
Operational Resilience Consultation Papers

Operational Resilience

Since the UK regulatory discussion paper on operational resilience was issued in July 2018, KPMG has had the privilege of working with many of our clients in developing strategy and supporting execution. Following up on this, in December 2019 the UK regulators released a series of consultation papers building upon and adding clarification to the points in the discussion paper.

A key, shared priority for the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) is to put in place a stronger regulatory framework to promote operational resilience of firms and the Financial Market Infrastructure (FMI). As a consequence, although the policy proposals brought forward for consultation are tailored to the individual policy frameworks and supervisory approach of each respective authority, they share a common overarching approach to operational resilience.

Key Regulatory themes:

Having analysed the content of the papers, KPMG has identified the following key themes:

  • Operational resilience must be driven from the board with clear accountability for differentiated investment decisions that properly consider resilience.
  • Resilience should be prioritised for important business services, those services that have the greatest potential to cause harm to consumers, the financial system and the firm itself.
  • The resources that a firm deploys to deliver those most important services must be mapped across technology, data, people, facilities, suppliers and now key dependent processes.
  • The maximum tolerable level of disruption to an important business service must be defined as an impact tolerance, and metrics must be identified to monitor and measure the firm’s ability to remain within the tolerance.
  • Firms should identify severe but plausible scenarios to test the ability to respond and recover within those tolerances.
  • Robust internal and external communications plans must be in place to manage the impact during any service disruption – with an emphasis on ensuring the timeliness and accuracy of the information provided.
  • Firms must demonstrate that they have taken decisive and effective actions to improve resilience and have embedded a recovery-centric mindset within the organisation’s culture.

Global perspective

Whilst these are UK regulatory proposals, it is also important to consider the increase in focus on operational resilience from a global perspective:

  • At European and global level, operational resilience is also a high priority. 
  • The UK proposals reflect guidelines already finalised by the European Banking Authority (EBA) on outsourcing arrangements and on Information and Communications Technology (ICT) and security risk management, and the European Insurance and Occupational Pensions Authority’s (EIOPA) draft guidelines on outsourcing to cloud service providers.
  • The Financial Stability Board (FSB) in Basel is engaged in the discussion around the financial stability implications of cloud and big tech.

KPMG believes that, given the importance being given to operational resilience across the international regulatory environment, we can expect to see increasing collaboration and convergence in this space.

The consultation papers have confirmed that, in future, operational resilience will be scrutinised as much as financial resilience in the UK, and will be embedded in the regulatory framework. It is now clear that firms will be required to put in place robust management frameworks to prioritise and allocate investment to deliver resilience across important business services. We currently expect final policy in late 2020, with all the rules taking effect a year after publication and firms having longer (up to three years) to show that they can remain within impact tolerance for their important business services.

KPMG believes that, with the additional information and clarification provided, firms can move forward with confidence, but they should take care to ensure that their plans place proper emphasis on the scalability and sustainability of solutions. Please contact us if you would like to explore how we can help to accelerate your progress.


  • Our operational resilience practice is recognised as market leading.
  • We understand that operational resilience isn’t just a new name for business continuity planning. 
  • We help your business understand and manage itself end-to-end, as a series of services, harnessing the opportunity presented by the regulators’ vision.
  • We change the culture of your business to one where resilience is a strategic essential, giving your organisation a competitive advantage.
  • We have completed multiple engagements of this nature at a number of organisations, including some of the UK’s largest universal banks, challenger banks and financial management infrastructure organisations.
