Can you prove your resilience?

  • Publish Date: Posted 6 days ago
  • Author: Adam Stage

"It feels like the 2,000 firms in scope for the regulation are about to sit their final exam..."

Adam Stage, operational resilience leader and financial services regulatory expert with over 10 years in the industry, discusses upcoming deadlines and the future of OpsRes for UK firms.

We are less than three months away from the regulatory deadline for the UK operational resilience regulations. It has been four years since the regulations came into effect.

It feels like the 2,000 firms in scope for the regulation are about to sit their final exam for this module in the specialist subject of operational resilience (1).

Much like students, firms will have taken different approaches to preparing for this exam.

Many will have started off with full gusto, setting out plans with checkpoints for their progress and checking in with their supervisor along the way.

A minority may have left the preparations for the last minute and be panicking over what they can achieve in the time remaining.

The rest will be somewhere in between: taking time at the start to grasp the subject matter, navigating the odd distraction along the way, but making slow and steady progress.

The advantage all firms have is advance warning of the exam question:

Can you remain within impact tolerances for each important business service (IBS) for a range of severe-but-plausible scenarios?

…and perhaps the most important three words in any such exam:

Show your workings.

Of course, there are lots of underlying questions here to unpack, which are open to interpretation, such as:

  • Have you mapped your IBS in enough detail?

  • Have you set your impact tolerances at the right level?

  • Have you run enough scenario exercises?

  • Were they severe enough?

The list goes on.

The supervisors have helped firms in their preparations through both bilateral and industry feedback (2). This has driven the industry towards a common view of how to implement the regulations in practice and increased the likelihood that supervisors end up with a clearer view of the biggest vulnerabilities facing delivery of the IBS.

One of the most impressive aspects of how this topic has evolved has been how firms have studied together, comparing notes on how they have implemented the regulations. This has resulted in some extremely helpful guidance published by the Cross Market Operational Resilience Group (CMORG) (3), which acts as a great guide for those firms less sure about the path ahead.

"...these are exactly the sort of severe-but-plausible scenarios that they expected firms to be preparing for."

Actual incidents challenge firms' Operational Resilience in real time

Over the past three years firms will have faced more practical challenges when hypothetical scenarios have been overshadowed by real incidents. These of course provide valuable lessons to ensure that firms are looking at disruption through an end-to-end service lens and to understand what contingency options are available to continue those services.

Over summer we saw two unrelated incidents on consecutive days in which disruption at third parties caused significantly impaired service.

First was a Swift outage impacting CHAPS settlement on 18 July, followed the next day by a flawed update by CrowdStrike, which had a much wider impact on financial services firms and many other industries.

Policymakers would have taken comfort that these are exactly the sort of severe-but-plausible scenarios that they expected firms to be preparing for: those which in the past may not have been considered on the grounds of lower probability.

Upcoming Critical Third Party Regulation

On the horizon, firms can see some salvation through the forthcoming Critical Third Party (CTP) regulation, which will see the regulators expand their supervisory power over a small number of third parties critical to the functioning of the UK Financial System.

Firms will not see the benefit in time for the March 2025 self-assessment but there will surely be benefits for financial services firms in the future as these CTPs:

  1. Disclose more information to support oversight of supplier risks

  2. Develop objectives on resilience which align with regulatory expectations on firms

  3. Drive improvement in their own operational resilience and stability

  4. Drive an overall increase in confidence in the resilience of the financial system

"DORA has developed into a much more prescriptive set of regulations..."

Beyond UK Regulations

Of course, this article has focused on the exam for UK regulators, but multinational firms are facing multiple concurrent tests, not least the European Digital Operational Resilience Act (DORA), which applied from 17 January.

DORA has developed into a much more prescriptive set of regulations focused largely on the disciplines of ICT risk management and outsourcing, bringing parity across the financial services sector while acknowledging proportionality to address the vastly different sizes of firms in scope.

Such prescriptiveness may be preferred by those who like greater certainty in knowing what needs to be done, whereas the UK’s principles-based regulations require firms to think about defining resilience in the broader context of the regulatory objectives around customer harm, firm safety and soundness and financial stability.

So what?

As we approach March there is much to discuss about what the expectations of regulators will be going forward, but this is unlikely to be radically different from today’s operating model.

There will surely be a reinforcement of the role of the Board in approving ongoing resilience assessments and perhaps wording about the need to remediate vulnerabilities in a reasonable timeframe.

Rather than waiting for regulatory enlightenment, firms should continue to drive their resilience agendas internally and ensure that for all the effort that contributes towards their final exam paper (their self-assessment), there is a clear story on how they can prove they are more resilient than they were in the past, and more resilient to the severe-but-plausible scenarios of the future.

References:

(1) Of course, we know the UK regulations do not end in March 2025 but supervisory teams are expecting to see firms demonstrate their compliance with the rules and their plans for the future.

(2) This August 2024 publication is a good example: Operational resilience in a macroprudential framework | Bank of England.

(3) Guidance for Firm Operational Resilience | Cross Market Operational Resilience Group (cmorg.org.uk) - accessible on registration.

Many thanks to Adam for this insightful Operational Resilience article. If you would like to collaborate with MERJE on an industry piece, email marketing@merje.com

If you're looking for Operational Resilience experts to add to your team, or your next role in the OpsRes space, get in touch with our Governance recruitment expert Kirstie Burn.
