Operational Resilience: the new regulatory focus on business services
Over the last few years the UK regulators have been focused on introducing a stronger regulatory framework to promote the operational resilience of firms, including insurers. This comes against a backdrop of firms battling an increasing number of operational threats such as cybercrime and large-scale technology changes. At the end of last year the regulators published their shared proposals, which set out the new regulatory regime and its impact on firms.
The regulators define operational resilience as the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions. Their approach assumes that major operational disruptions will occur, and they have proposed an outcomes-based regime requiring firms to put in place robust and reliable arrangements to minimise harm to consumers when disruptions do occur. To achieve this, firms are expected to be able to identify their important business services and set impact tolerances for each service. The concept of a business service is not familiar language to an insurer or broker; however, the regulators have provided examples of what they mean by this: the renewal of motor insurance, for example, is considered a business service. The PRA proposes that a business service is important if its disruption could pose a risk to the firm's safety, soundness, financial stability, or policyholder protection, whilst the FCA looks at the potential of the disruption of that service to cause intolerable levels of harm to consumers or market integrity. Examples of relevant risks include disruptions in annuity payments relied upon by policyholders to pay bills, or disruptions affecting businesses which require insurance in order to operate.
Impact tolerances (thresholds for maximum tolerable disruption) will need to be expressed by reference to specific outcomes and metrics and should always include the maximum tolerable duration. The regulators have provided a list of factors for firms to consider, such as the numbers and types of consumers adversely affected and the level of tolerable reputational damage. Firms may wish to seek clarity on whether they should also be considering their position in the market when setting an impact tolerance. Should the threshold be lower when policyholders have limited options in the market for a particular type of cover?
The new regulations will require boards and senior management to collectively have the appropriate level of knowledge, skills and expertise to meet their operational resilience responsibilities and to be sufficiently engaged in setting effective standards for operational resilience. Regardless of firm size or complexity, the FCA expects clarity on the lines of responsibility within a firm. Firms that have an individual performing the Chief Operations Function (SMF 24) may find that responsibility for implementing these proposals falls within the scope of that individual's responsibilities. Where firms do not have that function, it will be for the firm to determine the most appropriate individual who is accountable for operational resilience. Boards will be required to approve important business services and impact tolerances, and to conduct regular reviews of the self-assessment.
The final regulations are expected to be published this autumn; however, insurers should start preparatory work now. The consultation period ends on 3 April 2020, and firms should review the proposals and can provide feedback on any concerns about them. One particular area to consider is whether the guidance provided on identifying important business services and setting impact tolerances is sufficient. Boards and senior management should be educated on the new requirements and how these differ from other established risk and governance frameworks, and should set an initial vision for operational resilience. Insurers should then review the business, identify the most important business services, and map the processes and resources required to deliver an end-to-end service to policyholders. Starting early is likely to reduce the overall cost of implementation and ensure a smoother transition to the new regime.
This article first appeared in Insurance Day