The FCA assesses firms’ operational resilience capabilities against its Operational Resilience Framework, which “defines industry practices aligned to our existing rules and expectations.” As part of this framework, regulated entities are expected to consider how to provide “warnings or advice quickly to clients” should there be an operational incident, and to use effective methods to gather information about the cause, extent and impact of an operational incident. It is also important to ensure that the choice of communication method takes account of the circumstances, needs and vulnerabilities of your clients at any given time.
The first hurdle for firms can be deciding how to classify an incident: what is a material operational incident that affects operational resilience? To support this, setting out policies and procedures that grade incidents and define impact tolerances will help internal or external teams triage incidents and take the appropriate action. The FCA recommends performing mapping and testing on each business service to measure, and subsequently remain within, your set impact tolerances. Making appropriate investments to allow operational consistency and to measure the grade of impact and tolerance is strongly advised.
Identifying what within your business could, if disrupted, cause intolerable harm to your firm’s clients or risk to market integrity requires a robust IT infrastructure. The same applies to identifying harm to your firm’s own continued viability or an incident that could cause instability in the financial system. Material risk should not be considered only as an external threat; both intentional and accidental incidents within your own firm are just as relevant to your planning and should be identified as vulnerabilities in your operational resilience structuring.
Mapping and testing will help you to understand what vulnerabilities you have within your internal network. We are all aware that hybrid working has had a significant impact on the visibility and use of data, as well as on communication sprawl. Where non-visible, unauthorised channels of communication are being used, this could quickly lead to material harm for both individuals and firms. When people join from other firms, it is important that training is provided to ensure your entire team is aware of your firm’s policies and procedures, which are likely to differ from those of their previous employer. For example, internal use of unauthorised third-party platforms can lead to serious tracing issues if there is a data breach, so the ability to lock down access to file-sharing sites might be a key consideration for your firm.
If your firm is affected, the FCA requires an internal and external communications plan for when important business services are disrupted. This should cover how you will notify the relevant regulators, perhaps globally, and how you will notify your clients, vendors and other third-party organisations you work with, bearing in mind that some or all of your day-to-day communications channels could be compromised. Exercises that help you to identify, prioritise and manage your ability to respond to and recover from disruptions effectively are a good way to stress-test your procedures.
The FCA has created a broad operational resilience self-assessment questionnaire, called ORQUEST, to help firms understand their operational resilience capabilities, including their cyber capabilities. The document is designed to help you prepare self-assessment documentation that defines, on your own terms, where material operational risks are likely to occur within your firm, and your procedure for managing them and reporting them to the relevant authorities.
In the UK, the FCA and PRA have made incident response a core component of their operational resilience framework. In the US, the SEC has also taken recent steps to redefine expectations for appropriate incident response action. The same applies in the EU. The danger is that overlapping and inconsistent regimes will create unnecessary reporting burdens for financial entities implementing effective incident response regimes. Mapping and testing your network will support your regulatory requirements and allow you to optimise your operational processes.