Spotlight on the UK’s new operational resilience regulation

Simon Fieldhouse, global managing director – software resilience at NCC Group

After years of consultation, the UK’s Prudential Regulation Authority (PRA) is set to publish new rules on outsourcing and third-party risk management this month. In our ‘Spotlight on’ series, we explore what this means for the banking and financial services sector, its resilience, and the pace of digital transformation.

What does the regulation say?

Although the rules are yet to be formally set out and announced, the changes outlined in the Bank of England’s Consultation Paper 30/19 provide an overview of what to expect.

The paper recognises the impact that supply chains have on an organisation’s overall resilience, and the changing nature of risk.

For a long time, risk has been largely considered from a technical or cyber security-focused perspective. However, these incoming regulatory changes broaden the scope of risk in line with the increasing number of third-party supplied services used by businesses. According to the Bank of England, 40-90% of banks’ workloads globally could be hosted on public cloud or software-as-a-service within a decade.

It’s therefore important to consider the impact on business continuity if one of those suppliers were to fail – and this remains a firm focus for financial regulators, both in the UK and around the world, including the Bank of England, the Financial Conduct Authority (FCA) and the PRA.

The regulation reinforces how organisations in the finance and banking sector must remain fully accountable for their own regulatory compliance. This means ensuring that outsourcers have processes in place to anticipate, withstand and respond to disruption.

Every firm must also have a pre-developed “stressed exit plan” in place – meaning that they have measures to maintain business continuity should an IT failure occur within their supply chain. These plans must also be tested to ensure that they work, and the results of this must be presented to the regulator.

Why now?

Supply chains across almost every sector are becoming increasingly complex as organisations seek new cloud-focused tools to boost productivity, drive efficiencies or provide an enhanced user experience. In fact, our research from 2020 found that many businesses were expecting to make increasing use of the cloud a permanent change following the pandemic.

The Consultation Paper notes this, highlighting that ‘in recent years, firms’ interactions with third parties have evolved significantly’. Third-party software has become a permanent fixture of many competitive organisations' supply chains – with the pace of digital transformation only picking up speed.

However, outsourcing also comes with risk. In heavily regulated industries, such as the banking and finance sector, ensuring that sensitive applications and data are constantly protected and available – even in the event of disruption – is crucial.

What should leaders in the finance sector do next?

Organisations should assess the resilience of their supply chain, categorising outsourcers on their criticality, financial stability and concentration risk, with particular attention paid to services in the cloud.

Once this is understood, businesses can put the appropriate strategies and systems in place to manage risk. Organisations should look for suppliers that proactively deliver complementary risk mitigation and business continuity assurance that fits with the organisation’s needs. This can include implementing robust onboarding and procurement policies that ensure that software escrow agreements and verification testing are built into any supplier contracts.

For every outsourcing agreement, organisations are required to develop a business continuity plan in order to protect business-critical applications. This can be tested repeatedly using software escrow verification tests, which ensures that an application can be rebuilt should the need arise.

For many financial institutions and their outsourcers, these regulatory changes could mean that a lot of resource must be used on the creation and implementation of viable stressed exit plans. However, for those with escrow agreements already in place, organisations can test their existing procedures and cover anything that has been missed.

Ultimately, the new regulation aims to boost resilience while facilitating greater adoption of the cloud and other technologies – tools which are increasingly critical to innovation and business adaptability. By increasing resilience in line with the pace of digital transformation, organisations in the sector can boost their agility and growth in a more sustainable way.