December 05, 2019 / 03:41PM / By Megan Butler
Header Image Credit: TISA
Being a speech by Megan Butler,
Executive Director of Supervision: Investment, Wholesale and Specialist, FCA, delivered at TISA's
Operational Resilience Forum, London on December 05, 2019.
On 5 December 2019, the FCA, PRA and Bank of England published their joint Consultation Papers on Operational Resilience. The proposals develop and expand on the ideas set out in their 2018 Discussion Paper.

The proposals set requirements and expectations for firms and financial market infrastructure (FMI) to identify their important business services by considering how disruption to the business services they provide can have impacts beyond their own commercial interests; to set a tolerance for disruption for each important business service; and to ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe but plausible scenarios.

The proposals also include requirements to map and test important business services to identify vulnerabilities in their operational resilience and drive change where it is needed.

The consultation closes on 3 April 2020.
I am delighted to have been invited to give the keynote address today, especially as today is the day we, the PRA and the Bank of England have published our much-anticipated Consultation Papers on Operational Resilience.

I would like to set out what we have collectively been working on in order to build a more resilient financial system.

While I hope you will all read the details of the proposals for yourselves, I'd like to focus your minds today on the outcomes we are seeking from this consultation.

Our intention is to bring about change in how the industry thinks about operational resilience - a shift in mindset as it were - informed and driven by the public

It is fair to say there have been a number of cyber-attacks over the past three years which have shown that it is more important than ever to remain vigilant against cyber adversaries, from the Eurofins attacks to the data breaches affecting Ticketmaster and Tesco Bank.

But it is not just the external threat we need to be vigilant against. The disruption resulting from TSB's IT upgrade served as an important reminder that our organisations need to be resilient to a far wider range of potential operational issues than cyber-attacks alone.

It is for this reason that we have published the Consultation Papers. They pick up where the joint discussion paper left off.

Our starting point is the premise that operational disruptions happen.

We want to dispel the belief, which many firms hold, that we expect them to stop all operational disruptions altogether. We understand these happen.

The outcomes we are seeking are more focussed on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most, even in the event of severe operational disruptions.

Let me unpack that a bit further.
Definition of Operational Resilience

We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.

As this was in our discussion paper, hopefully this does not come as a surprise!

Since our discussion paper, we have had a significant amount of engagement with industry, from roundtables, operational resilience panels and numerous speeches, and of course the responses to the Discussion Paper itself.

Respondents supported our approach of focussing on the delivery of important business services as a way of strengthening operational resilience, which shows that we are all on the same page.

We have considered the feedback we received on the Discussion Paper and we've provided more detailed explanations and definitions of the main concepts, such as important business services, setting impact tolerances and taking actions to remain within impact tolerances.

We also took on board feedback in terms of scope.

The proposals in these Consultation Papers will apply to banks, building societies, Prudential Regulation Authority (PRA) designated investment firms, Solvency II firms, Recognised Investment Exchanges, Enhanced scope Senior Managers & Certification Regime (SM&CR) firms, and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) and Electronic Money Regulations 2011 (EMRs 2011).

As we lay out in our consultation, we want firms to build operational resilience because we believe it is in the public interest to do so.

Our definition of operational resilience also helps clear up the uncertainty we often see between operational risk and operational resilience.

Operational risk is, as the name suggests, a risk.

Risk management is a process which results in acceptance, mitigation or avoidance of risk, and of course a commensurate level of financial resources, both capital and liquidity, to manage this.

But risk management is not infallible. In risk management, you can assume harm will occur and still be comfortable so long as you are able to stay within your agreed risk appetite.

Operational resilience on the other hand is an outcome. It is a step change, where we expect you to be forward looking and making decisions today that help prevent
Outcomes we are seeking

The proposals in the Consultation Papers make it clear that we expect you to understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market.

We are confident that as a result of firms applying these concepts, customers will be better served by more resilient firms.

This is why the proposals require firms to consider the impact of operational disruption with reference to each authority's public interest objectives.

Operational resilience is not about protecting the reputation of your firms or the reputation of the industry as a whole. It is about preventing operational incidents from impacting consumers, financial markets and the UK financial system.

We will not accept operational failures that - but for a lack of sufficient contingency planning - see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase, or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money.

Let me put this in other terms.

Do you remember the power blackout in August of this year?

The cause of the disruption was lightning striking a high-voltage transmission line near Bedford. This caused two generators to trip out. Around one million customers were affected across most regions of England. The risk of serious harm was real. Passengers were stranded on trains, and Ipswich hospital and Newcastle airport lost power.

Two generators tripping off the system at once is apparently exceptional, and the safeguards worked largely as they should. But the fact remains - a routine lightning strike knocked two providers offline. Priority services such as an airport were badly hit by the supply cut.

It took a major incident for unforeseen vulnerabilities to be exposed.

Translating this example into financial services, we know that currently a high impact but low probability risk event like this may not be given enough focus at firms. As a result, when the unexpected happens, firms are not prepared and cannot achieve good consumer outcomes. As I have already mentioned, the concepts in the Consultation Papers must be applied in relation to creating good outcomes for consumers, financial markets and the UK financial system.

This is not new. These outcomes are core to the FCA Mission, and our public statements in response to TSB are a reminder of this.

We have been clear that we were dissatisfied with TSB's initial communications to customers. In the Consultation Papers, we explain that we will expect firms to have effective internal and external communication plans to reduce harm when things do go wrong.
What will we ask?

We will be asking your Chairs and CEOs what strategic decisions and investment choices they are making to build operational resilience and to maintain the supply of important business services in the event of a major incident, or, as we say in the Consultation Papers, 'a severe, but plausible, scenario'.

Given the definition of operational resilience, and our intended outcomes, we will look for the following:

First, firms should identify their important business services and map successful delivery back to the key underlying resources,

Second, they should test their ability to withstand a severe event with reference to an impact tolerance, and

Third, they should use the test results to identify resilience gaps - and make investment choices that increase their ability to provide these important business services - even when severe disruptive events happen.

Let me take each of these in turn.

We propose that firms should identify and document the resources that deliver and support their important business services. This is called mapping.

When we launched the discussion paper, we referred to the increasingly interconnected and technology-driven operating environment.

We are concerned that these complex interdependencies increase the likelihood of a major disruptive event spreading quickly.

This could be the failure of a shared piece of connectivity used in wholesale markets or loss of access to a major cloud provider.

The types of solution we might expect to see more of include joined up engagement with these important suppliers by the authorised firms that rely on them, to properly understand those suppliers' resilience arrangements.

Take the example of the Ipswich Hospital I mentioned earlier.

When I read some of the media coverage of the national power outage, it was interesting to see how Ipswich hospital dealt with the situation when a circuit breaker failed to work and its own back-up generators did not kick in.

It was reported that staff enacted contingency plans and calmly managed the situation during the 15-minute loss of electricity - a response that kept patients reassured and unharmed.

This example serves to illustrate how important it is to test contingency plans rather than wait for a crisis to see if everything will actually work. The hospital had clearly thought about the impact of the event on their services to their patients as it unfolded, and the response they delivered ultimately kept

This takes me on to impact tolerances, which means the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a
I would also like to make it absolutely clear that identifying your firm's maximum tolerable level of disruption to an important business service - from a public interest perspective - should produce a threshold that is quite different to your established risk appetite and risk tolerance metrics.

In simpler terms, this means that impact tolerance is not a recovery time objective or a recovery point objective.

When you read the Consultation Papers, you will see that an impact tolerance and a recovery time objective exist in the same risk universe, but they are very different measures. The latter is very much a time bound metric that does not consider a wider range of factors such as potential harm to consumers and the

This is not a box ticking exercise.

It is not about what you are willing to, or think you can, 'get away with', because you think the worst is unlikely to happen. We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.

We know the industry is still working through what we mean by "impact tolerance". Let me illustrate how we think about this with an example.

In 2016, cyber attackers netted 2.26 million pounds by exploiting vulnerabilities at Tesco Bank, causing harm to the current account customers who saw money leaving their accounts. Following the attack, Tesco Bank did put in place a comprehensive redress programme and customers were compensated.

Had the firm mapped the systems and processes that support its current account service and tested whether it could continue to protect consumers from harm in the scenario it was faced with, it would have identified the vulnerabilities it had and could have taken steps to increase resilience.

This is why we care; we want customers protected by actions you can take now.

Impact tolerance requires firms to think about services from the perspective of their consumers, as well as the wider UK financial system and financial markets.

And this brings me to the purpose of testing.

Testing your ability to remain within your impact tolerance, during a severe event, is likely to reveal gaps and weak points in the resources that support delivery of the important business service.

Done properly, testing your ability to remain within your impact tolerance should lead firms to take actions that make a real difference to your operational

In the Consultation Papers, we go further than we did in the Discussion Paper and explain that where these gaps are identified we expect firms to take actions to ensure they can remain within their impact tolerances.

Firms cannot 'game the system' by setting an excessively high impact tolerance that you know will never require you to take additional steps. When it comes to supervising firms, you can expect this to be an area where we will pay close

We know that firms currently focus on the recovery of systems that support business services. There has been less focus on limiting the wider impact of disruption on end-users, and even less focus on achieving continuity of supply of the affected business service during disruption.

And if risk appetite is only set in line with corporate strategic objectives, which are inevitably anchored to profitability and cost reduction, this can work against achieving the continuity of supply of an important business service.

A few firms have asked us what an 'important business service' actually is.

Let me make it simple.

A business service is a service provided by a firm or FMI to an external end user.

A business service becomes an 'important business service' where a disruption to the provision of the service could cause intolerable harm to consumers or market participants, or to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. It could threaten policyholder protection, safety and soundness, or financial stability.

Some respondents to the discussion paper asked us to help them by publishing a list of important business services. We have not done this.

We believe firms are best-placed to determine their most important business

While we have not been prescriptive in this regard, we have provided guidance as to how to go about identifying an important business service.
Why now? Why more rules?

You may be asking yourselves, 'why now? Operational resilience has been a priority for the regulatory community for years, and if there is nothing wrong with current regulations, why the move to more rules?'

Rules can help to give clarity around our expectations on operational resilience, but this is also about a cultural change. Where possible we will build on existing policies and rules, placing them within a clear and consistent framework.

The proposed new requirements we are consulting on sit alongside established operational risk management practices. They are not replacing risk management.

We believe that, in the public interest, a resilient financial system should always aim to supply its important business services with minimal interruption, even during severe operational events.

It is the resilience outcome that's most important to the supervisory authorities, not simply a firm's ability to demonstrate compliance.

I want to stress that this is not just an industry change. Aligning our supervisory approach and strategy towards continuity of business services necessitates a review of our approach to overseeing the industry too.

Elements of our existing approach, such as reviewing the effectiveness of firms' governance, will continue to be an important component in assessing firms' operational resilience capability.

And in line with good standards of general governance and the Senior Managers & Certification Regime - which is about to be extended to all firms - every Senior Manager should know what they are responsible and accountable for. This includes the need for firms to establish clear lines of responsibility for the management of operational resilience.

The Consultation Process

Events like this one today provide a welcome opportunity to get our message out to a wider audience. And as we progress our work on operational resilience, we are keen to seek your views.

This is a joint undertaking - by both the UK financial authorities and the UK financial sector. The positive response to our discussion paper is evidence that our interests are aligned on this most crucial of issues, and that we should be working together to create a more resilient financial sector.

The consultation will be open for four months and close on 3 April 2020.

During that time, we'll continue to engage with industry and the wider public on the proposals. You'll see us talking about the consultation at more events and you can expect this to remain a key focus for the FCA in the future.

Once the consultation closes, and following consideration of the responses and feedback we receive, we will publish a Policy Statement in which you'll see our response to your feedback alongside our final rules. We expect this to be towards the second half of 2020.

I encourage you all to read, discuss and respond to the joint Consultation Papers. This is your chance to influence how we work together with all the entities we supervise to build a resilient financial system.

Thank you very much for letting me use today to launch the consultation.