Shortly before the holiday season in December 2019, the FCA, PRA, and the Bank of England published a joint policy summary as well as separate consultation papers on operational resilience (including changes to the FCA Handbook and PRA Rules and a new PRA Supervisory Statement). The proposals contain a new regulatory framework for operational resilience, requiring regulated firms to develop systems, processes and operations to ensure their ability to provide important business services in times of operational disruption. These proposals will require firms to mobilise resources and launch “top-of-the-house” implementation projects to meet new standards of operational resilience. Failure to implement would risk regulatory enforcement against the firm and senior managers.
The increased regulatory focus on operational resilience stems from a combination of factors, including: a shift in the way customers access financial services by using digital services; the use of new technologies to improve services; the significant negative impact of IT failures/incidents, with major incidents at RBS, TSB and Visa; and the introduction of new types of risk such as cyber security risk. Increased reliance on outsourcing, with its use of technological innovations and new methods of delivering business operations, has also made firms more vulnerable to disruption risk.