Key regulatory focus in 2025
Unfortunately, all spaces for the upcoming banking event at our London office have now been taken. If, however, you would like to speak with a member of our team to discuss the topics below, feel free to get in touch.
The final deadline for implementing all aspects of the Operational Resilience Regime is 31 March 2025. By this date, applicable financial services firms in the UK will have to demonstrate compliance with the regime. This consists of identifying, mapping and testing important business services (IBS) to ensure they can remain within their impact tolerances. Firms will also need to show they’ve made the necessary investments to support operational resilience.

Operational resilience timeline

What should firms have already done?

• Refined list of IBSs and impact tolerances with the business and board input until a consensus is reached. IBSs represent services that are essential for the firm’s operation and customer experience. Impact tolerances represent the maximum acceptable level of disruption.
• Demonstrated you understand how services are delivered, at what point intolerable harm is reached, and most importantly if you can remain within your stated impact tolerance.
• Built a case through exercises to validate your confidence in set impact tolerances and your ability to remain within those tolerances.
• Matured your analysis for a deeper understanding of the single points of failure and vulnerabilities that could make it difficult to remain within your set impact tolerances.
• Identified gaps in current approaches and assessed readiness for the 31 March deadline.

Detailed records of the above should be maintained to illustrate the firm’s rationale and demonstrate compliance with the regime.

What do firms need to consider going forward?

Most firms have made significant progress since 2021 in meeting the operational resilience requirements. However, the CrowdStrike outage in the summer of 2024 evidenced the complexity associated with maintaining operational resilience, particularly in relation to reliance on third parties in delivering important business services.
In particular, it highlighted the importance of:

• Rigorous mapping of important business services and identifying single points of failure.
• Regularly reviewing and improving change management processes for software and content updates.
• Deep understanding, risk assessment and detailed mapping of third- and nth-party relationships, and established relationships and protocols to share information with third-party providers.
• Appropriate range of severe but plausible scenario testing, including those impacting multiple important business services at the same time.
• Established and regularly tested incident response and crisis management processes.
• Defined and tested communications strategies.
Maintaining ongoing resilience requires ongoing effort past the implementation deadline, requiring firms to test, learn and improve their arrangements on a continuous basis. Firms need to:

1. Develop and embed capabilities aligned to the evolving risk and operational landscape. This will require investment and time spent creating a sustainable operating model. This should consist of integration of operational resilience within enterprise and operational risk frameworks.
2. Prioritise action to address the key gaps that would impact the ability to remain within tolerance.
3. Enhance monitoring and reporting on operational resilience. This should consist of results from regular testing, self-assessments, and lessons learned from past disruptions.
4. Embed annual operational resilience self-assessments (or more frequently if material changes occur).
Get in touch with our risk, regulation and operational resilience experts

For insights and guidance on meeting the regulatory requirements and evolving expectations, get in touch with our risk, regulation and operational resilience experts.