BLOG — Mar 03, 2022

5 insights to prepare for the 31 March Operational Resilience & Risk Requirements deadline

Financial services firms are busy making final preparations for the 31 March Prudential Regulation Authority (Bank of England) deadline for new requirements on operational resilience, third party risk management, and outsourcing.

We recently hosted a webinar to discuss implementation of Supervisory Statement (SS1/21 and SS2/21) requirements, the challenges, and the opportunities. It attracted an audience of over 120 professionals across financial institutions. The distinguished panel included representatives from the PRA, HSBC, PwC, and UBS, as well as our own experts.

Here are five key insights from the webinar (removing attribution in accordance with the Chatham House Rule) to help firms prepare for the deadline.

Key insights on PRA SS1/21 and SS2/21
1. Operational resilience requires firms to identify important business services and relevant third parties, set impact tolerances, map, and test. Mapping entire business flows (front, middle, and back office) may be a requirement if they support important business services. Teams often find success adopting a cross-functional approach. Silo-based thinking, in which business verticals plan by themselves, is counterproductive to meeting requirements.

2. In implementing operational resilience requirements, firms should adopt their customer's perspective across offerings and operations and understand how third parties support customer activities. At some organizations, this mindset may never have been applied firmwide. The work done for operational resilience can yield added benefits in unlocking value for customers and improving their experience.

3. Robust third-party risk management and operational resilience work should not be a box-ticking exercise. For instance, firms should assess the materiality of all their third-party arrangements and implement appropriate controls based on these materiality assessments, rather than focusing 'unduly' on whether a given third-party arrangement meets the regulatory definition of 'outsourcing' or not. Likewise, firms should approach their business continuity and exit plans as genuine, practical mechanisms to prepare, respond to and recover from operational disruption rather than as mere regulatory compliance exercises. Whilst the guidelines/regulations are fairly prescriptive, they are also explicitly outcomes-focused and risk-based. Firms should ensure they take a risk-based approach to adoption and remain focused on outcomes rather than tasks.

4. Firms typically have existing systems and teams in place across a range of risk areas, including cyber, information security, business continuity and financial crime. It is vital to leverage existing culture, structures and initiatives when building out operational resilience, rather than build something new. Programs should continue to evolve post March 31; this is not a 'one and done' initiative. Programs should accommodate local/regional requirements.

5. Third-party risk management professionals are difficult to find and retain. Against this background and the growing requirements, the industry recognized that firms must work together to adopt community and technology-driven approaches and standards, including shared assessment offerings. Managed services can also be part of the solution.

How KY3P® by IHS Markit can help
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers that specialize in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third party risk management program, while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.

Posted 03 March 2022 by Will Kendal, Director, Product Management, KY3P, S&P Global Market Intelligence

S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.

Theme

Financial Services

Location

Europe

S&P Global Offerings

Market Intelligence

Ratings

Commodity Insights

S&P Dow Jones Indices

Mobility

Sustainable1

Featured Topics

Featured Products

S&P Capital IQ Pro

Platts Connect

S&P Global ESG Scores

AutoCreditInsight

Ratings360

SPICE: The Index Source for ESG Data

Events

Careers

Market Intelligence

Ratings

Commodity Insights

S&P Dow Jones Indices

Mobility

Sustainable1

S&P Capital IQ Pro

Platts Connect

S&P Global ESG Scores

AutoCreditInsight

Ratings360

SPICE: The Index Source for ESG Data

S&P Global Offerings

Market Intelligence

Ratings

Commodity Insights

S&P Dow Jones Indices

Mobility

Sustainable1

Featured Topics

Featured Products

S&P Capital IQ Pro

Platts Connect

S&P Global ESG Scores

AutoCreditInsight

Ratings360

SPICE: The Index Source for ESG Data

Events

Careers

Market Intelligence

Ratings

Commodity Insights

S&P Dow Jones Indices

Mobility

Sustainable1

S&P Capital IQ Pro

Platts Connect

S&P Global ESG Scores

AutoCreditInsight

Ratings360

SPICE: The Index Source for ESG Data

Featured Products

S&P Capital IQ Pro

RatingsDirect

iLevel

Purchasing Managers' Index

Bond Pricing

RiskGauge Desktop

Supply Chain Console

Power Evaluator

Credit & Risk

Data, Insights, & Advisory

Artificial Intelligence Solutions

Consulting & Advisory

Data & Delivery

Deep Sector Coverage

Defense & National Security

Economic Indicators & Forecasts

Global Risk & Maritime

Investor Relations Services

Enterprise Software & Solutions

Managed Services

Private Markets