Operational Resilience: UK’s PRA Extends Coverage to New Companies
Operational Resilience – the ability for financial institutions to remain effective despite the impact of business interruptions – has shaped the plans of senior managers in financial services in the UK for over three years.
The UK’s Prudential Regulatory Authority (PRA) regulations in this area – SS1/21 and SS2/21 – come into effect in March 2022. The influence of these regulations covers institutions themselves and the third parties they use to deliver their services. Plans are in development to extend the provisions of Operational Resilience to creating a register of incidents, the third-party arrangements themselves, and potentially even attempt to regulate the most important third-party suppliers as well.
The PRA continues to develop the Operational Resilience framework further and recently published a consultation paper, exploring how best to bring holding companies into the regime.
Currently, the requirements of Operational Resilience focus on individual companies and their capacity to withstand disruptions to their business. The PRA is seeking to raise its scrutiny to another level, to assess the impact of an interruption on holding companies. Holding companies are businesses that retain the ownership of other companies, for a range of operational, legal, and commercial reasons.
Extending Operational Resilience to cover holding companies highlights two issues.
Firstly, what happens if a company, already subject to the Operational Resilience framework, becomes dependent – potentially in extremis – on the support of its holding company to maintain its operational continuity. The consultation paper suggests that the PRA will need to understand and see evidence that the arrangements to provide this support are comprehensive and consistent with the broader principles of Operational Resilience.
Another issue centers on concentration risk. Where holding companies hold investments in multiple institutions covered by Operational Resilience, a situation can quickly emerge where two or more companies call on the same set of financial resources to address an interruption. The PRA will want to ensure that sufficient resources are available so that all the relevant businesses held in the holding company can be fully supported as needed.
From the consultation paper, the PRA’s view is that it would be pragmatic in managing holding companies subject to its requirements. A holding company that only has a single institution impacted, would be treated differently to one where all entities it held are affected by Operational Resilience.
So how might this work in practice?
That depends on the nature of a holding company, and the extent to which the companies it holds are dependent upon it to operate effectively.
Where a holding company is an administrative arrangement, designed to address legal, reporting issues, or ownership issues, with limited impact on the operations of its subsidiaries, then engaging with the PRA will likely be a fairly limited exercise.
It becomes more challenging where the holding company is a vehicle focused on enabling more sophisticated tax, investment, ownership, or M&A arrangements. Here, the obligations between the holding companies and their subsidiaries become significantly more complex. The PRA will likely require visibility of the systems, processes, and resources used to monitor these arrangements, and ensure that the Operational Resilience requirements are consistently applied, regardless of changes in the businesses.
The Extensive Use of Spreadsheets: While powerful and flexible, they lack the controls essential to delivering the transparent and auditable results that businesses need.
The challenge for holding companies is that their value lies in their financial and legal structures, rather than any operational expertise. They are not typically operationally large or sophisticated operations, with extensive headcounts. While some systems and processes are likely to be automated, a great many will be manual, likely featuring the extensive use of spreadsheets.
While powerful and flexible, spreadsheets lack the controls essential to delivering the transparent and auditable results that businesses need to show regulators. This process is exacerbated when a company uses a third party to provide core infrastructure and capabilities. In both cases, the PRA will expect that businesses can demonstrate these capabilities under the provision of Operational Resilience.
How can you best deliver this?
Spreadsheet risk management capabilities allow companies to apply enterprise-strength controls to their most critical spreadsheets. These capabilities allow banks to proactively monitor these spreadsheets to identify issues – missing data, broken links, or formula errors, for example – that can impact a business’ Operational Resilience.
A spreadsheet inventory provides a foundation for centralizing the management, review, and visibility of the critical spreadsheets used in the business. It also provides a repository for the documentation essential for defining and controlling the core spreadsheets used in a company.
Powerful spreadsheet discovery capabilities help to identify the key spreadsheets that need to be proactively monitored so that issues can be captured, fixed, and reported.
Third-party Risk Management (TPRM) capabilities help an organization to proactively manage complex and deep supply chains so that issues around the resilience of one part of it do not turn into a major resilience issue for the prime customer. Powerful SaaS-based capabilities offer a decentralized but robust approach to managing suppliers deep into the third, fourth and fifth level supply chain. Delivering this would need a centralized repository containing the relevant contracts, policy standard documentation, and the risk profiles of the various suppliers. Managers can monitor the various elements of the supply chain proactively, so they can respond swiftly if issues emerge at any level before a minor issue develops into something more serious.
Mitratech’s GRC Platform offers powerful capabilities that help financial institutions around the world enhance their TPRM and their spreadsheet risk management. Quick to deploy, they solve your issues quickly and deliver value fast.