Sheffield Haworth logo

SH INSIGHTS

Risk and Resilience

Boards and senior management bear the ultimate responsibility for their company's operational resilience.

The PRA stresses the importance of Boards and senior management actively supervising the implementation of the firm’s operational resilience program.

The Chief Operating Officer (COO) or Chief Information Officer (CIO) should prioritise operational resilience and compliance, being responsible for the approach.

Taking a proactive stance is crucial for firms to meet regulatory standards.

Sheffield Haworth offers support to firms by:

-ensuring the effective implementation of the resilience program plan in compliance with PRA guidelines and continuously enhancing it.

-identifying operational resilience gaps and suggesting areas for improvement.

-keeping operational resilience policies and procedures current and well-tested.

Regulators are now emphasising the urgency for Financial Services firms to enhance their response capabilities to various operational events that could potentially disrupt their operations due to increasing concerns about operational continuity failures.

This shift is noticeable in supervisory statements and expectations released since 2015. Recent engagements between regulatory bodies like the PRA and FCA and firms highlight the growing focus on operational resilience. Furthermore, regulations such as the discussion paper on Critical third parties in the UK financial sector and the Digital Operational Resilience Act (DORA) in the EU have become crucial guidelines actively followed by firms within their jurisdiction.

The operational resilience policy, jointly introduced by the Bank, PRA, and FCA, requires firms to identify critical business services, set impact tolerances, and proactively ensure the continuous delivery of these services during severe disruptions. This policy, along with updates on outsourcing and third-party risk management, acknowledges firms’ increasing reliance on third parties, including cloud service providers. The PRA is committed to evaluating firms’ progress against its policy expectations, ensuring the ability to deliver essential business services within established impact tolerances by March 31, 2025.

The review has been written by Charles Matthee​, Risk Advisory Lead. To discuss the review further, reach out to Charles or Adriaan Hugo, Executive Director, Change Consulting.

Share this document

LinkedIn