Boosting your operational resilience

Operational resilience refers to the capacity of firms, the financial market, sector and infrastructures to prevent, adapt to, respond to, recover and learn from operational disruptions.

Technology resilience remains one of the major challenges facing businesses and yet boards typically receive very little assurance that management understands the vulnerabilities that exist, the quality of the arrangements in place and whether testing is effective.

The Financial Conduct Authority (FCA) and Bank of England consistently review firms’ operational resilience and expect reasonable steps to be taken to ensure they comply with their ever-evolving regulatory obligations.

Under the FCA’s operational resilience rules policy (introduced in March 2021), many businesses and corporations have to comply and document their operational resilience by 31 March 2025. These include:

• Banks
• Building societies
• PRA-designated investment firms
• Insurers
• Recognised investment exchanges
• Enhanced scope senior managers and certification regime firms
• Entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011
• Consolidated tape providers

Our risk advisory team and operational resilience specialists are experienced in advising on business continuity and disaster recovery. Our in-depth knowledge of operational resilience, in particular the FCA regulations for the financial sector, enable us to navigate the complexity of operational resilience rules and requirements.

The division has worked with a wide range of organisations providing:

Evaluating all critical services to ensure that all end-to-end dependencies have been identified; looking at recovery time objectives (RTOs) for all vulnerability scenarios (security attack, natural disaster, single points of failure, infrastructure weaknesses, data centre disruption, third party dependencies, data corruption, reliance on telecoms or digital platforms, people risks, premises and critical IT processes).

An in-depth assessment of the security and resilience plans in place against the vulnerability assessment and established good practice.

Reviewing how management monitors and predicts emerging performance issues across IT infrastructure. We look at whether the assurance provided to the board and senior management is appropriate, informative, robust and timely.