5

Mapping

5.1

The Operational Resilience Parts[20] require firms to identify and document the necessary people, processes, technology, facilities, and information (the ‘resources’) required to deliver each of their important business services. This identification process is referred to as ‘mapping’.

Footnotes

  • 20. Operational Resilience 4.1, Insurance – Operational Resilience 4.1.

5.2

Adequate mapping should enable firms to meet the following outcomes:

  (a) The identification of vulnerabilities. Mapping an important business service should allow a firm to identify the resources that are critical to delivering an important business service, ascertain whether they are fit for purpose, and consider what would happen if resources were to become unavailable.
  (b) Test ability to remain within impact tolerances. Mapping should facilitate the testing of a firm’s ability to deliver important business services within impact tolerances. To design and understand the full implications of scenarios, a map of the relevant business service is necessary. Further information on the approach to testing is outlined in Chapter 6.

5.3

To meet the requirements in the Operational Resilience Parts[21], the PRA expects firms to take action where a vulnerability is identified, or testing highlights a limitation to remaining within impact tolerances.

Footnotes

  • 21. Operational Resilience 2.5, Insurance – Operational Resilience 2.5.

5.4

The PRA expects firms to map their important business services to the level of detail necessary to use the mapping to identify vulnerabilities and test ability to remain within impact tolerances.

5.5

The PRA expects firms to map the resources necessary to deliver important business services irrespective of whether the resources are being provided wholly or in part by a third party, which may be an intragroup or external service provider. Firms should understand how their outsourcing and third party dependencies support important business services.

5.6

Firms should understand the reliance placed on sub-outsourcing arrangements and if these arrangements pose a threat to their operational resilience. Paragraph 9.5 of SS2/21 sets out that firms should assess whether sub-outsourcing meets materiality criteria set out in Chapter 5 of SS2/21, which includes the potential impact on the firm’s operational resilience and the provision of important business services. Paragraph 9.6 of SS2/21 sets out that firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

5.7

As set out in SS2/21, ‘firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations’. This is a key principle underlying all requirements and expectations regarding outsourcing and other third party arrangements. Therefore, a firm will remain responsible if a third party provider on whom it relies, whether wholly or in part, to provide an important business service, fails to remain within impact tolerances or causes the firm to do so. SS2/21 sets out detailed expectations on how firms should obtain assurance from third parties throughout the lifecycle of an outsourcing or, where relevant, other third party arrangement. The level of assurance that the PRA expects should be proportionate to the size and complexity of the firm and reflect the materiality and risk of the outsourcing and third party arrangement. As part of this assurance, firms may ask third parties to provide mapping, but this is not required in all cases, particularly if other assurance mechanisms are effective and more proportionate.

5.8

Mapping information should be accessible and usable for the firm. Firms should document their mapping in a way that is proportionate to their size, scale, and complexity. Firms are expected to develop their own methodology and assumptions for mapping to best fit their business.

5.9

The PRA expects firms to update their mapping annually at a minimum, or following significant change if sooner.