5 insights to prepare for the 31 March Operational Resilience & Risk Requirements deadline
Financial services firms are busy making final preparations for the 31 March Prudential Regulation Authority (Bank of England) deadline for new requirements on operational resilience, third party risk management, and outsourcing.
We recently hosted a webinar to discuss implementation of the Supervisory Statements SS1/21 and SS2/21 requirements, the challenges, and the opportunities. It attracted an audience of over 120 professionals across financial institutions. The distinguished panel included representatives from the PRA, HSBC, PwC, and UBS, as well as our own experts.
Here are five key insights from the webinar (with attribution removed in accordance with the Chatham House Rule) to help firms prepare for the deadline.
Key insights on PRA SS1/21 and SS2/21
1. Operational resilience requires firms to identify important business services and the third parties that support them, set impact tolerances, map those services, and test them. Mapping entire business flows (front, middle, and back office) may be required wherever those flows support important business services. Teams often find success adopting a cross-functional approach; silo-based thinking, in which business verticals plan by themselves, is counterproductive to meeting the requirements.
2. In implementing operational resilience requirements, firms should adopt their customers' perspective across offerings and operations and understand how third parties support customer activities. At some organizations, this mindset may never have been applied firmwide. The work done for operational resilience can yield added benefits in unlocking value for customers and improving their experience.
3. Robust third-party risk management and operational resilience work should not be a box-ticking exercise. For instance, firms should assess the materiality of all their third-party arrangements and implement appropriate controls based on those materiality assessments, rather than focusing 'unduly' on whether a given third-party arrangement meets the regulatory definition of 'outsourcing'. Likewise, firms should approach their business continuity and exit plans as genuine, practical mechanisms to prepare for, respond to and recover from operational disruption, rather than as mere regulatory compliance exercises. Whilst the guidelines and regulations are fairly prescriptive, they are also explicitly outcomes-focused and risk-based. Firms should ensure they take a risk-based approach to adoption and remain focused on outcomes rather than tasks.
4. Firms typically have existing systems and teams in place across a range of risk areas, including cyber, information security, business continuity and financial crime. It is vital to leverage existing culture, structures and initiatives when building out operational resilience, rather than build something new. Programs should continue to evolve after 31 March; this is not a 'one and done' initiative. Programs should also accommodate local and regional requirements.
5. Third-party risk management professionals are difficult to find and retain. Against this background and the growing requirements, the industry recognized that firms must work together to adopt community- and technology-driven approaches and standards, including shared assessment offerings. Managed services can also be part of the solution.
How KY3P® by IHS Markit can help
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers that specialize in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third party risk management program, while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.
S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.