A combined discussion paper from the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) sets out an approach to improve the operational resilience of firms and financial market infrastructures (FMIs).
It noted that “boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated”.
The regulators have made a point of calling especially for responses from those who have suffered harm from bank and financial institution disruption.
Disruption to mortgage processing
The authorities envisage that firms may need to establish time-based impact tolerances for services such as transferring funds between accounts, processing mortgages, and performing collateral management.
They were keen to understand what types of metrics firms used regarding tolerance for outages and said the “translation of impact tolerances into actual investment decisions and contingency planning is of particular interest”.
Whether there is clear governance and accountability, and how the impact tolerances are tested, were also raised by the watchdogs.
And they added that they would consider how effective the board was “in providing governance and leadership to their organisation’s resilience work, and in developing the necessary capabilities”.
Although it did not mention them by name, the report highlighted “recent disruptive events” which have harmed customers and raised the risk of seriously affecting the economy as a whole.
The regulators stressed that better communication with those most affected by the disruptions, particularly customers, should be at the forefront of every firm’s response.
Overall, the regulators raised three key points which need to be considered by boards:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience;
- setting board-approved impact tolerances which quantify the level of disruption that could be tolerated;
- and planning on the assumption that disruption will occur as well as seeking to prevent it.
Wider economic harm
The watchdogs also warned that an operational disruption such as one caused by a cyberattack, failed outsourcing or technological change could impact UK financial stability.
This could, they said, pose a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and financial market infrastructures, and cause harm to consumers and other market participants in the financial system.