In its recent discussion paper ‘Building the UK financial sector’s operational resilience’ the Prudential Regulation Authority (PRA) sets out its expectations for how UK financial services businesses should achieve the required level of service resilience. This discussion paper, which is likely to form the basis of future legislation, makes it clear that the regulator expects UK financial services companies to ‘step up to the plate’ when it comes to ensuring their services can withstand ‘severe but plausible’ shocks.
The PRA has identified several key factors that should guide companies’ thinking on service resilience. The most significant of these are set out in this article, with some thoughts on how companies might prepare for the forthcoming legislation.
Focus on Critical Business Services and end-to-end customer journeys, rather than component systems, technologies and teams.
The PRA observes that the critical resilience factor is how well the service delivered to customers can withstand shocks. From this standpoint, the robustness or fragility of individual systems and component processes is of secondary importance. The regulator is asking organisations to demonstrate that – whatever happens to these individual components – the service provided to customers will remain within pre-set quality and performance parameters (‘Impact Tolerances’).
Complying with this stipulation requires companies to identify the business services that are critical to their operations (and to the smooth running of the UK financial system) and to have processes in place to routinely test the performance of these critical end-to-end services against ‘severe but plausible’ scenarios. The PRA does not specify what sort of scenarios it has in mind, but these will almost certainly include cyber and ransomware attacks, unexpected system or network outages, and the failure of outsourced or cloud services delivered by third parties (for example Amazon, Google or Microsoft).
The regulator expects companies to keep detailed records of these tests, so that the scenarios tested against, the results of those tests and the subsequent action taken are all available for inspection. Because end-to-end testing cuts across systems and teams, this may require an organisation to rethink its testing practices and to adjust its organisational structure so that the effort is properly co-ordinated.
Map Critical Business Services to the underlying IT systems.
Naturally, the PRA will expect organisations to ensure that their IT systems are robust, and able to withstand a wide range of internal and external shocks. However, the latest guidelines make it clear that, by itself, this is not sufficient to deliver a satisfactory level of service resilience. Instead, organisations should assume that their systems will fail and assess the impact that these system failures will have on their critical business services. The regulator suggests that organisations should approach this challenge by creating detailed maps showing how individual systems combine to deliver each end-to-end service. These maps should allow organisations to identify the key system performance characteristics that affect service resilience and to target system improvements where they will have the greatest positive effect on the resilience of the service overall.
Creating these maps to an appropriate level of detail typically requires modelling techniques that can evaluate a wide variety of demand and capacity scenarios, rather than a static diagram. Once companies have identified the business services that are critical to their business, they should create an initial design for these ‘resilience maps’ and ensure they remain accurate as service demands and system capacities change over time.
Set Impact Tolerances
The PRA is considering whether ‘companies should be required to set metrics that describe an intolerable level of disruption to their most important business services in a severe but plausible stress scenario’. These metrics – or impact tolerances – would apply to the provision of the business service as opposed to the systems and process that support it.
This is clearly a sensible strategy for any business, and for UK financial companies it may have several benefits. The PRA suggests that these impact tolerances could help businesses to ‘prioritise investment and resource allocation’ – a coded reference to its desire to see boards directing IT investment into the areas that have the biggest positive effect on resilience. The PRA also indicates that impact tolerances will ‘provide a focus for supervisory engagement’. In other words, we can anticipate that future supervisory activities will expect to see that impact tolerances are in use, that organisations are testing them against realistic (‘severe but plausible’) scenarios, and that the test results are used by the board to direct IT investment.
It remains to be seen how assiduously the PRA will implement this approach, but given that this is sound business practice in any event, UK banks and financial services companies should consider putting impact tolerances in place for all their critical business services, if they have not already done so.
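The two ideas above – a resilience map of the systems behind a critical business service, and an impact tolerance expressed as a metric on that service – fit together naturally as a scenario test. The following is an added illustration written for this article, not material from the PRA paper: a constructed ‘Payments’ service is mapped as tiers of interchangeable components (each tier needs a minimum number of members up, which is how capacity is modelled), each component carries an assumed recovery time, and a set of ‘severe but plausible’ scenarios is run against a tolerance of 60 minutes of outage. All component names, recovery times, scenarios and the tolerance are hypothetical. The point it shows that the prose does not is that a service can survive the loss of a whole data centre yet still breach its tolerance through one slow-to-recover third-party dependency, which is exactly what a board would want a resilience map to surface.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    recovery_minutes: int  # assumed time to restore or replace this component


@dataclass(frozen=True)
class Tier:
    """A set of interchangeable components; the tier delivers if at least
    `needed` members are up (needed > 1 models a capacity requirement)."""
    name: str
    members: Tuple[str, ...]
    needed: int = 1


@dataclass(frozen=True)
class Service:
    name: str
    tolerance_minutes: int      # impact tolerance: maximum tolerable outage
    tiers: Tuple[Tier, ...]     # every tier must deliver for the service to deliver


def tier_outage(tier: Tier, components: Dict[str, Component], failed: Iterable[str]) -> int:
    """Minutes until the tier is back above its `needed` threshold (0 if it never dropped below)."""
    failed = set(failed)
    up = [m for m in tier.members if m not in failed]
    if len(up) >= tier.needed:
        return 0
    shortfall = tier.needed - len(up)
    # Recover the fastest components first; the tier is back when the shortfall is covered.
    times = sorted(components[m].recovery_minutes for m in tier.members if m in failed)
    return times[shortfall - 1]


def evaluate(service: Service, components: Dict[str, Component], failed: Iterable[str]) -> dict:
    """Run one scenario: tiers recover in parallel, so service outage is the slowest tier."""
    failed = set(failed)
    missing = {m for t in service.tiers for m in t.members} - set(components)
    if missing:
        raise ValueError(f"resilience map references unknown components: {sorted(missing)}")
    per_tier = {t.name: tier_outage(t, components, failed) for t in service.tiers}
    outage = max(per_tier.values())
    return {
        "outage_minutes": outage,
        "failed_tiers": sorted(n for n, m in per_tier.items() if m > 0),
        "within_tolerance": outage <= service.tolerance_minutes,
    }


def single_points_of_failure(service: Service, components: Dict[str, Component]) -> List[str]:
    """Components whose loss on its own would breach the impact tolerance."""
    names = {m for t in service.tiers for m in t.members}
    return sorted(n for n in names if not evaluate(service, components, {n})["within_tolerance"])


# Constructed resilience map (hypothetical names and recovery times).
COMPONENTS = {c.name: c for c in [
    Component("web-1", 15), Component("web-2", 15),
    Component("app-1", 20), Component("app-2", 20), Component("app-3", 30),
    Component("db-primary", 240),   # full rebuild
    Component("db-replica", 30),    # promote replica
    Component("gateway-api", 90),   # third-party payment gateway, contractual restore time
]}

PAYMENTS = Service("Payments", tolerance_minutes=60, tiers=(
    Tier("web", ("web-1", "web-2")),
    Tier("app", ("app-1", "app-2", "app-3"), needed=2),   # two nodes needed for peak demand
    Tier("database", ("db-primary", "db-replica")),
    Tier("gateway", ("gateway-api",)),
))

# Constructed 'severe but plausible' scenarios.
SCENARIOS = {
    "Single web node": {"web-1"},
    "Data centre A loss": {"web-1", "app-1", "db-primary"},
    "Ransomware on two app nodes": {"app-1", "app-2"},
    "Third-party gateway outage": {"gateway-api"},
}


def run_scenarios() -> Dict[str, dict]:
    return {name: evaluate(PAYMENTS, COMPONENTS, failed) for name, failed in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:30} outage={result['outage_minutes']:3d} min  within tolerance={result['within_tolerance']}")
    print("single points of failure:", single_points_of_failure(PAYMENTS, COMPONENTS))
```

Run as written, the data centre loss scenario stays within tolerance (every tier still has enough members), the two-node ransomware scenario costs 20 minutes, and the gateway outage breaches the 60-minute tolerance because the only path to the third party takes 90 minutes to restore; the single-point-of-failure check names gateway-api directly. The same structure records what was tested, the result, and what needs investment, which is the evidence the regulator says it will look for.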
What’s next?
It is likely that future legislation will enshrine the PRA’s current guidelines in UK law. In our view, the changes proposed by the PRA make good sense and represent a sound approach to improving the resilience of the UK financial services sector. The changes that companies will need to make will take time to implement, so work on them should not be delayed.