The UK’s Financial Conduct Authority (“FCA”) has published a web page of observations aimed at helping firms prepare for new operational resilience rules due to be inforced by 31 March 2025. The relevant rules apply to banks, building societies, larger investment firms, insurers, and recognised exchanges, but are worth reading for all firms given the current regulatory emphasis on operational preparedness for ever more severe challenges.
While as soon as possible after 31 March 2022, and by no later than 31 March 2025, relevant firms must have performed mapping and testing to remain within their identified impact tolerances for each important business service, those firms should also have conducted a self-assessment covering impact tolerance and how they are mapped to important business services, identified vulnerabilities and the results of scenario testing.
The FCA looks at observations and insights into current practices around identifying and regularly reviewing important business services to make sure that these are identified and can continue to function to keep the firm within impact tolerance parameters. Those parameters must be set in the round and ready for assessed ‘severe but plausible scenarios’. The importance of regular scenario review and senior management buy-in is also key.