2. Operational Resilience (▲3)

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Why is it important?

Internal Audit, as the third line of defence, was uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and often with a highly relevant skill-set. We’ve seen many functions providing assurance on resilience programmes and the associated controls adopted by organisations, on a real-time basis as the crisis unfolds; however, they will need to continue to do so going forward, with the benefit of looking back and leveraging lessons learned.

Building the operational resilience of firms and Financial Market Infrastructures (FMIs) remains a key shared priority for the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). UK Regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the board and SMF24¹) and the quality of their crisis communications.

What’s new?

The three UK supervisory authorities published a shared policy summary and coordinated consultation papers (CP 19/32 and CP 29/19) on new requirements to strengthen operational resilience in the financial services sector. The CP principles establish the draft rules that firms will be required to follow, placing particular focus on identifying important business services, setting impact tolerances and the need for regular self-assessments. It builds on the concepts set out in the operational resilience Discussion Paper published in 2018, and addresses many of the proposed policy changes based on the responses received.

What should Internal Audit be doing?

As part of the next phase, organisations must recognise that they will have to face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges. Internal Audit will need to focus on:

  • Challenging and benchmarking management’s scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient based on a clear action plan. 
  • Understanding whether the resilience achieved to date was by design. If not, then what lessons should be drawn for the future? What are management’s ‘crunch points’ in the ability to deliver services against planning assumptions?
  • What is management’s strategy to return to “business as usual” after the crisis, and move from “respond” to “recover” and then to “thrive”? How can it turn the crisis into an opportunity to emerge stronger?

The PRA has asked IA functions across a number of firms to undertake an operational resilience audit against the principles in the consultation paper or broader governance and approach. IA will need to:

  • Review how the organisation has interpreted the regulation and taken actions in response to this whilst also leveraging industry response and lessons learned from COVID-19.
  • Challenge management’s process to identify their most important business services in order to prioritise their work and investment in operational resilience. 
  • Ensure that operational resilience is established across end-to-end business services, looks at business outcomes from a customer perspective and takes into account third parties and the ecosystem of the firm as a whole.
  • Validate whether the organisation has adequate internal governance and a supporting control framework in place for managing operational resilience. Ensure management has plans to embed operational resilience across the organisation.
  • Ensure that the organisation has set appropriate impact tolerances for its important business services, and has documented the people, processes, technology, facilities and information that support those services.


¹ Chief Operations Senior Management Function (SMF24), as introduced in 2017 by the UK Financial Services regulators (FCA and PRA), in line with the Senior Managers and Certification Regime (SM&CR).