Working on Impact Tolerance

The recently released Financial Conduct Authority (FCA) 2019-2020 Business plan has flagged Operational Resilience as an area of focus this year. With operational resilience making the shortlist of overriding priorities — along with Brexit, Culture, and Financial Crime — it's time for firms to take heed and get ahead of the curve.

What is Operational Resilience?

The Prudential Regulation Authority (PRA) has stated that a firm’s ability to keep going operationally as well as financially during and post-crisis – operational resilience – is an area where the regulatory framework is “thoroughly underdeveloped” when compared to the frameworks for capital, liquidity and accountability. It has also identified two reasons why operational resilience is more important now: first, the emerging risks of cyber-attack, and second, that an operational failure ‘hurts’ more than it used to due to channels like social media.

In July 2018, the Bank of England, PRA, and FCA released a discussion paper, “Building the UK financial sector’s operational resilience”, setting out a broad approach to dealing with operational disruption. The goal? Having a “resilient financial system that can absorb shocks rather than contribute to them”. Recognising the importance, the PRA has also added a section on operational resilience to its banking and insurance supervision documents.

What do firms have to do?

Firms, whatever their size, are expected to have plans in place to resume essential and systemically important functions in the event of major disruption. The PRA expects firms to develop "impact tolerances" and to "acknowledge that disruptive events will happen".

This means that companies will need to make an assessment of operational resilience matters and have an understanding of impact tolerance linked to critical business services, as well as ensuring that an appropriate level of resilience is being maintained through monitoring and testing.

For boards, their involvement in, and sign-off for, the setting of the entity’s “impact tolerances” is likely to be examined (with the benefit of hindsight) if there is an event that challenges the operational resilience of the entity. For example, what is the maximum acceptable downtime of a key IT system? Are there clear and understood metrics for when an operational disruption would represent a threat to the entity’s viability? The frequency and quality of an organisation’s scenario testing, backup and response plans, and the effectiveness of its recovery options are also going to be open to scrutiny. Reputations will be on the line, as the speed, accuracy, and effectiveness of post-impact communications are examined.

Setting impact tolerances at the right level, and monitoring exposures against these rely upon data and high-quality analytics. An approach to operational resilience that blends Enterprise Risk, actuarial, and modelling skills with insurance claims data and resilience expertise allows the delivery of an integrated solution. This allows more accurate quantification of resilience exposures and impact tolerance levels and delivery of governance and process that ties existing operational risk, risk transfer, and resilience capabilities together. It can also change the whole approach to the use of a risk transfer solution like insurance.

To discuss your risk transfer issues or operational resilience needs further, please contact your Marsh adviser.


David Nayler

Financial Institutions Practice Leader