Operational Risk Framework: UK financial regulators provide final clarification

Updated: Aug 25

The final policy was published in March 2021. Although the final operational resilience framework does not depart significantly from the December 2019 CPs, it does include some important clarifications.


In 2019, I identified a number of factors within the latest discussion paper that could affect business continuity specialists in the financial sector. The final policy clarifies these factors and now provides financial sector business continuity specialists with specific guidance for change.

1. Adopting a customer- and market-driven approach to designing a ‘joined up’ resilience and contingency strategy based on the prioritisation of services and market integrity. For many institutions this may require a rework of existing impact assessments to ensure that they focus on the ‘three lenses’ of impact:

• Financial stability: this applies to large, systemically important financial firms where operational disruption could cause a “ripple” effect throughout financial markets.

• Financial viability: where a disruption could cause an existential threat to the organisation.

• Potential harm to customers.

The latest policy reinforces this perspective and will require that financial firms consider these wider impacts when designing their operational resilience framework and when considering BIAs and risk assessments that have been developed for business continuity purposes.

2. The concept of important business services (IBS). This aspect of the policy requires firms to identify how customer-facing and service delivery activities can cause risk sensitivity to the three impact lenses mentioned above. Further clarification is provided in terms of the level of detail required to identify and map the constituent parts of important business services. Regulated organisations will be required to identify vulnerabilities to their delivery of each IBS, and this needs to include both internal and external services. The regulators also confirm that this mapping exercise should be iterative and reviewed at least annually and, additionally, when substantial operational change has occurred, such as the introduction of new systems and technology.

The regulator is expecting the mapping exercise to be detailed enough for financial firms to clearly establish vulnerabilities, mitigations and testing for each distinct “node” in the map. For many organisations this will be a large and possibly complex task.

3. Impact tolerances. This has been one of the most challenging aspects of the operational resilience initiative since the publication of the original discussion papers. It is an area that is likely to receive significant attention when regulators begin their assessment of the preparation and progress made by financial firms.

Regulators make it clear that there is an expectation that impact tolerances will need to be expressed as something more than just the duration of a disruption. Such metrics could include the volume of disruption, levels of impairment, damage or denial of data or the number of customers affected. Impact tolerances are required to create clear metrics that identify the level of resilience which needs to be established for important business services. Again, for many, this will create a wider perspective than has previously been adopted under “traditional” business approaches.


4. Testing. The regulatory polic