Operational Resilience and TPRM

Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system. Following several high profile operational failures and the widespread disruption during the Coronavirus pandemic, regulators felt it necessary to improve resilience. 

In 2021, the FCA, PRA and the Bank of England published a policy statement (PS21/3) setting out new requirements to strengthen operational resilience in the financial services sector. 

Operational resilience is the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions. It’s not a new concept and there’s no prescription for how to achieve operational resilience. Firms choose how they get there, but being operationally resilient is not optional.

The regulation applies to banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers’ and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011), UK Solvency II firms, the Society of Lloyd’s and its managing agents (insurers), Central Counterparties; Recognised Payment System Operators and Specified Service Providers; Central Securities Depositories

The long transition period for compliance ended in 2025, and firms now need to be able to continually operate within their impact tolerances, and maintain evidence that this has been tested successfully.

The huge expansion of cloud computing services, various “as a Service” (aaS) offerings (e.g. Banking as a Service, BaaS; Software as a Service, SaaS), has resulting in most firms’ infrastructure stack being dependent on multiple third parties, in addition to traditional group dependencies.

While simplifying systems development and reducing time to market and up-front investment, these complex third-party tech stacks rely on complex networks of connectivity. The failure of a single element of a third party service can cause critical service failure. Replacing a third party (or group support) due to service level agreement failures can be difficult, time consuming and costly.

Regulators have responded to the increasing risk posed by these complex interdependencies by strengthening their oversight of third parties (including group service providers).

Third Party Risk Management (TPRM) and managing Material Third Parties (MTPs) is an essential operational and regulatory obligation. It is a challenge for many firms, who may be dependent on these same third parties for the expertise required to manage them, creating conflicts and confusion.

Our Approach

We bring together big four consulting with operational industry experience to provide creative and pragmatic solutions. We help firms take the following practical steps to embed and evidence their operational resilience:
  • Identify Important Business Services (IBS) and set impact tolerance for each.
  • Perform mapping of the people, processes, technology, facilities and information resources necessary to deliver each IBS (including external third parties).
  • Identify how IBS could fail and list procedures and measures to mitigate the risk of failure.
  • Identify critical and material third parties.
  • Identify any current vulnerabilities in the operational resilience framework and develop an action plans to address them.
  • Develop a testing plan to ensure ‘regular’ risk based testing of scenarios against a range of severe but plausible scenarios.
  • Embed into governance and develop or repurpose communications plans accordingly.
Our team has expertise in crisis management and building operational resilience from delivering business transformation programmes over many years. We work closely with our clients to achieve sustainable, business-as-usual, regulatory-compliant operational resilience frameworks.

Our Services

Assurance and Testing Services

  • Reviewing operational resilience or BCP frameworks against regulatory requirements and leading industry practice and providing pragmatic enhancement recommendations.
  • Providing outsourced independent testing of operational or BCP frameworks to assure resilience.

Advisory Services

  • Assessing current operational resilience frameworks to provide recommendations to meet the latest regulatory requirements.
  • Supporting firms in designing robust and evidence based operational resilience frameworks that are proportionate to their role in the financial system.
  • Providing SME implementation support to deliver enhanced operational resilience frameworks
  • Post implementation reviews of inhouse operational resilience transformation.

Remediation Services

Following an operational incident, crisis or regulator intervention, we support firms through the end to end process of remediation and make sure lessons are learned. This includes:
  • Root cause analysis.
  • Remediation planning.
  • Remediation programme management.
  • Design and implementation of framework remediation.
  • Testing remediation effectiveness.