5 insights to prepare for the 31 March Operational Resilience & Risk Requirements deadline
Financial services firms are busy making final preparations for
the 31 March Prudential Regulation Authority (Bank of England)
deadline for new requirements on operational resilience, third
party risk management, and outsourcing.
We recently hosted a webinar to discuss implementation of Supervisory Statement (SS1/21 and SS2/21) requirements, the challenges, and the opportunities. It attracted an audience of over 120 professionals across financial institutions. The distinguished panel included representatives from the PRA, HSBC, PwC, and UBS, as well as our own experts.
Here are five key insights from the webinar (removing attribution in accordance with the Chatham House Rule) to help firms prepare for the deadline.
Key insights on PRA SS1/21 and SS2/21
1. Operational resilience requires firms to identify important business services and relevant third parties, set impact tolerances, map, and test. Mapping entire business flows (front, middle, and back office) may be a requirement if they support important business services. Teams often find success adopting a cross-functional approach. Silo-based thinking, in which business verticals plan by themselves, is counterproductive to meeting requirements.
2. In implementing operational resilience requirements, firms should adopt their customer's perspective across offerings and operations and understand how third parties support customer activities. At some organizations, this mindset may never have been applied firmwide. The work done for operational resilience can yield added benefits in unlocking value for customers and improving their experience.
3. Robust third-party risk management and operational resilience work should not be a box-ticking exercise. For instance, firms should assess the materiality of all their third-party arrangements and implement appropriate controls based on these materiality assessments, rather than focusing 'unduly' on whether a given third-party arrangement meets the regulatory definition of 'outsourcing' or not. Likewise, firms should approach their business continuity and exit plans as genuine, practical mechanisms to prepare, respond to and recover from operational disruption rather than as mere regulatory compliance exercises. Whilst the guidelines/regulations are fairly prescriptive, they are also explicitly outcomes-focused and risk-based. Firms should ensure they take a risk-based approach to adoption and remain focused on outcomes rather than tasks.
4. Firms typically have existing systems and teams in place across a range of risk areas, including cyber, information security, business continuity and financial crime. It is vital to leverage existing culture, structures and initiatives when building out operational resilience, rather than build something new. Programs should continue to evolve post March 31; this is not a 'one and done' initiative. Programs should accommodate local/regional requirements.
5. Third-party risk management professionals are difficult to find and retain. Against this background and the growing requirements, the industry recognized that firms must work together to adopt community and technology-driven approaches and standards, including shared assessment offerings. Managed services can also be part of the solution.
How KY3P® by IHS Markit can help
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers that specialize in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third party risk management program, while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.
IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.
- Portfolio risk management is evolving – how can your tech stack keep up?
- Australia dividends through the macroeconomy lens
- iBoxx GBP Monthly Commentary
- iBoxx EUR Index Monthly Commentary
- iBoxx ALBI Monthly Update: May 2022
- iBoxx SGD Monthly Update: May 2022
- iBoxx USD Asia ex-Japan Monthly Update: May 2022
- April 2022 Model Performance Report
Join our webinar on Thursday, 19 May as we explore the impact of sustained inflation on dividend payments in 2022… https://t.co/jUwPoVmJFw
Join our webinar next week in partnership with Supply Management Insider as the industry experts unveil the necessa… https://t.co/iibJIqHM00