4

Actions to remain within impact tolerance

4.1

The Operational Resilience Parts[17] require firms to ensure they are able to deliver their important business services within impact tolerances in severe but plausible scenarios. Mapping and testing the delivery of important business services will equip firms to establish whether and how they can remain within impact tolerances.

Footnotes

  • 17. Operational Resilience 2.5, Insurance – Operational Resilience 2.5.

4.2

The PRA expects firms to take action where they identify a limitation in their ability to deliver important business services within impact tolerances. The PRA is unlikely to consider complicated business models or the provision of services across borders as good reasons for a firm not to be able to act to ensure they can remain within an impact tolerance – these factors are themselves vulnerabilities that the PRA expects firms to address. However, incidents such as rapid technological change may be a reason for a firm to not be able to remain within an impact tolerance, as it may take time to improve resilience under those conditions.

4.3

The PRA expects firms to develop and implement effective remediation plans for the important business services that would not be able to remain within their impact tolerance. Firms should take prompt action where they cannot remain within the impact tolerance, so these plans should include appropriate timing for the necessary improvements.

4.4

In developing these plans to improve resilience and prioritising their work, firms should also consider the:

  • nature and scale of the risk that disruption to the important business service could pose to financial stability (if applicable), safety and soundness, and (in the case of insurers) the appropriate degree of policyholder protection. Firms should prioritise those services that pose the greatest risk.
  • time-criticality of the important business service, which is high when the impact tolerance is set for a short amount of time. The PRA expects firms to have undertaken planning and set up recovery and response arrangements in advance to be able to respond quickly to disruptions when they occur.
  • scale of improvement necessary to remain within the impact tolerance. An important business service that is far from remaining within the impact tolerance may need to be prioritised over a business service that could nearly remain within its impact tolerance in a severe but plausible disruption.

4.5

The PRA expects firms to be able to remain within impact tolerances for important business services, irrespective of whether or not they use third parties in the delivery of these services. This means that firms should effectively manage their use of third parties to ensure they can meet the required standard of operational resilience.

4.6

Although firms may assume that an arrangement is inherently less risky where the service provider is part of their own group, this is often not the case. The PRA expects firms to manage risk and make appropriate arrangements to be able to remain within impact tolerance, whether using third parties that are other entities within their group or external providers.

4.7

The PRA expects firms to develop communication strategies for both internal and external stakeholders as part of their planning for responding to operational disruptions. These communication plans should be developed with a view to reducing harm to counterparties and other market participants and supporting confidence in both the firm and the financial sector. The PRA expects firms’ plans to include the escalation paths they would use to manage communications during an incident and to identify the appropriate decision makers. For example, the plan should address how to contact key individuals, operational staff, suppliers, and the appropriate regulators.

4.8

The PRA requires[18] firms to consider PRA objectives when setting impact tolerances. It is also aware that dual-regulated firms must identify a separate impact tolerance for their important business services, where the delivery of the important business service is also relevant to the FCA’s objectives. Where appropriate, a firm may set its PRA impact tolerance for a given important business service at the same point as its FCA impact tolerance. The PRA expects that work done to meet the requirements of one regulator should be leveraged to meet those of the other, and would encourage firms to avoid duplicative work.

Footnotes

  • 18. Operational Resilience 2.3, Insurance – Operational Resilience 2.3.

4.9

The PRA expects dual-regulated firms to understand whether the scenarios that may cause firms to exceed their respective PRA and FCA impact tolerances would differ (whether or not those impact tolerances are aligned), and to take action to remain within their PRA impact tolerances as appropriate.

4.10

The PRA understands that in practice firms may concentrate their efforts on ensuring they can remain within the more stringent tolerance. Where the PRA and FCA impact tolerances differ for a dual-regulated firm, taking action to ensure firms can remain within the more stringent tolerance will be acceptable if a firm can demonstrate:

  • how they have considered the PRA’s objectives when setting their impact tolerances;
  • how their response and recovery arrangements ensure they are able to remain within the PRA impact tolerance; and
  • that scenario testing has been performed with the PRA impact tolerance in mind.

4.11

Below is an example illustrating how firms could effectively concentrate their efforts on ensuring they can remain within the more stringent impact tolerance for a given important business service:

  • Where a firm providing custodian services to small and medium-sized asset managers and investment firms identifies the safekeeping of securities for customers as an important business service, it may judge that: (a) after six hours of disruption, this impacts customers’ abilities to settle transactions and thus poses a risk of consumer harm; and (b) after eight hours of disruption, this creates a reputational risk which threatens their safety and soundness. The firm identifies vulnerabilities in its safeguarding systems and thus increases its investment to improve the robustness of its systems to allow it to remain within the shorter impact tolerance, which also serves to meet the longer impact tolerance.

Policy implementation

4.12

The Operational Resilience Parts are effective from Thursday 31 March 2022. By this point, firms must have identified their important business services and set impact tolerances. In order to achieve this, and to identify any vulnerabilities in their operational resilience, firms should have mapped their important business services and commenced a programme of scenario testing.

4.13

Firms are not expected to have performed mapping and scenario testing at their full level of sophistication by Thursday 31 March 2022. Both mapping and scenario testing are ongoing processes, and firms are expected to perform them at varying levels of sophistication over time. The PRA expects that firms’ approaches to both mapping and scenario testing should evolve over time.

4.14

Senior management are expected to take responsibility for delivering the policy outcomes. Firms are expected to have a prioritised plan which sets out how they will comply with the requirement to be able to remain within their impact tolerances within a reasonable time, and no later than Monday 31 March 2025.[19] For a firm’s plan to be effective, firms must have started putting the plan into effect by Thursday 31 March 2022. As part of this planning, firms should prioritise their regular mapping and scenario testing so that they will be able to identify vulnerabilities in sufficient time for measures to be taken to remediate them. Firms, particularly larger, more complex ones, will need to make choices and prioritise with the ultimate goal of delivering the outcomes of the policy.

Footnotes

  • 19. Operational Resilience 2.5, 2.6, Insurance – Operational Resilience 2.5, 2.6.

4.15

The speed at which vulnerabilities are remediated should be commensurate with the potential impact that a disruption would cause, and will be an area of supervisory focus.

4.16

After Monday 31 March 2025, maintaining operational resilience will be a dynamic activity. By this point, firms should have sound, effective and comprehensive strategies, processes, and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption.