Blog 15 February 2022

The FCA Throw Down the Operational Resilience Gauntlet

by Yad Jaura


Operational resilience has never been more important than in today’s financial sector. It’s about to become crucial for organisations in the financial and insurance markets to have the ability to prevent, adapt and respond to operational disruption, and also to demonstrate how they would recover and learn from any issues. Yad Jaura looks at the new FCA regulations which are driving these issues quickly up the agenda of the industry.

The FCA (Financial Conduct Authority) is endeavouring to ensure that the industry, and all those operating within it, can cope with any shocks, both those that are expected and those that are unexpected. Their goal is to ensure that consumers are protected from the impact. There have been many examples in recent years (the financial crash, Brexit, Covid-19) and the FCA want to greatly reduce the impact of future incidents.


Why now?


This is not a recent effort. There has been a focus on operational resilience for some years. This is gaining importance right now due to the FCA mandating that, by 31 March 2022, relevant financial organisations must identify their important business services and set impact tolerances. They must then carry out necessary mapping and testing.

The FCA want the senior management within these firms to be acutely aware of the potential risks to the way they operate. Understanding the detail of the ways that their supply chains impact resilience is important, especially given that many services are outsourced these days. The FCA want confidence themselves that these issues are being suitably addressed and that they will be alerted as any issues arise.

The rules apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges and some other organisations. The regulations relate to all the resources a firm relies on to provide its financial service. That includes people, processes, systems, suppliers, offices, and so on.


What must be done before 31 March 2022?


Organisations must identify their important business services that, if disrupted, could cause:

  • intolerable harm to consumers;
  • a risk to market integrity;
  • instability in the financial system; or
  • a threat to the viability of firms.

To do this, they must:

  • identify the maximum tolerable disruption they can handle to services
  • map and test these tolerances, identifying resulting issues and vulnerabilities
  • invest in their ability to respond and recover from disruptions effectively
  • develop internal and external communications plans for disruption to important business services
  • prepare self-assessment documentation.

Further deadlines to meet


After 31 March 2022, and by no later than 31 March 2025, they will also need to:

  • have performed mapping and testing to show that each important business service is able to remain within identified impact tolerances
  • make the necessary investments to operate consistently within their impact tolerances
  • ensure any incidents are immediately reported to the FCA, similar to the reporting of data breaches to the Information Commissioner's Office (ICO).

Enhancing and demonstrating operational resilience


Many financial services organisations that still operate manual processes will need to automate these quickly and efficiently, and may now be worried about how they could demonstrate operational resilience. Running legacy systems that need augmenting or replacing makes it very difficult to make changes quickly and efficiently, especially if a crisis hits.

Low-code and automation can help. New systems and processes can be built and implemented quickly – in time for the March deadline. These solutions help to mitigate risk by making processes run like clockwork and reducing the chance for human error. At the same time, this can reduce operational costs – a win-win. And improved customer experience is a fantastic by-product.

Automation is more easily accessible than you might expect and provides a clear route to enhancing and demonstrating operational resilience in your organisation.


Netcall as a supplier


As a supplier to financial services customers, Netcall will also be required to demonstrate our own operational resilience. We are prepared – able to show capabilities to cope with events that may impact organisations that we work with. We can demonstrate documented procedures confirming how we will continue to deliver software and services (including professional services and technical support) in the event of any operational resilience challenges. Our ISO27001 certification is also an important accreditation.

Our specialist team is ready to discuss the challenges facing you, to assist in planning a route to operational resilience for your organisation.