Prudential Regulation Authority Rulebook

8.1

The Operational Resilience Parts^[31] require firms to document a self-assessment of their compliance with the Operational Resilience Part. Firms are also expected to document the methodologies they have used to undertake these activities. Firms’ boards are accountable for and should approve the information provided in these documents. The PRA expects boards and senior management to seek to build resilience so that they gain a high level of assurance that their firm is able to deliver its important business services within impact tolerances. Firms should document this information in the form of a self-assessment.

8.2

A self-assessment should directly address the requirements set out in the Operational Resilience Parts.^[32] Broader elements of firms’ operational resilience, for example, operational risk management and business continuity planning, should only be referenced where they directly pertain to the Operational Resilience Parts.^[33] Broader elements of firms’ resilience should be captured in existing firm practices.

8.3

When documenting a self-assessment to meet the Operational Resilience Parts,^[34] firms should:

• list their important business services and state why each of these have been identified, with reference to the PRA’s expectations in Chapter 2 of this SS;
• specify the impact tolerances set for these important business services and why each impact tolerance has been set, with reference to the expectations in Chapter 3 of this SS;
• detail their approach to mapping important business services. The PRA expects this to include how the firm has identified the resources that contribute to the delivery of important business services and how they have captured the relationships between these. Firms should also document how they have used mapping to identify vulnerabilities and to support testing activity;
• describe their strategy for testing their ability to deliver important business services within impact tolerances through severe but plausible scenarios. Firms should also describe the scenarios used, the types of testing undertaken, and specify the scenarios under which firms could not remain within their impact tolerances;
• identify any lessons learned when undertaking scenario testing or via practical experience including the actions taken to address the issues encountered or risks highlighted;
• identify the vulnerabilities that threaten their ability to deliver important business services within impact tolerances. Firms should make every effort to remediate these vulnerabilities, detailing the actions taken or planned and justifications for their completion time. The completion time should be appropriate to the size and complexity of the firm, and the PRA will expect large and complex firms to take prompt action; and
• identify any additional risks to their ability to deliver important business services within impact tolerances arising from elsewhere in their group. In the case of a CRR firm, the self-assessment should also be informed by any work the CRR consolidation entity has undertaken to comply with the requirements under Rules 8.6, 8.7 and 8.8, regarding important group business services and whether each member of the CRR consolidation entity’s consolidation group could remain within impact tolerance.