This week saw the long-awaited publication* of the regulatory authorities’ policy changes to drive greater levels of operational resilience into the financial services sector and better mitigate the impact on customers of future events such as the one at TSB, covered in an earlier post.
It’s important to note that regulators acknowledge that incidents will still happen, but if the impact on customers and the wider financial sector can be better contained, then this will be a big step forward. It will also start to align the efforts already practised for financial resilience with operational disruptions and move us closer to achieving broader, organisational resilience outcomes.
Identifying important business services and setting impact tolerances are two key requirements introduced by the regulations; both require an external perspective in terms of understanding the harm that customers can experience when critical services are not available or are substantially impaired, as well as the cascading effect of disruptions at one institution on the wider financial sector. These considerations complement traditional concerns of customer experience, increased costs and longer-term reputation impact.
Naturally, the regulators want to avoid firms regularly exceeding impact tolerances during disruptions. To understand before the event whether they would be likely to exceed these limits, firms need to identify severe but plausible scenarios and test their business services against them. Where a scenario causes the service’s impact tolerance to be breached, the vulnerabilities identified in the underpinning processes or resources need to be addressed and investments made to ensure that the overall business service can operate within its impact tolerance.
The timescales set out for complying with the regulations would be pretty demanding from a cold start, especially given investment cycles in larger firms. There are only four years from publication of the new rules this week to reach the position of being able to demonstrate the capability to operate within impact tolerances in 2025.
While some of the changes may seem daunting, a lot of the elements that require better orchestration and optimisation under these new rules are already in place, whether business continuity management, IT resilience, operational risk management, supply chain management or cyber security practices. The regulatory agenda actually provides an opportunity to put operational resilience on a new footing with a fully engaged senior management, driving better business outcomes.
* FCA’s Building Operational Resilience Policy Statement 21/3, as an example.