In March 2021, the U.K. PRA published Supervisory Statement (SS) 1/21, which sets out its expectations for the operational resilience of the financial institutions it supervises.
What is Operational Resilience?
Operational resilience refers to the ability of a financial institution to prevent, adapt, respond to, and recover from operational disruptions. These disruptions can be caused by a variety of factors, including cyber attacks, IT failures, natural disasters, and pandemics. Operational resilience is crucial for maintaining the stability of the financial system and protecting the interests of customers.
What are Impact Tolerances?
Impact tolerances are the maximum level of disruption that a financial institution can tolerate for each of its important business services (IBS). An IBS is a service that, if disrupted, could cause harm to customers, market integrity, or the stability of the financial system. Examples of IBSs include payment processing, lending, and trading.
What are the Expectations of SS1/21?
SS1/21 sets out the PRA's expectations for how financial institutions should identify their IBSs, set their impact tolerances, and test their resilience to operational disruptions. The key expectations of SS1/21 include:
* Identifying all IBSs and mapping their interdependencies
* Setting impact tolerances for each IBS based on the potential harm to customers, market integrity, or financial stability
* Developing and implementing plans to remain within impact tolerances during operational disruptions
* Testing the effectiveness of these plans through scenario testing and other means
* Reporting to the PRA on the institution's operational resilience and compliance with SS1/21
How Can Firms Comply with SS1/21?
Compliance with SS1/21 requires a significant amount of work and coordination across different departments within a financial institution. Firms must identify their IBSs, assess their dependencies, and set impact tolerances based on a range of factors. They must also develop and test plans for maintaining resilience during operational disruptions and report regularly to the PRA.
To comply with SS1/21, firms can follow a number of best practices, including:
* Establishing a dedicated operational resilience team
* Conducting regular risk assessments and scenario testing
* Investing in robust IT infrastructure and cyber security measures
* Developing clear communication and escalation protocols
* Regularly reviewing and updating impact tolerances and resilience plans
How Can Surety Help?
Managing the compliance obligations associated with regulatory change such as the obligations in SS1/21 can be overwhelming for compliance staff. This is where Surety comes in. Surety is a central compliance brain that helps firms to simplify the process of regulatory compliance. Our platform enables firms to align and assign their controls to the regulations that apply to them, and to easily evidence their compliance to regulators.
With Surety, firms can quickly spot regulatory overlaps and underlaps, report to stakeholders, and drive forward change projects by being fully informed. This gives firms the evidence and insights they need to successfully implement regulatory change projects or assess their impacts or exposures from new/changing regulation.
Compliance with SS1/21 can be a complex and time-consuming process, but with the right tools and systems in place, firms can ensure that they meet their regulatory obligations and avoid potential penalties.