Our previous blog, on the proposed UK and Basel Committee operational resilience frameworks (ORFs), offered a few high-level remarks regarding the challenge of identifying an important business service (IBS) under the UK ORF.  Given comments received, this short article will take a closer look at this key issue.

However, before launching into this discussion, it is essential to recall that the regulatory motivation for this new regime is rooted in past disruptions in the business services provided by financial services firms (e.g. TSB’s botched IT upgrade in 2018) that had a detrimental impact on end-users. Moreover, there is a view that new threats (e.g. crypto assets, cyber incidents) are mounting.  Each disruption to a business service has the potential to significantly undermine the regulatory objectives of the BOE, PRA and FCA (namely, financial stability, the safety and soundness of firms, secure insurance policyholder protection, consumer protection, market integrity, and effective competition). Hence, the more important the business service, the greater the threat to the public interest.  

This view of business services will not be natural for business heads who typically think in terms of business lines and products; so they will instinctively wish to see how these relate to business services.  Moreover, directly linked to each IBS is a chain of activities that make-up the service: from the taking up of the obligation to those activities that are essential to its delivery. Hence, an increasingly complex view of business services will be built-up by firms as they seek to identify their respective IBSs. A process which may prompt a few fundamental questions.

Consider (i) a retail client who is waiting for funds to be released, by Bank A, so that he/she can purchase a property; and (ii) a pension fund that has lent out its bonds (via an asset manager), to Bank B’s repo desk, for cash. (That the pension fund, then posts as variation margin for derivative transactions, it clears, via another Bank, through a CCP.)  Banks A and B might determine that the IBS is the outcome for the client whereby the receipt of loan monies allows the client to a purchase a property or meet an other financial obligation. 

They may also determine that a disruption to these services will only cause intolerable harm when a payment or settlement is missed.  Arguably, this means that payments and settlement are activities that are essential to the performance of these IBSs.  However, these activities aren’t business services in themselves and might be related to numerous business services delivered to end-users.  So how are firms to deal with this? Make all business services (relying on payments or settlement) important, and determine that the only parts of the chain that needs to be resilient are payments, settlement, and anything related to them?  Or should the entire chain be required to be resilient? Also, if all these business services are potentially important, to what degree can they actually be filtered for factors already identified by the BOE/PRA/FCA? Factors include the impact on the wider functioning of the UK economy or the ability of end-users to substitute the service.  

This discussion has not delved into all aspects of the above example (such as the business services provided by the asset manager, the CCP, or its clearing member). It only provides a flavour of the questions firms might include in their 1 October 2020 responses to the five separate consultation papers issued by the BOE/PRA/FCA in December 2019. The policy statement(s) and/or guidance that emerge will be watched closely, particularly by those firms who have already started looking closely at the ORF requirements. Those firms that haven’t started yet, need to be aware that the BOE/PRA/FCA have stated that they will not publish a taxonomy of IBSs.  

No matter where you are in the formulation of your ORF, if you need help, please contact Anita Millar (Director, ADM Risk, Regulation & Strategy Ltd). We can work alongside your team(s) and/or help you build a project team.  

Posted in Operational Resilience