Operational Resilience: Impact Tolerance for Important Business Services

After completing this reading, you should be able to:

  • Describe an impact tolerance; explain best practices and potential benefits for establishing the impact tolerance for a business service.
  • Provide and explain criteria that firms should use to determine their important business services.
  • Explain tools and processes, including mapping and scenario testing, that financial institutions should use to improve their operational resilience and remain within their impact tolerance.
  • Describe the governance of an operational resilience policy, including the relationships between operational resilience and a firm’s risk appetite, impact tolerance, continuity planning, and outsourcing to third-party providers.

Impact Tolerance, Best Practices, and Potential Benefits

A Brief Background

In the past few years, there has been a lot of effort to promote operational resilience among financial institutions around the world. Most of the proposals have been designed to improve the operational resilience of firms and financial market infrastructures (FMIs) and to protect consumers, the wider financial sector, and the economy from the impact of operational disruptions. The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (‘the Bank’), which are collectively termed ‘the supervisory authorities’, have all been at the forefront of these efforts.

In 2018, the supervisory authorities published a joint Discussion Paper on Operational Resilience that set out an approach to operational resilience. The paper marked the start of large-scale consultations among stakeholders that ultimately led to a formal policy document. The goal of these policies is to ensure that firms and FMIs improve their operational resilience so that they are able to respond effectively if a disruption does occur. This chapter summarizes the key policy proposals.

What is Impact Tolerance?

One of the key policy proposals revolves around the need for firms and FMIs to identify important business services. According to the PRA, here’s the definition of an important business service:

A service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:

  • (where the firm is an O-SII/where the firm is a relevant Solvency II firm) the stability of the UK financial system;
  • the firm’s safety and soundness; or
  • (for Solvency II firms) an appropriate degree of protection for those who are or may become the firm’s policyholders.

The FCA has a differently worded definition, which goes as follows:

A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:

  • cause intolerable levels of harm to any one or more of the firm’s clients; or
  • pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets.

Impact tolerance refers to the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption. By setting impact tolerances, firms are able to determine the point at which intolerable harm occurs to consumers or a risk is posed to the orderly functioning of the financial markets. Thus, by anticipating scenarios in which harm may occur, firms can operate within their impact tolerances. This approach is premised on the idea that setting impact tolerances helps boards and senior management prepare for inevitable disruptions regardless of their likelihood, instead of merely trying to minimize the probability of disruptions. In addition to protecting consumers, it also ensures the market’s overall resilience.

Figure 1: An Illustration of Impact Tolerance

Best Practices

For PRA-FCA Dual-Regulated Firms, the following are the best practices for impact tolerance:

  • In cases where a business service is defined as an important business service under both PRA and FCA rules, the firm should apply separate impact tolerances that reflect the objectives of the two supervisory authorities.
  • Whenever appropriate, a firm may set its PRA impact tolerance for a given important business service at the same point as its FCA impact tolerance, or vice versa.
  • Businesses and FMIs need to understand how long a disruption to an important business service can be tolerated, or a point in time beyond which the disruption cannot be tolerated.
  • Firms and FMIs should identify specific metrics for the maximum level of disruption that can be tolerated. These measures should identify any threat to consumers, market participants, market integrity, policyholder protection, safety and soundness, and financial stability.
  • A firm’s impact tolerance should reflect the fluctuations in demand for the important business service during different times of the day and throughout the year, and should be set with appropriate reference to the periods when the service has its highest demand.
  • To ensure the continuity of business services, it is necessary for firms to plan around a time-based metric and to ensure contingency plans are in place to limit the extent of disruption. In some scenarios, however, firms can also consider other metrics depending on the type of the important business service in question. Examples include the level of customer complaints or the volume of interrupted transactions.
  • Every firm should review its impact tolerances at least once a year or whenever there is a material change to its operations or the market in which it operates.

Criteria That Firms Should Use to Determine Their Important Business Services

To nurture a culture of operational resilience marked by strict adherence to impact tolerance levels and accountability, firms and FMIs must first identify their important business services. An important business service is one that is provided by the firm, or by a third party on its behalf, to its clients. Crucially, this excludes internal functions, such as human resources or payroll. The FCA and PRA argue that if internal services were to be defined as important business services on a standalone basis, this would effectively expand the coverage of this policy, and the importance of external services could be reduced.

Below are some general considerations that could help firms identify their important business services:

  • It should be clearly identifiable as a standalone business service and not a collection of services. For example, the use of ATMs to withdraw cash or the provision of online banking are separate services, any of which could constitute an important business service. However, packaged bank accounts that provide a bundle of services – such as breakdown cover, mobile, and travel insurance, and preferential rate overdrafts – constitute a collection of services.
  • Users of the service should be clear and identifiable so that the impacts of a disruption (e.g., a cyber event) are clear.
  • The service must be capable of having an impact tolerance set against it.

Tools and Processes Financial Institutions Can Use to Improve Their Operational Resilience

As part of the policy, firms and FMIs must set and implement operational resilience standards that are consistent with the public interest as represented by supervisory authorities’ objectives. Firms and FMIs should focus on their important business services and ensure they have the ability to remain within impact tolerances in severe but plausible (or extreme) scenarios. To stay within their impact tolerances, firms will be required to map the resources, people, processes, technology, and facilities required to deliver important services, regardless of whether they rely on third parties to provide these services.

Mapping

In the context of operational resilience, mapping is the process by which a firm or FMI develops a holistic view of the systems and processes that support its business services, including those systems and processes that it does not control directly. It involves identifying and documenting the people, processes, technology, facilities, and information (referred to as resources) required to deliver each important business service. In their proposals, the supervisory authorities state that mapping will allow firms and FMIs to understand how their key business services are delivered and how a disruption might come about. According to the proposals, firms and FMIs are expected to map only their important business services rather than all business services.

Mapping should have the following outcomes:

  • Help identify vulnerabilities in the delivery of important business services;
  • Take action to remedy vulnerabilities as appropriate; and
  • Test a firm’s ability to remain within impact tolerances.

For example, mapping can help reveal whether there’s resource concentration risk where the firm relies too much on a single resource. It could also highlight business areas with limited substitutability of resources or single points of failure. However, the supervisory authorities stop short of prescribing a mapping methodology for all firms. Instead, firms are encouraged to develop their own methodology based on their specific needs and document their mapping according to their size, scale, and complexity.

Scenario Testing

The purpose of scenario testing is to evaluate whether a firm or FMI can remain within its impact tolerance for each of its important business services in the event of a severe (or extreme in the case of an FMI) but plausible disruption. If a firm conducts scenario testing, it should identify a variety of adverse circumstances of varying nature, severity, and duration that are relevant to the firm’s business and risk profile and identify the risks that these circumstances pose to the delivery of the firm’s important business services. When preparing severe/extreme but plausible scenarios, firms and FMIs may consider past incidents or near misses within the organization, across the financial sector, as well as in other sectors and jurisdictions.

It should be noted that impact tolerances assume a disruption has occurred. In light of this, scenario testing should not be focused on preventing incidents from occurring or determining the likelihood of an incident occurring. Rather, the focus should be on what must be done to continue the delivery of an important business service, assuming a disruption has occurred.

The Governance of an Operational Resilience Policy

Operational resilience must be integrated into a firm’s risk management and business continuity processes in order to ensure its effectiveness. A key role for the board and senior management is to direct, evaluate, and monitor this operational resilience framework. For the best results, governance arrangements and reporting lines need to be given adequate consideration by firms. For example, firms might wish to consider whether their operational resilience strategy should be an initiative led by the risk management team or by the IT department.

Boards of Directors

Each firm’s board is specifically responsible for approving the key business services identified and establishing impact tolerances for each of them. Firms’ boards have to approve and regularly review their important business services, impact tolerances, and self-assessments. While board members need not be technical experts on operational resilience, the PRA expects them to have access to adequate management information. Additionally, boards should possess sufficient knowledge, skills, and experience that will enable them to issue constructive challenges to senior management and help them make decisions that will positively impact operational resilience. Currently, many requirements exist for a firm’s governance of operational resilience. Boards of directors and senior managers also have personal and collective responsibilities and accountability requirements. The supervisory authorities expect firms and FMIs to continue to meet their obligations under these existing requirements.

Senior Management

All firms’ senior management should be aware of their responsibilities and accountability, according to good practices in general governance and the Senior Managers and Certification Regime (SM&CR). Clearly defining the roles and responsibilities for managing operational resilience is a key aspect of this process. Using existing committees or establishing new ones as necessary, firms should structure oversight of operational resilience in a way that is appropriate and effective for their businesses. There must be a clear delegation of responsibilities when people and systems are involved in supporting an important business service.

Operational Resilience vs. Risk Appetite

Impact tolerance differs from risk appetite in that it assumes that a particular risk has crystallized instead of considering its likelihood and impact. The ability to remain within a firm’s impact tolerance increases its ability to withstand severe but plausible disruptions, but firms are likely to exceed their risk appetites in these scenarios. Impact tolerances are set based solely on the implications for financial stability, safety and soundness, and, in the case of insurers, the level of protection of policyholders. Defining the board’s risk appetite and impact tolerance can create better risk oversight and will help senior management know what the board expects of them in terms of business and strategic decisions. As a result, management would be encouraged to take more risks and allocate resources in a more effective, risk-proportional manner, ensuring the best return on investment possible.

The heat map presented below depicts impact and likelihood levels, where the Y-axis represents the impact scale and the X-axis, the likelihood scale.

Figure 2: Risk Appetite and Tolerance Heat Map

Green, yellow, and red illustrate the firm’s appetite towards disruption at different levels of impact and likelihood.

  • Green is within the firm’s risk appetite;
  • Yellow is outside of the firm’s risk appetite; and
  • Red is significantly outside of the firm’s risk appetite.

The impact tolerance line assumes disruption has occurred, so it is indifferent to likelihood. The green, yellow, and red zones are not related to the impact tolerance.

Operational Resilience vs. Continuity Planning

According to the PRA, banks should have “adequate contingency and business continuity plans” to ensure that they can continue to operate in the event of a severe interruption. Similarly, an insurer must take reasonable measures to ensure continuity and regularity in the conduct of its activities, including developing contingency plans. By incorporating these requirements and the PRA’s operational resilience policy, firms can enhance their response and recovery capabilities.

Operational Resilience vs. Outsourcing to Third-Party Providers

According to the PRA, when firms outsource functions to third parties, they remain responsible for those functions. According to the PRA’s operational resilience policy, firms should be operationally resilient irrespective of how they utilize outsourcing and third-party services. Firms must ensure that their ability to deliver their important business services within their impact tolerances isn’t compromised by partnering with external providers or other entities within their group.
