Operational Resilience: Are You Ready and Seizing the Opportunities?
March 19, 2024
This article, co-authored by Tristan Jonckheer, Partner at Dentons, and Sebastian Spriggs, Director at FTI Consulting, recommends key steps to embed effective compliance and maintain a competitive advantage ahead of Operational Resilience regulation deadlines (download the PDF to access the full article).
Financial services regulators have made it clear that operational resilience is now viewed with the same importance as prudential resilience. Financial services firms should be taking action to comply with new regulatory requirements relating to operational resilience coming into effect across the UK and EU in Q1 2025. Are you doing enough to ensure compliance? Almost as importantly, are you maximising the opportunity to achieve a competitive advantage through operational resilience? If the answer to either of these questions is anything other than “yes”, there are steps you need to take now to change that.
Introduction
Operational resilience (“OR”) has been a key focus for global regulators in recent years. In the UK and European Union (“EU”), new OR regulations have been introduced. At the same time, regulators have readily applied sanctions to firms, and individuals, for failures in OR. The deadlines for full implementation of the new UK and EU regulations regarding OR — March 2025 for the UK and January 2025 for the EU — are fast approaching. By then, firms must have fully tested their OR measures and embedded the people, processes and structures to operationalise them.
Experience suggests that, while many firms have taken steps towards compliance, the majority are not going far enough in building OR into the fabric of their company. Some may not even have fully met the existing requirements, for example the UK requirement to define key OR parameters by March 2022.
This is concerning because operational disruptions harm consumers, firms and market integrity. Consumers cannot access essential services. Firms cannot serve their customers. Trust in markets can be undermined. What is more, sources of disruption to business operations are both proliferating and becoming more acute. While disruptive forces such as extreme weather, geopolitical events and pandemics are not new, today their impact has the potential to be far more severe because of climate change, globalisation and hyperconnectivity.
So why are some firms not yet taking OR seriously? Often, the problem is that they view it as a regulatory burden to be implemented through a “tick box” approach to compliance. This is bad business. It is far better to treat OR regulation as an opportunity to advance the interests of your customers and shareholders by avoiding disruptions, mitigating key risks and increasing process effectiveness.
Key Operational Resilience Regulations in the UK and EU
UK
The UK's Financial Conduct Authority (“FCA”), in partnership with the Bank of England (“BoE”) and Prudential Regulation Authority (“PRA”), finalised rules for OR in Policy Statement PS21/3 in March 2021. The Financial Services and Markets Act 2023 granted additional powers to regulate critical third-party suppliers to financial services firms, further enhancing focus on OR.
EU
The Digital Operational Resilience Act (“DORA”), effective January 2023, establishes a comprehensive framework aimed at strengthening the resilience of the EU financial sector against cyberattacks and other digital operational risks. DORA applies to a wide range of authorised financial entities and directly to information and communication technology (“ICT”) third-party service providers deemed critical.
Scope
UK
UK OR rules encompass a broad range of financial services firms, including banks, designated investment firms, insurance firms, electronic money institutions, payment institutions, and recognised account information service providers. FSMA 2023 also grants regulators the power to directly regulate critical third parties.
EU
DORA applies to authorised financial entities in the EU and directly to ICT third-party service providers deemed critical.
Key Requirements
UK
The UK’s OR rules entail identifying important business services, setting impact tolerances, establishing strategies, conducting mapping and scenario testing, and maintaining governance and communication.
EU
DORA focuses on ICT risk management, incident management and reporting, digital OR testing, third-party risk management, and information sharing.
Timing
Deadlines for full compliance are 31 March 2025 for the UK and 17 January 2025 for the EU. In the UK, firms should have identified important business services, set impact tolerances and started mapping and scenario testing by 31 March 2022. Firms are encouraged not to wait until the end of the transitional period to prepare for compliance but to make reasonable efforts during the transitional period to avoid breaching the rules.
How to Effectively Design and Integrate OR
It is important that firms embed OR into a company’s DNA and not just complete the minimum viable steps to execute a ‘tickbox’ exercise. So, what are the practical actions you can take now?
Define Accountability, Responsibility, and Governance for OR
Establish clear accountability and responsibility for operational resilience within the organisation. OR oversight should be structured effectively, with stakeholders such as the chief operating officer (typically for UK regulation) or the chief information officer (typically for EU regulation) playing pivotal roles. Business leaders responsible for delivering important business services must be engaged, ensuring a shared responsibility across the organisation. Effective governance and timely data are vital to supporting and controlling OR.
Optimise Your OR Organisational Model
Embed structures that promote good OR practices into business as usual. Allocate sufficient capacity to execute all OR activities, standardise activity across your organisation, and monitor activity completion. Organisational structures tend to vary on a continuum from centralised to hybrid to decentralised models. Each of these has specific benefits and challenges. A hybrid approach, combining centralised oversight with decentralised execution, may offer a balance between control, ownership and standardisation.
Align OR to Your Other Risk and Regulatory Frameworks
Design OR frameworks to align with existing risk and capital frameworks to streamline risk management processes, avoiding silos, reducing rework and enhancing overall risk awareness and response. Use of common artefacts, language and approach also promotes the vital interaction between OR and other functions such as business continuity and disaster recovery planning, cybersecurity, third-party risk management, operational risk management and change management.
Optimise Your Change Capability
Build the capability to monitor and improve steady-state operations while adapting to changing circumstances. Implement change and operational excellence methodologies to continuously adapt resources, processes, systems and frameworks. Emphasise continuous improvement based on lessons learned from testing, incidents and industry best practices.
Maximising Business Benefits from OR
Effective OR transcends compliance, offering numerous business advantages such as cost savings, resource optimisation, enhanced customer and investor confidence, competitive advantage, and brand enhancement. By embracing OR, firms can differentiate themselves in the market and safeguard their reputation and revenue streams.
Next Steps
OR has emerged as a critical ingredient for a successful business strategy, transcending its roots in risk management.
Effective OR is not just about surviving; it is about thriving in the face of adversity. By embracing OR, firms can enhance their service continuity, protect their reputation, maintain customer trust and ultimately gain a competitive edge.
Preparing for OR implementation requires clear vision from the board and concerted effort across all levels of the organisation. With deadlines looming, proactive engagement from management, business leaders and compliance professionals is essential to ensure compliance and realise maximum business benefits.
How Dentons and FTI Consulting Can Help
Dentons and FTI Consulting offer a range of services and tools to help firms develop OR capabilities. These services include reviews, templates, governance advice, audits, project management, and business transformation support. By leveraging these resources, firms can achieve compliance efficiently while gaining a competitive advantage in the market.
Together, Dentons and FTI Consulting can help you to achieve compliance with OR requirements quickly and efficiently, while at the same time delivering a tangible competitive advantage for your business.
This article is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content.
Authors: Tristan Jonckheer and Sebastian Spriggs
Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This document has been provided to you for information purposes only and you may not rely on this document. This publication is not designed to provide legal or other advice or give rise to a solicitor/client relationship and you should not take, or refrain from taking, action based on its content. Dentons does not have any duty, liability or responsibility whatsoever to you of any sort, whether in contract, tort (including negligence) or otherwise in respect of this document and Dentons does not accept any such duty, liability or responsibility. Specialist legal advice should be taken in relation to specific circumstances. You agree not to make any claim of any sort against Dentons in connection with this document. This information is provided to you on the basis you agree to keep it confidential. Dentons UK and Middle East LLP is a limited liability partnership registered in England and Wales under no. OC322045. It is authorised and regulated by the Solicitors Regulation Authority and the Law Society of Scotland. A list of its members is open for inspection at its registered office: One Fleet Place, London EC4M 7WS. Any reference to a "partner" means a person who is a partner, member, consultant or employee with equivalent standing and qualifications in one of Dentons' affiliates. Please see dentons.com for Legal Notices.