Operational Resilience – Your obligations and FCA PS21/3

With the Bank for International Settlements (BIS) operational risk management principles² at its core, tempered by a 1 in 100-year pandemic, and ongoing cyber-attacks, the Policy requires firms to improve the resilience of their business operations.

It highlights that a firm’s risk management and governance processes should focus more particularly on a number of key operational dependencies including: processes, people, technology, facilities and information (resources). Scenario testing is then recommended to provide insights into how a disruption to one of these key resources, for example a cyber-attack on a supporting technology system can be mitigated so as to prevent seriously impacting a firm’s ability to reliably deliver its services.

Policy definitions

Important Business Services

The Board must define important business services (IBSs). These are the key services of the firm that, if their delivery were to be interrupted, could potentially cause intolerable harm to consumers, and/or put financial market integrity at risk. IBSs should be reviewed at least annually.

Time-based Impact Tolerances

A time-based measure of impact tolerance should be established for each IBS. That is, how long is it before a disruption to an underlying resource impacts the delivery of the IBS and potentially causes harm to consumers or market integrity. These impact tolerances inform managers of the resilience of systems and resources that support their IBSs. They should be reviewed at least annually, or when there is a material change to business operations.

Scenario testing

The test plan and any scenario testing details should be summarised in the self-assessment document. Risks should be tested, under various operational scenarios. A “wide range” of IBS operational scenarios is encouraged, so relevant vulnerabilities can be identified under the various circumstances and effective mitigating controls established. Examples cited as potential disruptions requiring appropriate controls, include: cyberattacks or telecommunications/power failures – both of which have recently been shown, to cause serious impact to the important business services.

Read more on other Policy considerations

So much to do, so little time

During the transitional period that ends in March 2025, there is a lot to be done as firms embed new governance frameworks across their business service value chains and iteratively build their operational controls. Regular testing of the impact tolerance of each IBS under various people, processes, technology, and resource scenarios is required to enable firms to learn about the ongoing effectiveness of their operational controls. Broadening that testing to include “severe but plausible scenarios” especially given the volatile environment and risk landscape in which firms now operate is also encouraged. Incorporating the lessons learned into the developing governance process will assist the ongoing closure of operational resilience gaps.

Over time, however, these scenario-centric techniques will add to the operating complexity of any governance process. Perhaps it is why, posttransition, regulators are encouraging firms to establish more capable and reliable means of identifying vulnerabilities and maintaining effective sets of mitigative controls.

It is important to note that some of the input resources that support the delivery of IBSs are more volatile than others. The stability of non-technical resources like the staff and even processes that support IBSs deliveries, for example, are less likely to be susceptible to disruptions, than those influenced by technology. And increasingly digitised business operations, key IT assets and systems and the technical resources that support them make them more vulnerable to technical disruption. The fact that a number of these resources can interdependently impact the outcome of a scenario testing process only makes it more complex and difficult to establish individual mitigating controls.

Operational resilience stretches beyond operational risk management

The Policy specifically makes the distinction between operational resilience and simply the outcome of operational risk management. Operational resilience includes the particular risk management of the specific operational resources that support reliable IBSs delivery. Cyber resilience is seen similarly; it is not just cyber protection of infrastructure and highrisk data, it specifically focuses on the defence of the operational resilience program and the specific priority resources that support IBS delivery.

Cyber resilience

As part of operational resilience then, cyber resilience must embrace more than the protection of high-risk data and infrastructure. It must also capture the systems and IT assets that support the IBSs. It’s not either or. And the CISO, or responsible manager, must be able to work with the accountable operational resilience executive to fulfil both functions. Poor cyber resilience can quickly put both the firm’s technology and business operations at risk almost simultaneously. And hence why it is a major factor in ongoing operational resilience.

With purposeful implementation, the cyber security controls that protect high risk data and infrastructure can be the same ones that protect the systems that support the IBS value chain. The number and sophistication of cyber attacks seeking to move laterally across systems to disrupt operational resources and services delivery is certainly increasing. But it’s the speed, unpredictability and impact of these attacks on the technology and processes it supports, that makes cyber resilience so hard to establish and then maintain.

Security teams seek to establish and monitor security controls in an effort to maintain appropriate cyber resilience of the data, infrastructure and IBS supporting systems. And while IT assets and systems can be priorities for particular focus, few key operational resources and systems that support IBSs deliveries can be easily isolated for scenario testing. And it’s why scenariobased identification and testing of security control effectiveness isn’t feasible for already stretched teams to continuously undertake on their own.

Because of the apparent unpredictability and speed at which gaps can emerge, only automated data-driven processes are quick enough to identify and analyse these new vulnerabilities to inform and guide the effectiveness of the control system.

One way to supplement the scenario-based governance model is to progressively add more data-driven information from across the organisation’s operational systems. By automatically collecting and building better risk information about disruptions and resource vulnerabilities, from the bottom-up, emerging issues can be pin-pointed and mitigated as part of improving operational controls. And the timeliness and reliability of the information about otherwise unknown risks can enrich the development of additional mitigating controls.

It also creates a feedback loop to automatically inform management of the successful mitigation (or otherwise) of previously identified vulnerabilities.

Monitoring and automation to support operational resilience

For data-driven systems to quickly and accurately determine emerging new vulnerabilities in such volatile and complex operating environments, bottom-up data needs to be automatically collected, analysed and reported regularly and at scale. And given the speed at which resources can be disrupted, sufficiently to impact the delivery of IBSs, means that the speed of delivery of this information is key to mitigation efforts.

Many of the vulnerabilities that the Policy aims to address can occur unexpectedly and at a rate that teams are ill-equipped to respond to. Organisations need the ability to detect and mitigate these as soon as they emerge in order to maintain uninterrupted service delivery. As we’ve already observed managing operational risks and overall resilience of an organisation is not an occasional activity; problems could arise at any time and operational governance requires a rapid if not automated response to support the ongoing operational resilience process.

System failures, user provisioning, patching, functionality updates, technology roll-outs occur almost continuously; impacting business operations as they go. Operational resilience obligations cannot rely on ad hoc, intermittent assessments and response; they require timely evidencebased information.

As Boards come under increasing regulatory and legal pressure with regard to operational resilience, they will need to improve the nature and relevance of the information on which they base decisions about operational control settings and governance oversight. In dynamic environments, like the finance sector, where operational factors are constantly changing, annual audits and even scenario based operational resilience efforts are clearly no longer adequate.

Automated solutions that provide visibility of operational controls and the state of resilience and governance will become a priority; if not before March 2025, certainly after.

1. https://www.fca.org.uk/publication/policy/ps21-3-operational-resilience.pdf
2. https://www.bis.org/bcbs/publ/d515.pdf