Insights

FCA insights

Questions for firms

Important business services (IBS)

• Inconsistency in firms identifying their IBS appropriately

• Need to look at all factors when identifying IBS. SYSC 15A.2.4 lists a minimum 13 different factors to be considered

• Rationale and justification for IBS should be documented in firms’ self-assessments

• Have there been any changes to your business model or the services you provide? And have these been considered from an operational resilience perspective?

• Have any changes impacted the minimum factors that would influence your identification of an IBS?

• Is your consideration of, and conclusion on, each of the minimum factors clearly documented?

• Does your self-assessment document provide enough information about the IBS you have selected / not selected and your reasons?

Impact tolerances

• Wide range of impact tolerances identified by firms with limited rationale – this should be documented in firms’ self-assessments

• Many firms setting time-bound tolerances – firms should consider other measures to complement this

• Impact tolerances differ from recovery time objectives (RTOs) which means the maximum time to recover the service. To avoid intolerable harm, processing must take place once the recovery of service is complete

• How well have you explained and justified the impact tolerances you have established? Does the Board understand clearly what has been set and why?
  
  
• Other than time-bound tolerances, what additional metrics have you considered or established, (eg numbers or types of customers or transactions affected)?
• Have you looked at the interaction between impact tolerances and RTOs? RTOs will typically need to be set well within impact tolerances

Mapping and third parties

• Mapping expected to have matured over time
• Where third parties support or deliver IBS and fail to remain within impact tolerance, this is still the responsibility of firms
  
  
• Relationships with third parties should be actively managed
  
  
• Detailed mapping should help firms to identify vulnerabilities

• Have there been any changes to people, processes, technology, facilities and information that need to be reflected in your mapping?
  
  
• Have all relevant third parties been captured in your mapping?
  
  
• Where you rely on third parties to provide an IBS, how well do you understand their people, processes, technology, facilities and information?~
  
  
• Have you established appropriate governance and controls around critical third-party relationships to manage these on an ongoing basis?
  
  
• Have you revisited your mapping to see if any new dependencies or vulnerabilities have emerged?

Scenario testing

• Firms should consider the five minimum scenarios in SYSC 15A.5.6
  
  
• Testing expected to have matured and become more sophisticated over time. Includes increasing the severity of disruption to fully understand the effectiveness of response and recovery plans and the severity at which the firm can no longer remain within impact tolerance
  
  
• Firms should mature the format and type of testing – evolve from judgement, desk-based scenario tests to a wider range of tests (eg penetration tests, disaster recovery / failover tests, simulations, lessons learned from real scenarios
  
  
• Testing should include third parties
  
  
• Should perform horizon scanning to develop understanding of new and emerging risks – this will inform testing

• Has the testing so far considered the minimum scenarios?
  
  
• Have you completed the testing plan originally established? And has this evolved and matured over time, including testing against greater levels of severity?
  
  
• Have you performed different types of tests, including live simulations?
  
  
• To what extent has your testing involved third parties?

Vulnerabilities and remediation

• Vulnerabilities identified early in transition period should have been remediated (or significantly progressed) and re-tested to verify that vulnerabilities have been resolved
  
  
• Remediation plans should be approved, fully-funded and governed
  
  
• As mapping and scenario testing matures, vulnerabilities should be reviewed regularly. Any new vulnerabilities should be remediated

• Have you addressed any vulnerabilities identified from the testing to date?
  
  
• Have you re-tested these vulnerabilities and used different scenarios or severities to prove the vulnerability has been remediated?
  
  
• Are there any remaining vulnerabilities? And do you have an approved and fully-funded remediation plan? What is the governance that ensures completion by March 2025?

Response and recovery plans

• Response plans are important as they can buy time for recovery plans to complete and may help to avoid breaching impact tolerance
  
  
• There is limited testing of response plans

• Do you have response plans setting out your initial reaction to an operational incident?
  
  
• Does your response plan consider management actions / decision-making and the necessary communications?
  
  
• Have you tested your response plan?

Governance and self-assessment

• Self-assessment must include minimum requirements in SYSC 15A.6.1 and detail firms’ journeys to operational resilience
  
  
• Expected to mature and develop over time
  
  
• From a governance perspective, firms must provide sufficient information and justifications on the determinations, decisions and plans to ensure continued resilience. This allows governing body members to understand firms’ positions and roadmaps to resilience
  
  
• Should highlight any concerns and document the remediation work needed

• Is your self-assessment up to date and does it contain the minimum requirements?
  
  
• Does the self-assessment reflect the journey (eg from March 2021 to date), and the actions the firm has taken to improve its operational resilience?
  
  
• Is the self-assessment clear and does it provide sufficient information to inform your Board?
  
  
• Has your self-assessment been subject to any assurance (eg from internal audit or external parties)?
  
  
• Does your self-assessment provide a realistic view of any remaining vulnerabilities and the actions you need to take?

Embedding operational resilience

• Requirement to be operationally resilient is not a ‘one and done’ activity or seen as a tick-box regulatory compliance – it should be embedded into overall firm culture
  
  
• Should be embedded into firms’ ERM frameworks, including change management and strategic planning
  
  
• As part of BAU, firms should be reviewing IBS, impact tolerances and mapping regularly (at least annually or if there is a material change to  business or market) – as well as regular testing

• Is consideration of operational resilience sufficiently prominent, eg part of Board and management discussions and decision-making? Is it front of mind?
  
  
• How have operational resilience risks been incorporated into your ERM framework, risk registers, etc?
  
  
• Is operational resilience given sufficient consideration in strategic planning and change activities?
  
  
• Have you implemented a regular cycle of reviewing and testing your operational resilience?