31st March 2022 represents an important regulatory deadline for financial services firms in the UK. Last March, the Bank of England and FCA released their Operational Resilience Policy Statement. It requires that, by this date, UK financial services companies must have demonstrated that they have identified their important business services, and any vulnerabilities in their operational resilience.
The regulator’s statement last year cemented their view that operational disruptions are a clear and present threat. What classifies as an operational disruption is broad, from system failures to security breaches to governance and oversight issues. In the regulator’s opinion, these disruptions can cause wide-reaching harm to consumers, pose a risk to market integrity, threaten the viability of firms and ultimately cause instability in the financial system.
This regulatory focus proves that resilience is a key issue for both the FCA and PRA as well as the Bank of England. The impact of the pandemic on ways of working in the sector has only exacerbated this, for example by forcing many workers in mission critical or time-sensitive roles to work remotely, particularly during a period of increased market volatility.
This change in working habits has given rise to a growing risk to operational resilience that firms can’t afford to overlook: the threat of internet and power outages disrupting remote workers.
The government’s work from home guidance, enforced during the more difficult moments of the pandemic, may have ended for now. But the fact remains that a shift has occurred. Many City firms have retained flexible working policies, and plan to do so long term. That means many thousands more people doing mission critical or time-sensitive work, often making complex and important decisions, away from the ‘safe’ surroundings of the traditional office.
But are the firms experiencing this change in working setup alive to the risks this poses? If not, they should be. Staff working remotely are at risk of severe disruption if internet or power supply drops. And these are regular occurrences. Recent events provide ample evidence of this, from the disruption caused by Storm Eunice to the looming threat of conflict in Europe which would impact energy supply. And of course, we may yet witness another virulent COVID variant which turns remote working back into a requirement rather than a choice.
Not only can home connectivity issues cause costly delays, they are also a potential security risk if workers try to get round outages by relying on less secure backup options.
The new regulatory requirements don’t end on 31st March. As soon as possible after that date, and no later than 31st March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
It is imperative that before the March deadline, as part of their mapping exercise, financial services firms consider the threat of internet and power outages to their business continuity and overall resilience and report it as part of their assessment. Failure to do so could be costly.