was operationally disrupted.

2.9

When assessing if boards and senior management can make prioritisation and investment decisions for an important business service, firms are expected to consider whether the number of important business services is proportionate to their business. It is likely that larger firms will identify a larger number of important business services than smaller firms.

2.10

The PRA expects firms to review their important business services annually at a minimum, or sooner if a significant change occurs, and to determine whether any changes are required to their list of important business services.