The discussion period for this DP, jointly issued by the FCA, PRA and Bank of England, has just ended and, partly in light of last week’s Tesco Bank fine, it’s a good time to think about why operational resilience poses a different sort of problem for both regulators and firms.
Most, if not all, of the differences are covered or alluded to in the DP, but their importance in this particular arena is arguably underplayed. There are two major reasons for this:
- The nature of Discussion Papers is to dampen any sense of prioritization, so that the issues covered are all given a relatively neutral weighting
- The tendency of regulators is to focus primarily on matters that can largely be controlled within the regulatory universe (i.e. by firms and/or regulators taking action).
The first thing to emphasise, however, is that the DP is one of the best I’ve come across in a long time, and worth a read even if you have only a passing interest. The following suggestions should be seen in this light.
There are two areas where the DP might have placed greater stress. Both stem from a reality that is unusual in a regulatory context: almost all significant operational disruptions have an immediate and wide-ranging external impact, involve some element of criminal activity or a conscious opponent, or both.
This makes operational resilience crucially different from the majority of regulation, which is characterized by long lead times and firms disclosing to the regulator when they discover problems. Consequently, the two areas that might have been given greater weight are:
1. External communication: This is covered [para 2.11] but, from the RBS outage in 2012 through to TSB’s problems earlier this year, firm after firm has found that its best-laid consumer communication plans have fallen short, failing to adapt to the pace of events.
2. Response capacity: Again this is briefly covered [2.10], but the presence of a conscious opponent means both that attacks are a fact of life and that the opponent is much more likely to adapt so as to counter any initial regulatory action. This requires a different mindset, one that includes devising ways of increasing the cost and risk to the criminal (of whatever sort).
Beyond these, it’s worth pointing to the DP’s focus on business services rather than systems and controls, and its highlighting of the need to include outsourced services [4.36]. Both raise challenges in relation to the SMCR (the Senior Managers and Certification Regime): identifying how Senior Managers should allocate individual responsibility across an issue as multi-faceted as operational resilience will need careful engineering and regular stress-testing. The results of the various investigations into TSB’s problems, when they come, will obviously play into this.
One last point to note is the welcome distinction the DP makes between impact tolerance and risk appetite. The first is “an upper limit where a breach is to be avoided in all but the most extreme scenarios”, the latter “a desired outcome that is achieved with high probability” [5.6]. Historically, regulators have tended to use the terms tolerance and impact interchangeably, and especially to use tolerance when they mean impact. This shift is another indication that operational resilience is a different sort of problem.
Motivating the approach are a number of important concepts, which include:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience
- setting board-approved impact tolerances which quantify the level of disruption that could be tolerated
- planning on the assumption that disruption will occur, as well as seeking to prevent it