Five steps to business continuity in UK financial services – managing third party risk

Step 1: understand the role of third parties in potential disruption

Regulated entities are required to identify and map all third party relationships, and then service delivery infrastructure, on which they depend to deliver important business services. Important business services, generally, are those which have an impact on clients or the soundness or safety of a regulated entity, financial markets or structural elements of the financial system.

Both the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) require that impact tolerances be set for each important business service to deal with “severe but plausible” events. If disruption causes an important business service to fall outside its impact tolerance, the regulators expect to be notified.

The information obtained from the supplier, and associated remedial action, may need to include service levels for:

• peak times, different times of the day and different points of the year;
• clarity regarding any variations in volume or the value of transactions during various disruption scenarios, and
• functionality commitments which clarify the minimum necessary for an important business service to stay within its impact tolerance.

Step 2: plan for a response to disruption

For each third party relationship that is material to the important business services or that affects the ability to remain within the impact tolerance, a regulated entity should be able to demonstrate how its supplier, with the power of its contract, enables the entity to address “severe but plausible operational disruption”.

Both the regulated entity and the supplier should consider the cost, resourcing and timing implications of events – be they service failure or external events – that may lead to disruption. In terms of timing, the impact tolerance may require that in some circumstances standby solutions – with the same or a different supplier – can be switched on automatically. In terms of resources, it may be important to clarify that not only the technology, but also, the people available at alternative locations, are capable of performing all roles necessary to enable the service to maintain operations within set impact tolerances.

The regulated entity should also take the additional steps of:

• identifying potential alternative or back-up service infrastructure and/or suppliers;
• identifying priority capability and data that may need to be accessed in a disruption; and
• defining KPIs and risk indicators which may indicate that an exit from the supplier arrangement may be necessary as it no longer supports the required level of resilience.

When disruption occurs, it is important for effective crisis communication measures to be put in place. That includes thinking about the role of suppliers in communicating with external stakeholders. The objective of these communications should be to enable quick action and effectively “reduce the anticipated harm caused by operational disruptions”. The FCA expects regulated entities to take specific measures as part of an effective communications strategy. Those measures include:

• considering processes for circumstances where there is no direct line of communication available;
• implementing methods that enable information about the cause, extent, and impact of operational incidents to be obtained; and
• ensuring that appropriate methods of communication are used. The circumstances and vulnerabilities of the relevant client-base may need to be considered in determining whether or not a chosen method is appropriate.

Step 3: plan for recovery and restoration

The regulated entity should plan for effective recovery and restoration of operations following disruption. Those plans need to consider the extent to which third party suppliers’ people, processes, technology, facilities and information can contribute to that recovery. The regulated entity will likely want assurances around capacity specifications, recovery time objectives and restoration of service priorities, and recovery point objectives for data/processes.

The conditions that prompt activation of a recovery plan should be clear and the role that the supplier has in meeting recovery objectives should be agreed. The scope and frequency of backups of data and underlying ICT systems and technology infrastructure, for example the use of active/active or active/passive data centres, should be proportionate to the risk.

Regulated entities should be able to demonstrate that they can retain flexibility to deliver important business services when disruption occurs. The PRA expects regulated entities to consider temporary measures that may need to be put in place, even if those measures will not be suitable as long-term solutions.

The FCA similarly expects regulated entities to consider circumstances where it may be preferable to require a supplier to provide a degraded service rather than keep it offline until it can be fully restored. The regulated entity should have the ability to determine whether “the benefits of resuming a degraded service outweigh the negatives of keeping the service unavailable until the issues have been fully remediated”.

Step 4: test your plans – “war gaming”

Disruption scenario testing against the recovery/restoration plans should be run regularly. As part of this, scenarios for testing, including “severe but plausible ones” need to be selected.

The PRA gives a failure at a third party or in their supply chain as one example of a scenario to test. It also says that previous incidents or near misses within the organisation, across the financial sector or those of other sectors and jurisdictions can also be used.

Four scenarios the FCA lists for regulated entities to consider testing are:

• corruption, deletion or manipulation of critical data;
• unavailability of facilities or key people;
• unavailability of third party services critical to the delivery of important business services; and
• loss or reduced provision of technology underpinning the delivery of important business services.

The regulated entity should work with their suppliers to validate their scenario testing. According to the FCA this should involve assessing “the suitability of the methodologies, scenarios and considerations adopted by the third party in carrying out testing”.

Step 5: lessons learned

Plans and measures should be updated with lessons learned from scenario testing. These lessons may result in changed recovery objectives or priorities, changes in suppliers or sourcing models – for example, single- to dual-sourcing – or changes in service infrastructure, such as a move to more resilient hosting.

Where weaknesses are identified, regulated entities are expected to make necessary improvements. Contracts with third parties should be flexible enough to enable improvements to be made as a result of these ‘lessons learned’ exercises – both by way of termination, change, and diversification of supply.

The FCA has given the example of providing a web channel as an “additional service delivery channel to users as a back-up solution” to fill a resilience gap identified through scenario testing. It also uses examples such as conducting benchmarking exercises to identify alternative suppliers, and refreshing internal policies to recognise regulatory requirements, as other potential learned outcomes of lessons learned exercises.

For banks, the Basel Committee on Banking Supervision in its operational resilience principles recommends that lessons learned from “incidents experienced by others” should also be reflected when updating an incident management programme. This may therefore require monitoring of responses to the impact of the Covid-19 pandemic and other recent developments which impact on operational resilience.

Achieving operational resilience

At a practical level, there are many steps that need to be taken to operationalise the five broad steps outlined. When engaging third party suppliers, attention should be given to the role the third party will have in the regulated entity’s overall approach to operational resilience all the way through the lifecycle of procurement, contract negotiation, contract management and exit.