David Bailey, PRA’s Executive Director responsible for Deposit Takers Supervision, has given a speech at the UK Finance Webinar “Operational Resilience and Beyond”. In his introduction, Mr Bailey noted the number of challenges (such as the Covid pandemic and war in Ukraine) likely to impact on firms’ operational resilience and thanked UK Finance (“UKF“) for its engagement with PRA in its development of its operational resilience policy (the “Policy“) and ‘Roadmap’ since PRA’s initial discussion paper in 2018.
In recapping the Policy he highlighted that PRA expects firms to:
- identify their ‘important business services’ (“IBS“);
- set impact tolerances for these IBS; and
- perform mapping and testing exercises to ensure they can demonstrate their ability to remain within their impact tolerances.
The first two of these tasks should have been completed by firms by March 2022.
The impression of PRA is that firms have generally made good progress in identifying their IBS. However, it is noted that the level of granularity applied has varied widely between firms. PRA acknowledged that such divergence was to be expected, but reiterated the key points from the Policy which should guide firms’ approaches.
In respect of impact tolerances, PRA expressed concern that some IBS that have been submitted omit an impact tolerance for ‘safety and soundness’ or ‘financial stability’. It expects these gaps to be addressed as a matter of priority. PRA will focus on challenging firms on their impact tolerances during its supervisory reviews.
Overall, PRA is pleased but is of the view that significant progress will still need to be made for all firms to meet the deadline at the end of March 2025 for the full implementation of their operational resilience mapping and testing frameworks.
Looking forwards, PRA’s approach to supervision and engagement with firms will be further developed as the PRA reviews firms’ submissions in greater detail. PRA flagged that firm’s should also be aware of the potential impact of (i) the Bank of England’s Cyber Stress Test and (ii) the work that it is undertaking alongside FCA and PRA with HM Treasury on potential ways to address the risks posed by Critical Third Parties inform thinking on operational resilience.