Operational Resilience: Building Effective Frameworks

Session 1: Introduction – the regulatory position

• FCA and PRA positions – operational risk resilience to regulatory objectives
• Where we are now and how we got here
• Looking forward to March 31, 2022 – what are the expectations and timelines
• Key milestones and practical validation requirements
• Rules or guidance – specific firm applicability

Case Studies: Issues at British Airways, O2, TSB Bank, HSBC

Session 2: Governance & Strategy

• Messaging – more than “Everyday Business Continuity”
• Prevent, Adapt, Respond, Recover, Learn
• SM24 responsibilities and broader Senior Managers and Certification Regime (SMCR) integration
• Roles for all leaders, line of sight to senior management
• Leadership in a hostile cyber environment 

Session 3: Building an effective and compliant operational resilience program

• Identifying key business services

• Definitions
• Single activities – not groups
• Criteria for consistent assessment
• Alignment with other business themes

• Setting operational resilience impact tolerances

• Identifying operational Risks resilience and Disruptors
• Probability / Impact / Control Effectiveness
• Value-based / Volume-based / Time-based
• Quantifying the maximum tolerable level of disruption
• Addressing both FCA and operational resilience PRA concerns

• Understanding upstream / downstream dependencies by identifying and documenting:

• People
• Processes
• Technology
• Facilities
• Information

• Ongoing operational resilience management

• First Line - Monitoring / Surveillance
• Second-line - Testing
• Scorecards / Dashboards – what, how, where
• Stress testing / Scenario modelling
• Annual review / Material change

Exercise – Breakout Rooms – Groups to discuss challenges and opportunities in building an effective program using templated handouts  

Session 4: Holistic management considerations

• Links to Business Continuity / Disaster Recovery
• Front, middle and back office – connecting the lines to benefit consumers
• What actually happens when business services are disrupted – roles and responsibilities
• Communication plans – internal and external
• Employees – engage, empower, evolve
• Documenting effective FCA operational resilience self-assessment and lessons learned 

Course Wrap-up:

• Summary
• Questions
• Open forum

With over 20 years of training experience in operational resilience in financial services, the operational resilience training leader is well-placed to support you across a range of compliance-related topics. He is a former Head of Education for HSBC covering the UK and Europe, responsible for regulatory and financial crime-related compliance learning. His time at HSBC was during intense scrutiny from regulators and government functions during the bank’s Deferred Prosecution Agreement.

Alongside expert delivery of Redcliffe’s operational resilience course, other roles include leading the Monitoring and Operational Resilience Scenario Testing programme for a UK Wealth Manager, and Senior Vice President responsible for Global Risk & Compliance training at a US-based bank. He also worked in the Operational Resilience Insurance Firms division at the Financial Conduct Authority (in the Financial Services Authority (FSA) days) where he was the divisional expert for the rules and outcomes required under the Training & Competence handbook.

The HSBC role, along with five years at Barclays in their Private Clients and Wealth functions, has seen the trainer work with retail, commercial, wholesale and private operational resilience in banking channels. Since leaving HSBC, he has worked with the compliance, HR and operational teams of firms to enhance their operational resilience regulations understanding, as well as delivering content across private equity firms, investment houses, banks and wealth managers. He regularly provides core programmes for the Truth in Savings Act (TISA) and the Investment Association.

He is a former member of the Investment Management Association Training & Education Committee and won the Thomson Reuters award for “Most Effective Compliance Training at a Regulated Firm” in 2010.

• Understand the regulatory drivers and priorities.
• Recognise the milestones and timelines to full compliance.
• Consider the factors you should promote to build an inclusive operational resilience framework FCA that staff can buy into.
• Provide a foundation for your in-house strategies.
• Understand the criteria by which you can identify operational resilience.
• Recognise common risks and disruptors to business continuity and operational resilience stability.
• Consider appropriate operational resilience governance and oversight models.

• We are well aware of how FCA expectations have changed alongside the best practices and mandatory updates.
• We have served clients of all shapes and sizes in the financial sector and are fully aware of the obligations of a regulated firm and what is expected from them by the regulator.
• We have been delivering training for over 20 years. We are certain we know the topic as well as anyone in the marketplace.
• Your course director is experienced as both a regulator and in training operational resilience regulation requirements across wholesale and retail financial firms. He will pass on past experiences to enhance the workshop and help bring it to life.
• We do not use academics. All our trainers are highly experienced professionals with relevant vocational experience in the real world.
• Our case studies enhance the learning points and are often found to be essential in truly understanding the requirements and growing the skills to apply them.
• We are always judged by our results which speak for themselves and the feedback received from previous delegates has always been excellent.

One way that regulators assess their performance is by measuring whether consumers get the products and services they need and want from firms they can trust. Principle 6 (of the Principles for Operational Resilience Business) and the subsequent 6 Treating Customers Fairly Outcomes explicitly call out the obligation to pay due regard to our customer’s needs and for products and services to perform as reasonably expected.

Yet things can (and do) go wrong – and regulators remain concerned that Financial Institutions are not doing enough to identify where this might happen or to remedy weaknesses in their businesses which allow this to happen.

This operational resilience training course explores the FCA building operational resilience and PRA proposals, explains the requirements and considers how we in firms can deliver a more resilient operational framework to deliver what our customers and clients expect.

Who Should Attend?

PRA and FCA have differing application criteria, though in the main; banks, building societies, PRA-designated investment firms, Recognised Investment Exchanges (RIEs) and ‘Enhanced’ SM&CR firms will have rules mandated. That said, the FCA’s building operational resilience expectation is that all firms will have properly tested contingency plans and it is considered likely that the rules will apply as guidance for Core SM&CR firms who are solo-regulated.

Relevant staff roles include Risk and Compliance, Operational Oversight and Operational Resilience Management plus those in Business Continuity and Disaster Recovery who will have crossover responsibility for operational resilience in financial institutions.