FCA publishes new webpage on operational resilience

The FCA has published a new webpage providing insights and observations for firms preparing to comply with the final rules on building operational resilience.

03 June 2024

Publication

On 28 May 2024, the Financial Conduct Authority (FCA) published a new webpage providing key insights and observations for firms preparing to comply with PS21/3: Building operational resilience, by the end of the transition period on 31 March 2025.

PS21/3 sets out the FCA's final rules and guidance on building operational resilience, developed following an initial consultation (CP19/32) held in December 2019. The FCA expects firms to use the observations set out on the webpage in order to review their approaches to compliance with the rules and assess readiness in relation to a number of key areas, including:

  • Important business services: Firms are required to identify 'important business services' (by reference to the FCA's Handbook) and keep these under review.

  • Impact tolerance: Firms are required to set 'impact tolerances' for each identified important business service, also to be kept under review. The FCA recommends providing a full rationale for impact tolerances in any self-assessment, to ensure the FCA can understand what has been set and why.

  • Mapping and third parties: Firms must identify and document the people, processes and facilities necessary for delivery of any identified important business services, including relationships with third parties which could impact a firm's ability to remain within an impact tolerance. The FCA expects to see firms' mapping of resources and processes to develop over time, to enable firms to create a clear picture of all relevant dependencies required to deliver the services.

  • Scenario testing: Firms must develop and maintain testing plans that detail how firms can remain within their respective impact tolerances for important business services. The FCA expects this scenario testing and mapping to have 'matured' throughout the transition period, providing firms with a greater understanding of their resilience capabilities.

  • Vulnerabilities and remediation: Firms' mapping and scenario testing should identify any vulnerabilities which may put impact tolerances at risk. The FCA expects firms to have significantly progressed remediation activities for vulnerabilities identified in the early part of the transition period.

  • Response and recovery plans: The FCA highlights the exercising and testing of recovery plans as fundamental to understanding whether firms can remain within impact tolerance, noting that reviews of self-assessments so far show 'limited evidence' of such testing.

  • Governance and self-assessment: The self-assessment is a tool for firms to document their journey to becoming operationally resilient. The FCA expects self-assessments to develop over time. These should include an overview of identified vulnerabilities, scenarios tested (including relevant outcomes), remediation plans and firms’ strategies for ensuring they remain within impact tolerances for all important business services.

  • Embedding operational resilience: The webpage highlights that PS21/3 is an outcomes-based policy, and reminds firms that the most effective operational resilience frameworks are embedded within existing enterprise-wide risk frameworks.

  • Horizon scanning: The FCA also reminds firms that risks from 'severe but plausible' scenarios should be refreshed regularly, and recommends horizon scanning as key to maintaining an understanding of new and emerging risks.

Firms have until the end of the transition period to carry out relevant mapping and scenario testing to ensure they will be able to operate consistently within their set impact tolerances for important business services.
