The FCA’s operational resilience rules: identifying, documenting and testing your important business services

By Travis Bristow

The FCA wants financial sector firms to be more operationally resilient. To find out what this means for your business, take a look at our previous blog. A new set of regulatory rules to come into force in March 2022 is non-negotiable. The aims are laudable: to reduce risks to market integrity and harm to consumers. But getting there will require some major legwork from regulated organizations. The first step is to identify the “important business services” which the FCA wants to protect from “intolerable” disruption, in line with EU and other regulatory regimes.

Fortunately, BusinessOptix has the tools to help your organization identify, document, test and assess in order to accelerate compliance.

What happens first?

According to the FCA, it’s critical to treat each important business service separately and clearly identify its users. For example, online mortgage accounts and telephone mortgage banking are defined as two separate services. This is so tolerances can be defined, impact analysis performed and remedies designed.

There are several stages to work through:

  • Identify and document the people, process, technology, facilities and information necessary to deliver each important business service. If you outsource any of these services, your organization must still document the process or ensure the service provider has done so.
  • Perform scenario testing to assess your ability to remain within impact tolerance for each service, in the event of a severe but plausible operational disruption. Document all of these plans, the results of testing and any lessons learned.
  • Review these important business services and their documentation periodically and update if there are any material changes within 12 months of the last assessment. This also applies to scenario testing.
  • Compile a self-assessment document that provides the evidence you have completed the above stages and have the artefacts available.

How BusinessOptix can help

The good news is BusinessOptix is here to help. Our end-to-end process transformation platform offers standout capabilities to support compliance with the new FCA rules, including:

Process mining and process modelling to rapidly document current operations in case your operating procedure documentation has not kept pace with changes on the shop floor. Alternatively, it may be useful to create new views of current models to support the resilience analysis. This baseline documentation is stored in the platform and provides a dynamic copy of your real-life operations, which we call a digital twin.

Scenario modelling to deliver the FCA’s testing requirement by using process simulation tools. These can illustrate the impact of disruptions on various services and inform your lessons learned analysis. Improvements can be tested prior to roll-out to prove they will have the desired impact—particularly vital when the business service is delivered partly in-house and partly outsourced. It’s also a more cost-effective way to achieve compliance than running physical tests and disruption role plays.

Integration with your risk and controls register, so that your risk governance is in step with resilience analysis and key controls are maintained when those important business services are operating within and recovering from a disruption event.

Support for audits to prove compliance. Because all the information you need is in one place, it is far easier to perform these reviews. And because it reflects the reality of your operations (via the digital twin), it is far more accurate and up to date than any alternative methods. To recap, we store:

  • the documentation for your important business services, and the links to the source
  • the results of scenario testing
  • any changes that have been made to important business services
  • the processes for reviews and updates

Since Brexit, the UK is under no obligation to comply with DORA, the equivalent EU legislation for operational resilience. However, many firms operate both within the UK and the EU, and will therefore need to satisfy both regulatory regimes. So it makes sense to solve your operational resilience documentation in one place to satisfy multiple regulatory regimes.

BusinessOptix not only provides superior capabilities to do this; digital twin technology can also be the foundation for digital transformation efforts to drive ongoing success for your organization and value for customers.
