Publication Date: 2023-10-03 | Regulator: Bank of England (BOE) and Financial Conduct Authority (FCA)
Title: PS16/24 – Operational resilience: Critical third parties to the UK financial sector
Main Objective and Summary
PS16/24 – Operational resilience: Critical third parties to the UK financial sector sets out the final rules and supervisory expectations for Critical Third Parties (CTPs) to the UK financial sector. Its purpose is to establish a framework under which CTPs manage their operational risks and keep delivering the services on which firms, and through them the stability of the financial system, depend.
Summary of the Document
Regulatory Framework: The document outlines the regulatory requirements and expectations for CTPs, focusing on their operational risk and resilience. It aims to ensure that CTPs are equipped to handle disruptions and continue providing critical services to firms.
Fundamental Rules: The regulators set out six Fundamental Rules with which CTPs must comply. These articulate the essential behaviours expected of a CTP in support of the overall objective of maintaining operational resilience.
Operational Risk and Resilience Requirements: The document details specific operational risk and resilience requirements that CTPs must adhere to, including the need to identify, assess, and remediate vulnerabilities related to their information and technology assets.
Incident Reporting: It discusses the requirements for incident reporting, including the introduction of a voluntary incident notification template to facilitate efficient communication between CTPs and regulators.
Feedback and Adjustments: The document reflects on feedback received from stakeholders during the consultation process and outlines adjustments made to the proposed rules based on this feedback, including changes to reduce the compliance burden on CTPs.
Transitional Period: It acknowledges the need for a transitional period for CTPs to comply with the new requirements, recognizing that some may require new or enhanced processes to meet the expectations set forth.
Overall Objective: The overarching goal of the document is to enhance the resilience of CTPs, thereby contributing to the stability and confidence in the UK financial system.
Questions we asked our AI RIG (Regulatory Insights Generator)
What feedback did the regulators receive regarding the proposed standardised incident notification template for CTPs?
The feedback received by the regulators regarding the proposed standardised incident notification template for Critical Third Parties (CTPs) was mixed, reflecting a range of perspectives from respondents:
Support for the Standardised Incident Notification Template
Consistency in Reporting: Several respondents expressed support for the idea of a standardised incident notification template, highlighting that it could promote consistency in reporting across CTPs. This consistency would facilitate clearer communication and understanding of incidents among stakeholders, including regulators and affected firms.
Flexibility Considerations: Some respondents suggested that a voluntary template could strike a balance between promoting uniformity in reporting while allowing CTPs the flexibility to adapt their reports based on the specific nature of incidents.
Opposition to the Standardised Incident Notification Template
Concerns About Prescriptiveness: Conversely, a number of respondents opposed the implementation of a standardised template, arguing that it could be overly prescriptive. They expressed concerns that such a requirement might add to the extensive list of bespoke incident reporting obligations that many CTPs already face.
Impact on Multi-Jurisdictional Operations: Respondents noted that CTPs providing services in multiple jurisdictions and sectors might find a mandatory template particularly burdensome. The lack of a prescribed format was seen as beneficial, allowing CTPs to provide information in the most appropriate and digestible format for their firm customers and regulators based on the incident’s specifics.
Regulatory Response: Considering the feedback, the regulators decided to provide a voluntary incident reporting template in due course. This approach aims to balance the need for consistency in reporting with the flexibility that CTPs require to effectively communicate incident information.
Requirements for Critical Third Parties (CTPs)
The document outlines several specific requirements related to Operational Risk and Resilience that Critical Third Parties (CTPs) must comply with. These requirements are designed to ensure that CTPs maintain high standards of operational resilience and effectively manage risks associated with their systemic services, thereby contributing to the stability of the financial system. Below is a list of the key Operational Risk and Resilience Requirements mentioned:
Requirement 1: Governance: CTPs must establish a robust governance framework that clearly defines roles and responsibilities, ensuring accountability for operational resilience.
Requirement 2: Risk Management: CTPs are required to implement comprehensive risk management processes that identify, assess, and mitigate operational risks, including those related to technology and cyber resilience.
Requirement 3: Dependency and Supply Chain Risk Management: CTPs must identify and manage risks associated with dependencies on third parties and the wider supply chain, ensuring transparency and resilience in their service delivery.
Requirement 4: Technology and Cyber Resilience: CTPs are required to maintain resilience in their technology and cyber systems, addressing unique risks and ensuring that appropriate controls are in place.
Requirement 5: Incident Management: CTPs must set a maximum tolerable level of disruption for their systemic services and maintain a Financial Sector Incident Management Playbook to guide their response to incidents.
Requirement 6: Mapping: CTPs are required to map resources that are essential to the delivery of systemic third-party services, ensuring that all relevant resources are considered in their operational risk assessments.
Requirement 7: Testing and Scenario Analysis: CTPs must regularly conduct testing and scenario analysis to assess the effectiveness of their operational resilience measures and incident management capabilities.
Requirement 8: Termination of Services: CTPs are required to develop plans for the termination of services that align with the requirements for firms regarding outsourcing and third-party risk management.
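Requirements 3 and 6 above ask a CTP to map the resources behind each systemic third-party service and to know which Key Nth party providers it depends on, and Requirement 7 asks it to test severe but plausible scenarios against that map. The following is an added worked example, not text or code from PS16/24 and not any regulator's tool: a small Python dependency map over a constructed inventory. The resources, the dependency groups (a group with two members models redundancy, for example two data centres), the operator names (NetCo, KeyCo, IdCo) and the firms served are all hypothetical. It computes single points of failure, the exposure to each Nth party operator, and pairs of resources that are survivable alone but fatal together.

```python
"""Dependency map for a CTP's systemic third-party services.

Added worked example; the inventory below is constructed and hypothetical.
A service stays available while at least one resource in every one of its
dependency groups is up, so a group of two sites models site redundancy.
"""
from itertools import combinations

# Constructed resource inventory: resource -> operator.
# "ctp" means the CTP runs it itself; anything else is a Key Nth party provider.
OPERATOR = {
    "dc_london": "ctp",
    "dc_dublin": "ctp",
    "core_platform": "ctp",
    "dns_secondary": "ctp",        # self-hosted fallback DNS
    "dns_primary": "NetCo",        # hypothetical Nth party
    "hsm_service": "KeyCo",        # hypothetical Nth party
    "identity_provider": "IdCo",   # hypothetical Nth party
}

# Constructed service map: service -> (dependency groups, firms served).
SERVICES = {
    "payments_api": (
        [{"dc_london", "dc_dublin"}, {"dns_primary", "dns_secondary"},
         {"core_platform"}, {"identity_provider"}],
        {"BankA", "BankB", "BankC"},
    ),
    "custody_ledger": (
        [{"dc_london", "dc_dublin"}, {"hsm_service"}, {"core_platform"}],
        {"BankA", "FundD"},
    ),
    "regulatory_reporting": (
        [{"dc_london"}, {"identity_provider"}],
        {"BankB"},
    ),
}


def available(groups, failed):
    """A service is up only while every dependency group has a live resource."""
    return all(any(r not in failed for r in group) for group in groups)


def blast_radius(failed, services=SERVICES):
    """Services lost, and firms affected, when the given set of resources fails."""
    lost = sorted(name for name, (groups, _) in services.items()
                  if not available(groups, failed))
    firms = set()
    for name in lost:
        firms |= services[name][1]
    return lost, sorted(firms)


def all_resources(services):
    return {r for groups, _ in services.values() for g in groups for r in g}


def single_points_of_failure(services=SERVICES):
    """Resources whose loss on its own takes down at least one service."""
    result = {}
    for r in sorted(all_resources(services)):
        lost, firms = blast_radius({r}, services)
        if lost:
            result[r] = (lost, firms)
    return result


def nth_party_exposure(services=SERVICES, operator=OPERATOR):
    """Impact if everything run by a single Nth party operator fails at once."""
    result = {}
    for op in sorted({o for o in operator.values() if o != "ctp"}):
        owned = {r for r, o in operator.items() if o == op}
        result[op] = blast_radius(owned, services)
    return result


def joint_failures(services=SERVICES):
    """Pairs of resources that are survivable alone but fatal together.

    These are the correlated-failure scenarios a scenario-testing programme
    should cover, because neither resource shows up as a single point of failure.
    """
    spof = set(single_points_of_failure(services))
    survivable = sorted(all_resources(services) - spof)
    found = []
    for a, b in combinations(survivable, 2):
        lost, firms = blast_radius({a, b}, services)
        if lost:
            found.append(((a, b), lost, firms))
    return found


if __name__ == "__main__":
    for r, (lost, firms) in single_points_of_failure().items():
        print(f"SPOF {r}: services={lost} firms={firms}")
    for op, (lost, firms) in nth_party_exposure().items():
        print(f"Nth party {op}: services={lost} firms={firms}")
    for pair, lost, firms in joint_failures():
        print(f"joint failure {pair}: services={lost} firms={firms}")
```

Run on the constructed data, the map shows that core_platform and identity_provider are single points of failure for most firms, that NetCo on its own is not (its DNS is backed by the self-hosted secondary), and that the two DNS resources failing together would take payments_api down for every firm that uses it, a scenario that neither single-resource analysis nor a per-operator view would surface.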
The document outlines specific requirements related to self-assessment and information sharing for Critical Third Parties (CTPs). Below are the key requirements as mentioned:
Self-Assessment Requirements
Submission of Self-Assessments:
- CTPs are required to submit a written self-assessment to the regulators within three months of designation and annually thereafter. This self-assessment should provide a comprehensive evaluation of the CTP’s operational resilience and compliance with regulatory requirements.
Interim Self-Assessment:
- The first self-assessment submitted by a CTP is referred to as an “interim self-assessment.” This document serves as an initial diagnostic tool to help regulators understand the CTP’s ability to meet its duties at the time of designation and to identify areas that require prioritization in the early phase of oversight.
Content of Self-Assessments:
- While the regulators do not intend for the self-assessment to be a “tick box” exercise, they have set out common expectations for the content of interim and annual self-assessments. CTPs should include relevant information that reflects their operational resilience capabilities and compliance status.
Testing and Assurance:
- CTPs are expected to regularly test their ability to continue providing material services in severe but plausible scenarios (scenario testing). They must also annually test their financial sector incident management playbook in collaboration with a representative sample of the firms they provide services to.
Information Sharing Requirements
Sharing Self-Assessments with Customer Firms:
- CTPs must share information from their self-assessments with the firms they provide systemic third-party services to, so that customer firms receive relevant information about the CTP’s operational resilience and compliance status. The consultation proposed sharing a summary; the final policy requires the full annual self-assessment, as set out in the next point.
Full Annual Self-Assessment Sharing:
- The regulators have mandated that CTPs share their full annual self-assessment (with confidential or sensitive information redacted as appropriate) with the firms they provide systemic third-party services to. This requirement aims to ensure that firms receive consistent and comprehensive information regarding the CTP’s operational resilience.
Phased Approach to Incident Notifications:
- CTPs must notify regulators and the firms to which they provide impacted services about certain incidents. The document outlines a phased approach to these notifications, specifying the information that must be provided in each phase.
Feedback and Communication:
- CTPs are encouraged to maintain open lines of communication with regulators and customer firms regarding their operational resilience efforts and any incidents that may arise.
The requirements for Critical Third Parties (CTPs) regarding information-gathering and testing were set out in Chapter 6 of CP26/23, the consultation paper that preceded PS16/24. These requirements are designed to ensure that CTPs maintain operational resilience and are capable of providing their services effectively, even in adverse conditions. Below are the key requirements:
Information-Gathering Requirements
Self-Assessments: CTPs are required to submit a written self-assessment to the regulators within three months of their designation and annually thereafter. This self-assessment should evaluate their compliance with the operational risk and resilience requirements.
Information Sharing: CTPs must share a summary of the information contained in their self-assessments with the firms they provide systemic third-party services to. This is intended to ensure that firms receive relevant information about the CTP’s operational resilience.
Regular Testing: CTPs are expected to regularly test their ability to continue providing material services in severe but plausible scenarios. This includes conducting scenario testing to evaluate their operational resilience under stress conditions.
Incident Management Playbook Testing: CTPs are required to annually test their financial sector incident management playbook in collaboration with a representative sample of the firms they serve. This ensures that both the CTP and its clients are prepared to respond effectively to incidents.
Testing Requirements
Scenario Testing: CTPs must regularly conduct scenario testing to assess their operational capabilities and resilience. This involves simulating severe but plausible scenarios to evaluate how well they can maintain service delivery under stress.
Compliance with Skilled Person Reviews: CTPs are required to meet the expectations related to skilled person reviews. This means that they may be subject to independent assessments to evaluate their compliance with operational resilience requirements.
Notifications of Incidents: CTPs must notify the regulators and the firms to which they provide services about certain incidents. The notification process is phased, and CTPs are required to provide specific information at each phase of the incident notification.
The document outlines specific requirements related to notifications that Critical Third Parties (CTPs) must adhere to. These notification requirements are designed to enhance communication between CTPs, regulators, and affected firms, ensuring that all parties are informed and can take appropriate actions in response to incidents affecting operational resilience. Below are the key notification requirements specified:
Incident Notifications
Notification of Incidents: CTPs are required to notify the regulators and the firms to which they provide impacted services of certain incidents. This requirement ensures that all relevant parties are informed promptly about incidents that may affect service delivery.
Phased Approach to Notifications: The notification process is structured in a phased manner. CTPs must provide specific information in each phase of the incident notification, which allows for a systematic and organized response to incidents.
Content of Notifications: The notifications must include details about the nature and extent of the incident, its impact on the CTP’s operations, and any immediate actions taken to mitigate the incident. This information is crucial for regulators and affected firms to understand the situation and respond appropriately.
Intermediate Incident Reports: CTPs must submit intermediate incident reports that contain less granular information than initially proposed. The regulators have provided examples of the type of information that should be included to assist in understanding the incident’s nature and extent.
Final Incident Notifications: CTPs are required to submit final incident notifications that serve as a valuable source of lessons learned. These reports should include areas for improvement for affected firms in general, rather than specific recommendations for individual firms.
Other Notifications
Notification of Other Matters: CTPs must notify the regulators of other matters that could seriously and adversely impact their ability to deliver systemic third-party services or meet obligations under the CTP oversight regime. This requirement ensures that regulators are aware of any significant issues that may affect operational resilience.
Updates on Media Commentary: CTPs are expected to outline any steps taken or proposed to address misinformation and disinformation related to a CTP operational incident in mainstream or social media. This requirement aims to manage public perception and maintain trust.
General Considerations
Confidentiality and Sensitivity: CTPs must ensure that notifications do not disclose sensitive or confidential information that could pose security risks. The information shared should be relevant and necessary for the understanding of the incident’s impact.
What are the transitional timelines for implementing the policy?
The document specifies transitional timelines for implementing the policy related to Critical Third Parties (CTPs). Below are the key details regarding these timelines:
Implementation Date
Effective Date of Final Rules: The final rules for CTPs will take effect on January 1, 2025. This marks the date when the statutory obligations of a CTP under the Financial Services and Markets Act (FSMA), as well as the requirements in the regulators’ rules, will come into force.
Transitional Periods
Transitional Period for Compliance: Compliance with certain requirements in the regulators’ rules will be subject to a transitional period that begins from the date specified by HM Treasury (HMT) in the designation order. This transitional period is intended to allow CTPs adequate time to adjust their processes and systems to meet the new regulatory requirements.
Specific Requirements Subject to Transitional Period: Section 12 of the accompanying guidance document (SS6/24) lists the specific requirements that will be subject to a transitional period. This section outlines which aspects of the rules may require additional time for CTPs to implement effectively.
Initial Interaction with Regulators: The regulators will adopt a different approach in their interaction with CTPs during the first year following their designation. This initial phase will focus on understanding the CTP’s operations and assessing the key risks it poses to regulatory objectives, rather than conducting routine oversight.
Review of Contractual Arrangements: CTPs may need to amend their contractual arrangements with firms and their Key Nth party providers because of the new requirements. The guidance suggests that CTPs should review and update these agreements at the first appropriate contractual renewal or revision point following their designation.
How does the UK CTP oversight policy align with international standards?
The UK Critical Third Party (CTP) oversight policy is designed to align with international standards and promote interoperability with similar regulatory frameworks in other jurisdictions. Below are the key aspects of how the UK CTP oversight policy aligns with international standards:
Alignment with Global Standards
International Frameworks: The UK regulators have made efforts to leverage global standards such as the Basel Committee’s Principles for Operational Resilience and the Financial Stability Board (FSB) Toolkit for Third Party Risk Management. This alignment ensures that the UK CTP oversight regime is consistent with widely accepted international practices.
Interoperability with Non-UK Regimes: The regulators emphasize the importance of the CTP oversight regime being interoperable with similar non-UK regimes, particularly the oversight regime for critical information and communications technology (ICT) service providers under the EU’s Digital Operational Resilience Act (DORA). This interoperability is crucial for maintaining regulatory consistency and coordination across jurisdictions.
Consultation with International Counterparts: The UK regulators are actively engaging in dialogue with international counterparts to strengthen bilateral and multilateral cooperation in the area of CTP oversight. This collaboration aims to ensure that the UK’s approach is informed by global best practices and that it contributes to a cohesive international regulatory environment.
Addressing Systemic Risks
Focus on Systemic Risk: The CTP oversight policy addresses systemic risks that arise from the interconnectedness of financial services. The regulators recognise that the shared responsibility model, which divides responsibility for security and resilience between a service provider and each of its customers, does not account for the cumulative impact of a CTP’s failure across the many firms that depend on it. The requirements in the UK policy are designed to fill that gap with a framework for managing systemic risk.
Regulatory Consistency
Consistency with Other Regulatory Bodies: The CTP Fundamental Rules are modelled broadly on the Prudential Regulation Authority (PRA) Fundamental Rules and the Financial Conduct Authority (FCA) Principles for Businesses. This consistency helps to create a unified regulatory framework that aligns with the expectations set by other regulatory bodies, both domestically and internationally.
Feedback from Stakeholders
Incorporation of Stakeholder Feedback: The regulators have considered feedback from stakeholders on the importance of aligning the CTP oversight regime with international standards. This responsiveness reflects a commitment to a regulatory framework that is both effective and globally relevant.
What are actions the document is asking firms to take?
The document outlines several actions that firms, particularly those that receive systemic third-party services from Critical Third Parties (CTPs), are expected to take in order to comply with the new regulatory framework. Below are the key actions that firms are encouraged or required to undertake:
- Review and Update Contracts: Firms should review their contractual arrangements with CTPs to ensure that they are aligned with the new regulatory requirements. This includes updating contracts at the first appropriate renewal or revision point to reflect any changes necessitated by the CTP oversight regime.
- Participate in Incident Management Playbook Exercises: Firms are expected to take part in the annual incident management playbook exercises that CTPs must run with a representative sample of the firms they serve. These exercises test the effectiveness of the CTP’s incident management procedures and identify, jointly with the firms, where communication and support during an operational incident can be improved.
- Develop Business Continuity Plans: Firms should use the improved understanding of the CTP’s incident management procedures gained from these exercises to inform the development and testing of their own business continuity plans, ensuring that those plans are robust enough to manage the risks arising from the services the CTP provides.
- Mitigate Risks from CTP Failures: Firms are responsible for deciding what actions to take to mitigate risks that may arise from significant failings in the services provided by CTPs. This includes assessing the impact of any identified failings on their operational resilience and taking appropriate measures to address these risks.
- Engage in Information Sharing: Firms should engage in information sharing with CTPs to enhance mutual understanding of risks and operational dependencies. This collaboration is essential for effective risk management and operational resilience.
- Feedback on Incident Management Playbook: Firms are encouraged to provide feedback to CTPs following incident management playbook exercises. This feedback should focus on how to improve the CTP’s incident management procedures and overall service delivery.
- Monitor CTP Performance: Firms should actively monitor the performance of CTPs and assess their compliance with the new regulatory requirements. This includes evaluating the effectiveness of the CTP’s incident management playbook and other operational resilience measures.
- Stay Informed on Regulatory Changes: Firms must remain informed about any changes to the regulatory landscape that may affect their operations and relationships with CTPs. This includes understanding the implications of the CTP oversight regime and adapting their practices accordingly.
Any additional information firms should pay attention to?
Firms should pay attention to several additional pieces of information and considerations as they navigate the new regulatory landscape concerning Critical Third Parties (CTPs). Below are key areas of focus:
- Regulatory Expectations: Firms should familiarize themselves with the specific expectations outlined in the CTP oversight policy, including the Fundamental Rules and the associated supervisory expectations. Understanding these requirements will help firms align their internal processes with regulatory standards.
- Transparency and Cooperation: The regulators emphasize a “transparency by default” approach. Firms should be prepared to engage openly with CTPs and regulators, sharing relevant information that can aid in risk management and operational resilience. This includes being proactive in disclosing any issues or concerns related to CTP services.
- Incident Reporting Protocols: Firms should establish clear protocols for reporting incidents involving CTPs. This includes understanding the timelines and formats for reporting operational incidents to both the CTP and regulators, ensuring that they comply with the regulatory requirements for timely communication.
- Cost Implications: Firms should be aware of potential costs associated with compliance, including legal fees for updating contracts and the resources required for ongoing monitoring and assessment of CTP performance. Understanding these costs will help firms budget appropriately and manage financial impacts.
- Impact of CTP Failures: Firms need to assess the potential impact of CTP failures on their operations. This involves conducting risk assessments to identify vulnerabilities and developing contingency plans to mitigate the effects of service disruptions.
- Self-Assessment Requirements: Firms should prepare for the requirement to receive and review the annual self-assessment reports from CTPs. These reports will contain critical information about the CTP’s operational resilience and compliance status, and firms must ensure they understand the implications of the findings.
- Engagement with Auditors: Firms are encouraged to maintain regular communication with their internal and statutory auditors regarding CTP oversight. Auditors may provide valuable insights into the effectiveness of the firm’s risk management practices and compliance with regulatory requirements.
- Training and Awareness: Firms should invest in training and awareness programs for their staff regarding the new regulatory requirements and the importance of operational resilience. Ensuring that employees understand their roles in managing risks associated with CTPs is crucial for effective compliance.
- Monitoring Regulatory Developments: Firms should stay informed about ongoing regulatory developments and potential changes to the CTP oversight framework. This includes monitoring updates from regulators and participating in industry forums to share insights and best practices.
- Collaboration with Industry Peers: Engaging with industry peers can provide firms with valuable perspectives on best practices for managing relationships with CTPs. Collaboration can also facilitate the sharing of experiences and strategies for compliance with the new regulatory requirements.
Are there any amendments to existing regulations introduced in this document?
Yes, although these are changes to the draft rules and guidance consulted on in CP26/23 rather than amendments to pre-existing regulation. Below are the key changes made in the final policy:
- Renaming of Terms: The term “material services” has been renamed to “systemic third-party services” to better reflect the systemic risk posed by the potential disruption or failure of these services. This change aims to clarify the scope of services that fall under the regulatory framework.
- Clarification of the Shared Responsibility Model: The regulators have recognized the “shared responsibility model” in the supervisory statement (SS6/24) while also explaining its limitations in managing systemic risk. This clarification helps firms understand the boundaries of responsibility between CTPs and the firms they serve.
- Narrowing the Scope of Fundamental Rules: CTP Fundamental Rules 1-5 now apply only to the provision of “systemic third-party services” to firms, so that the more demanding rules are concentrated on the services whose disruption matters most to the financial system. Fundamental Rule 6 continues to apply to all services provided by a CTP.
- Proportionality in Requirements: The Operational Risk and Resilience Requirements have been amended, particularly Requirement 3 (Dependency and supply chain risk management). The most onerous requirements are now limited to “Key Nth party providers” and “Persons Connected to a CTP”, allowing for a more proportionate approach to risk management.
- Changes to Incident Management Requirements: The expectations regarding incident management have been revised. Specifically, the requirement for CTPs to consider the impact tolerances set by firms for important business services has been removed. CTPs are now allowed to use existing documented incident management policies instead of developing a bespoke playbook, provided these policies meet the specified outcomes.
- Amendments to Assurance and Information Sharing: The requirements on assurance, information-sharing, and self-assessment for CTPs have been amended to distinguish between different types of information and expectations. This aims to streamline the compliance process and clarify the information that needs to be shared with firms.
- Revised Definition of Disruption: The definition of “disruption” has been revised to apply only to a CTP’s provision of systemic third-party services to firms. This change aligns the definition with the scope of the regulators’ rules that impose significant obligations on CTPs.
- Removal of Disclosure Requirements for Vulnerabilities: Any requirement for CTPs to disclose unremedied vulnerabilities (in the cybersecurity sense) to regulators and firms has been removed; the duty described in the Operational Risk and Resilience Requirements to identify, assess and remediate such vulnerabilities remains. Where the draft rules used “vulnerability” in its ordinary-language sense, the wording now says “areas of improvement”, so that the term is reserved for its technical meaning and the ambiguity is avoided.
- Voluntary Incident Notification Templates: CTPs are now enabled to use voluntary incident notification templates, which will facilitate more efficient data analysis by regulators. This change is intended to improve the identification of emerging risks while allowing CTPs the flexibility to choose their notification approach.
- Cost-Benefit Analysis (CBA) Adjustments: The changes made to the draft rules and guidance have been assessed, and while they do not significantly alter the original cost-benefit analysis (CBA), they are expected to reduce the overall compliance burden on CTPs.
We then asked the RIG to auto-generate a suggested control framework and create an associated Policy...
Suggest a control framework for the firms to comply with this regulation?
To ensure compliance with the regulatory requirements outlined for Critical Third Parties (CTPs), firms should implement a robust control framework. This framework should encompass governance, risk management, compliance, and operational resilience. Below is a suggested control framework structured into key components:
Suggested Control Framework for Compliance
- Governance and Oversight
- Establish a Governance Structure:
- Create a dedicated committee responsible for overseeing CTP compliance, including representatives from risk management, compliance, IT, and operational teams.
- Define clear roles and responsibilities for all stakeholders involved in managing CTP relationships.
- Board Accountability:
- Ensure that the board of directors is informed about CTP risks and compliance status, and that they approve policies related to CTP oversight.
- Risk Management
- Risk Assessment:
- Conduct regular risk assessments to identify and evaluate risks associated with CTPs, including operational, financial, and reputational risks.
- Utilize a risk matrix to categorize risks based on their likelihood and impact.
- Dependency Mapping:
- Maintain an updated inventory of all CTPs and the services they provide, including an analysis of dependencies and criticality to business operations.
- Supply Chain Risk Management:
- Implement controls to assess and manage risks related to sub-contractors and third-party vendors within the CTP supply chain.
- Compliance Controls
- Policy Development:
- Develop and document comprehensive policies and procedures that align with regulatory requirements, including incident management, reporting, and information sharing.
- Training and Awareness:
- Provide regular training sessions for employees on regulatory requirements, compliance policies, and the importance of operational resilience.
- Monitoring and Reporting:
- Establish a monitoring system to track compliance with regulatory requirements and internal policies. This should include regular reporting to senior management and the board.
- Incident Management
- Incident Response Plan:
- Develop and maintain an incident response plan that outlines procedures for managing incidents involving CTPs, including communication protocols and escalation paths.
- Testing and Drills:
- Conduct regular incident management exercises and simulations to test the effectiveness of the response plan and identify areas for improvement.
- Feedback Mechanism:
- Implement a feedback mechanism to gather insights from incident management exercises and actual incidents, allowing for continuous improvement of the response plan.
- Information Sharing and Transparency
- Information Sharing Protocols:
- Establish protocols for sharing relevant information with CTPs and regulators, ensuring compliance with confidentiality and sensitivity considerations.
- Self-Assessment and Reporting:
- Obtain the annual self-assessments that CTPs must share with the firms they serve, and review them to understand the CTP’s compliance status and operational resilience.
- Audit and Assurance
- Internal Audits:
- Conduct regular internal audits of CTP compliance processes and controls to identify gaps and areas for improvement.
- External Assurance Reviews:
- Engage independent auditors to perform assurance reviews of CTPs, when necessary, particularly in response to significant incidents or compliance concerns.
- Continuous Improvement
- Review and Update Policies:
- Regularly review and update compliance policies and procedures to reflect changes in regulations, industry best practices, and lessons learned from incidents.
- Stakeholder Engagement:
- Foster ongoing communication with CTPs, regulators, and industry peers to stay informed about emerging risks and regulatory developments.
Write me a policy based on the operational risk and resilience requirements mentioned in the document?
Below is a policy template based on the operational risk and resilience requirements outlined in the document. It is written from the perspective of an organization that has been designated as a Critical Third Party (CTP) and is intended to align the organization's internal controls with the regulators' expectations.
Operational Risk and Resilience Policy
1. Policy Purpose
The purpose of this policy is to establish a framework for managing operational risks and ensuring resilience in the delivery of critical services provided by the organization as a Critical Third Party (CTP). This policy aims to align with regulatory requirements and best practices in operational risk management.
2. Scope
This policy applies to all employees, departments, and stakeholders involved in the management of operational risks and resilience related to the organization’s systemic third-party services. It encompasses all operational risk and resilience requirements as mandated by regulatory authorities.
3. Definitions
- Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.
- Operational Resilience: The ability of the organization to continue delivering critical services in the face of disruptions.
- Critical Third Party (CTP): A third party designated by HM Treasury as critical to the UK financial sector because a disruption to its services could threaten the stability of, or confidence in, the UK financial system. For the purposes of this policy, the CTP is the organization itself.
- Systemic Third-Party Services: Those services provided by the organization to financial sector firms that the regulators have identified as systemic. The requirements in this policy apply to these services and to the people, processes, technology, facilities and sub-contractors on which they depend.
4. Governance Structure
- The Board of Directors is responsible for overseeing the implementation of this policy and ensuring that operational risks are managed effectively.
- The Chief Risk Officer (CRO) shall be designated as the individual responsible for the oversight of operational risk and resilience efforts.
- A Risk Management Committee shall be established to monitor compliance with this policy and report to the Board.
5. Operational Risk Management
5.1 Risk Assessment
- The organization shall conduct regular assessments to identify and evaluate operational risks associated with its systemic third-party services.
- Risk assessments shall be documented and reviewed at least annually, with updates made as necessary.
5.2 Dependency Mapping
- The organization shall maintain an inventory of its systemic third-party services, the firms that receive them, and the resources (people, processes, technology, facilities, information and sub-contractors) on which each service depends, including interdependencies between services.
- Mapping exercises shall be conducted to identify the resources that are essential to delivering each systemic third-party service, so that single points of failure and concentration in sub-contractors can be identified and addressed.
6. Operational Resilience Requirements
6.1 Governance
- The organization shall establish a governance framework for managing operational risks and resilience, ensuring clear roles and responsibilities.
6.2 Risk Management
- A comprehensive risk management framework shall be implemented that covers all risks relevant to the delivery of systemic third-party services, including technology, cyber and supply chain (sub-contractor) risks.
6.3 Technology and Cyber Resilience
- The organization shall take reasonable steps to ensure the resilience of the technology that delivers, maintains, or supports its systemic third-party services, including identifying, assessing and remediating vulnerabilities in its information and technology assets.
- Conformance with recognized standards (e.g., ISO/IEC 27001 for information security management) may be used as evidence in the assurance process, but certification alone shall not be treated as demonstrating compliance with this policy or with the regulatory requirements.
6.4 Mapping
- Essential resources identified in mapping exercises shall be included in the operational resilience framework.
- The organization shall ensure that supporting services on which systemic third-party services depend, such as the domain name system (DNS), are included in the mapping and considered in resilience planning.
6.5 Incident Management
- An Incident Management Plan (IMP) shall be developed and maintained, outlining roles, responsibilities, and communication protocols during incidents.
- The IMP shall be regularly tested through scenario exercises and updated based on lessons learned.
7. Self-Assessment and Information Sharing
7.1 Self-Assessment Submission
- The organization shall submit a written self-assessment to regulators within three months of designation and annually thereafter.
- The self-assessment shall evaluate the organization’s operational resilience and compliance with regulatory requirements.
7.2 Information Sharing with Customer Firms
- A summary of each annual self-assessment shall be shared with the firms receiving systemic third-party services; where the full self-assessment is provided to customer firms, confidential information shall be redacted before release.
7.3 Incident Notifications
- The organization shall notify regulators and affected firms of significant incidents following a phased approach (an initial notification, intermediate updates as the incident develops, and a final report), providing the information required by the regulatory guidelines at each phase.
8. Monitoring and Reporting
- The organization shall establish monitoring mechanisms to track compliance with this policy.
- Regular reports shall be provided to senior management and the Board regarding operational risk and resilience status, including key performance indicators (KPIs).
9. Training and Awareness
- Training programs shall be implemented to ensure that all employees understand their roles in managing operational risks and resilience.
- Awareness campaigns shall promote a culture of resilience within the organization.
10. Review and Continuous Improvement
- This policy shall be reviewed at least annually to ensure alignment with regulatory changes and industry best practices.
- Mechanisms shall be established for incorporating lessons learned from incidents and exercises into the policy.
11. Compliance and Enforcement
- Non-compliance with this policy may result in disciplinary actions, up to and including termination of employment.
- Employees are encouraged to report non-compliance and any issues related to operational risk and resilience.
This Operational Risk and Resilience Policy provides a framework for the organization to manage operational risks and maintain resilience in the systemic third-party services it provides as a CTP. By adhering to this policy, the organization improves its ability to respond to disruptions and to safeguard the critical services on which its customer firms depend.