The December 2019 extension of the Senior Managers and Certification Regime (SMCR) is now looming.
From that point, the regulation will apply to Financial Conduct Authority solo-regulated companies, pushing them to put a renewed focus on operational and cyber resilience.
There is an expectation from the regulators that operational resilience and cyber security will be taken seriously and that senior managers will be held accountable for them.
Its importance was underlined in the jointly published Prudential Regulation Authority, FCA and Bank of England Operational Resilience discussion paper which re-iterated the need for operational resilience to be on an equal footing with financial resilience.
The first question to ask is whether the technology is reliable. Is it patched and tested?
A recently published Bank of England Financial Stability Report then made it clear that, under SMCR, the Chief Operations Senior Management Function (SMF 24) will be the individual responsible for the resilience of operations.
In light of this, firms now need to take a number of steps to make sure they are prepared.
Key questions
Make sure there is accountability for the resilience of your most critical services.
Regulators expect firms to understand the criticality of the services they provide in the context of the customers and markets they serve.
To take a simple example, the ability to sell a mortgage may not be considered as critical as a mortgage drawdown. The failure of the latter can hugely disrupt an individual’s life and possibly the wider market, while the former is likely to only impact the firm commercially.
You then need to understand the different components that make up a resilient service and recognise that having a single and senior point of accountability helps to answer the key questions in each of them.
The first question to ask is whether the technology is reliable. Is it patched and tested?
Then you need to consider if there are skill gaps in the teams who support the service and ask, what are the key people risks? That includes looking at your suppliers and checking whether they are acting to promote resilience.
It is also important to consider risks to the current service and any changes that could disrupt it.
Testing is essential in this process and managers need to check if they have tested the resilience of the service recently and that they know what to do if things go wrong.
Resilience is multi-faceted and dealing with each of these questions is likely to need specialist teams to help answer them.