Operational Resilience has been saved
Limited functionality available
Operational Resilience has been and should continue to remain a key priority for Internal Audit as firms work towards meeting regulatory expectations set by the FCA, PRA and Bank of England. Firms need to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025 and Internal Audit should play a key role in supporting and assuring progress over the transition period.
Focus should continue to be placed on the evolution of service mapping and scenario testing, relationships with third parties and how firms plan to embed and maintain Operational Resilience outcomes post-2025. This includes how resilience has been embedded within the risk and control environment, the effectiveness of management information (MI) reported to the Board (and sub-committees) and how operating models have been set up for long term success. Specifically, we are seeing firms re-evaluate organisational structures and operating models to enable capability groups to come together effectively to support the resilience and response capabilities of the firm. These focus areas are set out in the publication below.
Internal Audit should be mindful of the regulatory deadline during annual planning exercises and consider timelines for (1) audit scheduling and (2) development of management action plans. It is important to provide timely assessments to enable firms to incorporate and act on audit feedback. Any vulnerabilities that may impact the ability to meet regulatory requirements require prompt attention so that remediation plans can be developed and/ or accelerated where needed.
Firms in-scope of the Digital Operational Resilience Act (DORA) mandated by the European Union (EU) will also need to consider how the UK regulation interacts with the European framework. The DORA is EU-wide legislation that impacts financial service firms and ICT service providers to the FS industry with full application required by 17 January 2025. Whilst areas of the UK regulation are aligned with the DORA’s objectives, Internal Audit will also need to consider and be prepared to assess and support firms as expectations on resilience standards are increased. Internal Audit teams will have no regret in determining how their organisation will be impacted by the DORA, and how it differs from other, similar, resilience regulations and guidance to ensure that they can adequately check and challenge plans and programmes.
For more information on DORA, please visit:
The first key regulatory deadline has now passed as of 31 March 2022. Operational Resilience should remain a key priority and an area of focus for Internal Audit.
Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025.
Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key areas of focus and challenge for Boards and Senior Management over the next three years:
By holding both broad and deep organisational knowledge and a range of skillsets, Internal Audit functions can play a leading role in supporting firms to meet Operational Resilience expectations and continue to build confidence for the future. Internal Audit, as the third line of defence, has a role in providing independent, objective assurance that an organisations risk management, governance, and internal control environment are operating effectively, and Operational Resilience is no exception to this.
To date, Internal Audit has focussed on challenging management’s approach to Operational Resilience and to assess “readiness” against regulatory requirements. However, Internal Audit’s focus on Operational Resilience should continue to evolve, but certainly not in a manner which reduces continued involvement; If anything, a greater emphasis may be prudent over the coming three years, as many of the bigger challenges remain to be overcome.
Internal Audit will also be one of the best sources for the identification of vulnerabilities and required improvement activity, as a result of their historic work over key risk areas throughout the organisation. However, we have seen little evidence to date of previous Internal Audit findings being incorporated into Operational Resilience planning and vulnerability assessments.
The regulators are already playing an active hand in terms of direct engagement with Internal Audit functions, and we expect to see this continue over the remainder of the three-year transition period. The PRA recently confirmed in their Operational Resilience: Next steps on the PRA’s Supervisory roadmap − speech in April 2022 that Operational Resilience remains one of the regulators’ highest supervisory priorities currently.
It is expected that Internal Audit will already have identified Operational Resilience as important due to the long focus on this topic on the firm’s and the regulator’s agenda. As a result, it is expected Internal Audit have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. Indeed, the majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. There is a need to move from programme readiness assessments to broader engagement with the business including progress against management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario testing. Further details of which are included below.
Internal Audit’s primary focus to date has been to assess the firm’s Operational Readiness to meet the Operational Resilience requirements set out by the regulators. This may have included gap analysis against the policy statements and should have considered the documentation and evidence that supervisory authorities expected to be in place by this date:
Operational Resilience should remain a key area of focus on Internal Audit Plans following the effective date and remain a dedicated review at cyclical intervals in advance of the three-year transition deadline, during which time activities are expected to mature. An important decision for firms to make is how Operational Resilience thinking will be embedded across all reviews to ensure a ‘resilience by design’ culture and help to support resilience through change across the business. For example, when reviewing a capability or functional area, this should include assessing whether vulnerabilities have been adequately considered and how resilient related Important Business Services are. It may be appropriate for firms to consider this in a thematic review cycle or with any major change to the capability or functional area, depending on the size and complexity of their operational resilience programme.
Moving forward, the role of Internal Audit should move to more holistic, thematic based formats, challenging stakeholders over the validity and accuracy of outputs in line with changes in the external environment and maturing of the Operational Resilience Framework. Internal Audit should focus on:
At the heart of the response, financial services firms have needed to respond to the publication of the Operational Resilience Policy and Supervisory Statements by carrying out their work based on the following five step approach:
However, there are much wider implications for the successful adoption of this regulation. The right leadership, mindset, culture, and operating model are needed to make resiliency and a resilient framework embedded the organisation’s DNA and align functions and risk management systems, and these foundational elements underpinning the mechanistic interpretation of the methodology highlighted above will now come to the fore in the run up to 2025.
The regulators are looking for:
Internal Audit has an important role to play in the development of firm’s framework over the next three years ahead of the regulatory deadline of 31 March 2025. Firms should expect significant scrutiny and follow-up from UK supervisors after the implementation and into the transition period as they will be keen to ensure that the sector is on track to put in place the new framework according to the timeline they have set, and Internal Audit should now be providing internal challenge in anticipation of this regulatory focus.
The Deloitte Financial Services Internal Audit practice has worked with in-house Internal Audit functions across the sector, providing guidance and support at each stage of Operational Resilience Framework development both during the consultation stage and as firms finalise their approach in line with the policy statements.
The team has built up the skills and experience, backed by industry wide insight, to be able to support any in-house Internal Audit needs. We provide subject matter and methodology training, specialist input and benchmarking to support work delivered by in-house teams and outsourced Internal Audit reviews.
For more of our views on Operational Resilience, emerging regulatory approaches and the hot topics Internal Audit should be considering in the coming year, you can consult the following resources:
Sarah leads Operational Resilience across Financial Services and has over 18 years’ experience in global regulatory, technology and change programmes. Sarah has led technology and operations risk programmes across a number of our largest financial services clients, ranging from designing and embedding risk and control frameworks, implementation of Operational Resilience frameworks and assurance with regulatory requirements, risk and compliance operating models, as well as managing broader change and transformation programmes.
Mark is a Director in our Technology and Digital Risk practice. Based in the Manchester office, he has over 15 years of experience in the financial services sector. Mark has a broad range of experience in IT internal audit, IT control framework design, IT risk management, IT controls assurance IT external audit, IT governance, and third party service auditor reporting. Mark is a member of Deloitte UK Financial Services Internal Audit Leadership Team, and is currently leading a portfolio of IT risk and internal audit engagements across FTSE-100 financial services clients.