Andrew Sheen March 24, 2021

Don't Tell Your Regulator (8): Operational resilience expectations are met

"My Board meets the regulator’s operational resilience expectations"


This blog is one of a series designed to identify common mistakes made by firms. It explains why the mistake is damaging and could lead to regulatory sanctions, a capital add-on and even a skilled persons review (S166). If you are making this mistake then you need to change your practice.

Despite the regulatory focus on operational resilience and the increased importance of this activity as a result of the pandemic, many boards do not yet meet the regulator’s operational resilience expectations. Publication of the final regulations is imminent, although firms will have a period within which to comply. Firms must therefore take great care to ensure that they are not misleading the regulator when providing assurances about the board’s current capabilities.

The Solution

To be able to confirm that your board meets the regulator’s operational resilience expectations you must be able to demonstrate that:

  1. The board has received training in operational resilience and ensured that training is provided to all staff;
  2. The board has sufficient knowledge, skills and experience to meet its operational resilience responsibilities;
  3. The board has taken an active role in establishing a broad understanding of the bank’s operational resilience approach, through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intra-group entities;
  4. The board has reviewed and approved the bank’s operational resilience expectations, and considered the bank’s risk appetite, risk capacity and risk profile;
  5. Under the oversight of the board, the senior management has implemented the bank’s operational resilience approach and ensured that financial technical and other resources are appropriately allocated in order to support the firm’s overall operational resilience efforts;
  6. The board has satisfied itself that the firm is meeting the requirements to have suitable strategies, processes and systems to identify the important business services, set tolerances, and to perform mapping and testing. As a result:
    1. The board, and the senior management, have approved the important business services identified by the firm;
    2. The identification of important business services has enabled the board to approve the impact tolerance set and investment decisions;
    3. The board has considered a broad range of severe but plausible scenarios;
    4. The board has approved and regularly reviewed the firm’s written self-assessment;
  7. The board receives timely reports from the senior management on the ongoing operational resilience of the bank’s business, particularly when significant deficiencies could affect the delivery of the bank’s critical operations;
  8. The board challenges the senior management constructively on the firm’s operational resilience;
  9. The board meets its oversight responsibilities;
  10. The board has ensured that a senior manager has been allocated responsibility for:
    1. Implementing the operational resilience framework and reporting to the board;
    2. Creating and maintaining the operational resilience framework and undertaking the annual assessment;
  11. The board, and the board risk committee, have regularly reviewed and endorsed the firm’s response to the pandemic.

What would the outcome be if the regulator sat down with your board members individually and sought confirmation that these criteria have been met (not forgetting that, as noted in a previous blog, ‘absence of evidence is evidence of absence’)? Would the result be regulatory sanction, a capital add-on or a skilled persons review?

We hope you find this blog helpful. Chapelle can help firms and senior managers assess their compliance with the operational resilience requirements. For a full overview of our approach to framework improvements, please contact us.