Operational resilience: what is SS1/21 and how can firms comply?


The 31st March 2022 marked the day that the UK’s new operational resilience rules (SS1/21) came into force, and the start of a three-year transition period for financial services.

In March 2021, the UK’s Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) issued Operational Resilience: Impact Tolerances for Important Business (SS1/21) alongside Supervisory Statement (SS2/21). The new rules presented by these statements require financial services firms to set out plans for “severe but plausible risks” for events and activities connected to important business services.

The new rules took effect on 31 March 2022, and the regulators have made clear that firms are not expected to have completed the full mapping and testing exercises by that date. There is, however, a regulatory expectation that firms will present a plan setting out how they will remain within their impact tolerances by 31 March 2025. Following the Covid-19 pandemic, businesses have been forced to consider operational strategies for black swan events. The idea of stability and ‘BAU’ has, over the past few years, been called into question – operational resilience and planning are more important than ever.

But what do these new rules entail, and what are firms expected to do to meet regulatory obligations?

What is operational resilience for the purpose of SS1/21?

Operational resilience is a commonly used term within financial services – commonly used but not so frequently defined. For SS1/21, operational resilience “refers to the ability of firms, their groups, and the financial sector as a whole to prevent, adapt to, respond to, recover from and learn from operational disruptions”.

For the PRA, its understanding of operational resilience is rooted in the assumption that “from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period”.

Who does SS1/21 apply to?

The policies apply to financial institutions that fall within the remit of the three regulating authorities – the FCA, the BoE and the PRA. This means banks, building societies, designated investment firms, insurers etc. It also encapsulates entities authorised or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Broadly speaking, it covers the gamut of financial institutions.

What are ‘important business services’ for SS1/21?

SS1/21 rules ask firms to assess the risks that are connected to important business services. This seems vague – aren’t all functions a firm performs important? For guidance, firms should look at existing definitions issued by the FCA and PRA.

SS1/21 says that important business services are “the services a firm provides which, if disrupted, could pose a risk to a firm’s safety and soundness or, if a firm meets the criteria set out in the Operational Resilience Parts, the financial stability of the UK”.

Insurers should also look at services whose disruption would pose a risk to policyholder protection.

How can firms comply with SS1/21?

Unlike many in-force dates, the regulatory bodies have taken a more flexible approach with SS1/21. This means that, while it came into effect on 31 March 2022, that date is not ‘D-Day’: firms are given time to put the full suite of requirements into effect.

Understand what you’re working with

Once a firm has established that the rules apply to it, and has identified its important business services, it should be in a position to begin ‘Mapping’. Mapping, for the purposes of SS1/21, essentially asks firms to identify the people, processes, technology, facilities and information needed to deliver each important business service. In essence, this is a process of knowing who and what is needed to conduct important activities. It puts firms on a good footing to identify vulnerabilities and to test their ability to remain within their impact tolerances, which we’ll get on to.

Know your limits – prevention not remedy

SS1/21 obliges firms to set impact tolerances for their important business services – this essentially means knowing the limits to which a firm can be pushed, without ending in catastrophe.

An impact tolerance is defined as “the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics.” As such, SS1/21 requires firms to set their impact tolerances “at the point at which any further disruption to the important business service would pose a risk to the firm’s safety and soundness”.

Under the new obligations, firms should apply a tolerance limit for a disruption for each important business service. This is on a case-by-case basis, so each disruption should be addressed individually rather than on aggregate. These should be set using metrics of time and duration. Importantly, firms that are dual-regulated will need to identify and manage two impact tolerances:

  1. The first should be made at the point where there is harm caused to consumers or market integrity, thereby falling under the umbrella of the FCA.
  2. The second should be made where a firm’s safety and soundness is put at risk, with a material effect on financial stability.

Through the process of mapping and impact tolerance testing, regulators are expecting firms to work proactively to prevent a disaster scenario. This is not an exercise in learning how to remedy operations when disaster strikes, but instead in preparing for challenging scenarios and ensuring you can cope. With that in mind, where a vulnerability is found – or the limits of impact tolerances appear to be stretched – the regulators expect firms to act and put plans in place to manage the vulnerabilities.

Anticipate the worst-case scenario – remedy not prevention

Once the above three areas have been identified (important business services, mapping of resources and setting impact tolerances), firms will then need to regularly test their ability to remain within their impact tolerances in instances of “severe but plausible disruption scenarios”. Unlike identifying impact tolerances, here the PRA expects firms to “focus on recovery and response arrangements”, rather than on preventing incidents from happening.

In order to test a scenario effectively, firms will need to select an appropriate set of adverse circumstances and consider the risks they would pose to the firm’s ability to deliver important business services. Regulators expect firms to test using a suite of “severe but plausible scenarios”, but do not expect firms to cover every scenario that could occur ad infinitum. As a foundation, firms could use previous near-misses as a springboard for what could happen.

Governance and self-assessment

SS1/21 requires a high degree of board engagement, with regulators asking specifically that boards approve both important business services and impact tolerances that have been set for their firm. This isn’t ‘one and done’, but a continuous process of regular review and approval by the board. Board members should be equipped with the “adequate knowledge, skills and experience to provide constructive challenge to senior managers”, so while they are not expected to be experts, they should have “appropriate management information”. With reference to SMCR principles, it is expected that firms will establish clear accountability and responsibility trails for the management of operational resilience.

As well as ensuring good governance and accountability for operational resilience under SS1/21, firms will have to maintain an up-to-date self-assessment document, outlining how they are meeting their obligations and responsibilities – as well as the journey they took to get there.

What happens next?

The final rules came into force on 31 March 2022, which marks the beginning of a three-year transitional period that runs to 31 March 2025. While this is a lenient transition period, regulators expect firms to identify and remain within their impact tolerances as soon as is reasonably practicable. While there is no immediate urgency, firms should not rest on their laurels, as the FCA has made it clear that any firm that oversteps the three-year deadline will be in breach of FCA rules and will face enforcement action.
