Customer Logins

Obtain the data you need to make the most informed decisions by accessing our extensive portfolio of information, analytics, and expertise. Sign in to the product or service center of your choice.

Customer Logins

5 insights to prepare for the 31 March Operational Resilience & Risk Requirements deadline

03 March 2022 Will Kendal

Financial services firms are busy making final preparations for the 31 March Prudential Regulation Authority (Bank of England) deadline for new requirements on operational resilience, third party risk management, and outsourcing.

We recently hosted a webinar to discuss implementation of Supervisory Statement (SS1/21 and SS2/21) requirements, the challenges, and the opportunities. It attracted an audience of over 120 professionals across financial institutions. The distinguished panel included representatives from the PRA, HSBC, PwC, and UBS, as well as our own experts.

Here are five key insights from the webinar (removing attribution in accordance with the Chatham House Rule) to help firms prepare for the deadline.

Key insights on PRA SS1/21 and SS2/21
1. Operational resilience requires firms to identify important business services and relevant third parties, set impact tolerances, map, and test. Mapping entire business flows (front, middle, and back office) may be a requirement if they support important business services. Teams often find success adopting a cross-functional approach. Silo-based thinking, in which business verticals plan by themselves, is counterproductive to meeting requirements.

2. In implementing operational resilience requirements, firms should adopt their customer's perspective across offerings and operations and understand how third parties support customer activities. At some organizations, this mindset may never have been applied firmwide. The work done for operational resilience can yield added benefits in unlocking value for customers and improving their experience.

3. Robust third-party risk management and operational resilience work should not be a box-ticking exercise. For instance, firms should assess the materiality of all their third-party arrangements and implement appropriate controls based on these materiality assessments, rather than focusing 'unduly' on whether a given third-party arrangement meets the regulatory definition of 'outsourcing' or not. Likewise, firms should approach their business continuity and exit plans as genuine, practical mechanisms to prepare, respond to and recover from operational disruption rather than as mere regulatory compliance exercises. Whilst the guidelines/regulations are fairly prescriptive, they are also explicitly outcomes-focused and risk-based. Firms should ensure they take a risk-based approach to adoption and remain focused on outcomes rather than tasks.

4. Firms typically have existing systems and teams in place across a range of risk areas, including cyber, information security, business continuity and financial crime. It is vital to leverage existing culture, structures and initiatives when building out operational resilience, rather than build something new. Programs should continue to evolve post March 31; this is not a 'one and done' initiative. Programs should accommodate local/regional requirements.

5. Third-party risk management professionals are difficult to find and retain. Against this background and the growing requirements, the industry recognized that firms must work together to adopt community and technology-driven approaches and standards, including shared assessment offerings. Managed services can also be part of the solution.

How KY3P® by IHS Markit can help
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers that specialize in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third party risk management program, while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.

Posted 03 March 2022 by Will Kendal, Director, Product Management, KY3P, S&P Global Market Intelligence

IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.


Follow Us

{"items" : [ {"name":"share","enabled":true,"desc":"<strong>Share</strong>","mobdesc":"Share","options":[ {"name":"facebook","url":"","enabled":true},{"name":"twitter","url":"","enabled":true},{"name":"linkedin","url":"","enabled":true},{"name":"email","url":"?subject=5 insights to prepare for the 31 March Operational Resilience & Risk Requirements deadline | IHS Markit &","enabled":true},{"name":"whatsapp","url":"","enabled":true}]}, {"name":"rtt","enabled":true,"mobdesc":"Top"} ]}
Filter Sort