Today the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMI’s).
It envisages that boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated.
The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.
An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. This DP focuses on how the provision of these products and services can be maintained within reasonable tolerances regardless of the cause of disruption. It reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Motivating the approach are a number of important concepts, which include:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience
- setting board-approved impact tolerances which quantify the level of disruption that could be tolerated
- planning on the assumption that disruption will occur as well as seeking to prevent it
The approach to operational resilience set out in this DP is consistent with the Financial Protection Committee's (FPC) recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focusing on continuity of business services. The supervisory authorities may expect some firms and FMIs to consider the FPC’s impact tolerance when they set their own tolerances.
The supervisory authorities are encouraging responses to questions posed in the DP from all types of firms and FMIs, trade associations, consumer bodies, individuals and businesses as users of financial services, and especially those who have suffered harm from disruptive events.
The discussion period ends on 5 October 2018.
Notes to editors
- DP 18/4:Building the UK financial sector’s operational resilience (PDF)[1]
- On 1 April 2013, the FCA became responsible for the conduct supervision of all regulated financial firms and the prudential supervision of those not supervised by the Prudential Regulation Authority (PRA).
- The FCA has an overarching strategic objective of ensuring the relevant markets function well. To support this it has three operational objectives: to secure an appropriate degree of protection for consumers; to protect and enhance the integrity of the UK financial system; and to promote effective competition in the interests of consumers.
- Find out more information about the FCA[2].