Today the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a joint discussion paper (DP) on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). It envisages that boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated.
The challenges for operational resilience have become even more demanding given a hostile cyber environment and large scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.
An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by: posing a risk to the supply of vital services on which the real economy depends; threatening the viability of individual firms and FMIs; and causing harm to consumers and other market participants in the financial system. This DP focuses on how the provision of these products and services can be maintained within reasonable tolerances regardless of the cause of disruption. It reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Motivating the approach are a number of important concepts, which include:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience;
- setting board-approved impact tolerances which quantify the level of disruption that could be tolerated; and
- planning on the assumption that disruption will occur as well as seeking to prevent it.
The approach to operational resilience set out in this DP is consistent with the FPC’s recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focusing on continuity of business services. The supervisory authorities may expect some firms and FMIs to consider the FPC’s impact tolerance when they set their own tolerances.
The supervisory authorities are encouraging responses to questions posed in the DP from all types of firms and FMIs, trade associations, consumer bodies, individuals and businesses as users of financial services, and especially those who have suffered harm from disruptive events.
The discussion period ends on 5 October 2018.
Notes to editors
1. Discussion paper 01/18: December 2019
2. Speech by Lyndon Nelson: ‘Resilience and continuity in an interconnected and changing world’, 13 June 2018
7. Andrew Bailey and Sam Woods letter to Treasury Select Committee: ‘Resilience and security of IT systems in financial services’, November 2016