So this should come as no surprise to UK financial institutions. Since 2017, the FCA has been working toward a March 2025 deadline for implementation of the UK Operational Resilience Act.
However, what has changed is the deadline, which has now been moved to January 2025, with the FCA appearing to pip the European Digital Operational Resilience Act to the post in terms of implementation.
In essence, the FCA's Operational Resilience Act is being implemented "to manage the systemic risks posed by certain third parties to the UK financial sector", laying out requirements for Critical Third Parties (CTPs) to ensure that UK financial institutions are strengthened and stable, and that third parties cannot pose a significant threat in light of an escalating and evolving cyber risk landscape.
DORA – the Digital Operational Resilience Act – focuses heavily on third-party risk and, whilst there is alignment with the FCA's Operational Resilience Act, DORA concentrates on harmonising ICT risk management and digital operational resilience, addressing cyber threats, IT failures and incident reporting, including those posed by third parties. The FCA's Operational Resilience Framework takes a broader view of operational disruption, covering non-digital risks such as supply chain failures or extreme weather.
What are the key considerations for the FCA UK Operational Resilience Act?
- Identify Important Business Services (IBS)
  - Firms must identify the services they provide that, if disrupted, could cause significant harm to consumers or market integrity.
- Set Impact Tolerances
  - Define the maximum tolerable level of disruption for each IBS, measured by duration or other metrics (e.g., volume of transactions).
- Mapping and Dependencies
  - Map all processes, systems, people and third-party providers that support each IBS to understand dependencies and potential points of failure.
- Scenario Testing
  - Conduct regular tests of extreme but plausible scenarios to evaluate the firm's ability to stay within its impact tolerances.
  - Tests should include disruptions such as cyberattacks, IT failures and third-party outages.
- Third-Party Risk Management
  - Assess and manage risks introduced by outsourcing and third-party providers to ensure their resilience aligns with the firm's operational requirements.
- Governance and Accountability
  - Ensure that senior management and boards are responsible for embedding operational resilience within the firm's strategy.
  - Firms must maintain clear accountability for decision-making and oversight.
- Communication and Transparency
  - Develop a clear plan for internal and external communication during disruptions to minimise harm and provide timely updates.
- Regular Reviews and Updates
  - Continuously improve operational resilience through annual reviews of the IBS, impact tolerances and testing outcomes.
The Revised Timeline – Why this matters
Well, for starters, UK financial institutions now only have until January to comply, rather than March, meaning that whatever steps remain need to be implemented quickly.
That said, this should come as no surprise, as the framework has been in consultation since 2018, so hopefully financial institutions have been building towards this date. Whilst the change goes some way to aligning with DORA, organisations that were relying on the extra two months to complete their tracking and oversight of third parties will now come under additional pressure. The move also underscores the FCA's commitment to bolstering the UK's financial stability.
Confusion or alignment? How DORA implementation is impacted
It's really a tale of two aspects: some that could cause confusion, and some that help with alignment between DORA and the FCA Operational Resilience Act. The areas of alignment include:
- Shared focus on resilience: Both the UK Operational Resilience Act and DORA focus on strengthening the resilience of financial institutions, which gives firms a common basis on which to streamline and monitor their compliance.
- Overlap in key practices: Scenario testing, impact tolerances and third-party risk management are central to both the FCA framework and DORA, which supports a unified approach.
- Harmonised timelines: With the FCA deadline moved from March to January, firms can take a single, harmonised approach to achieving compliance with both.
- Automation is key: Continuous monitoring is a key message in both the UK Operational Resilience Act and DORA, pushing financial institutions to adopt shared tools and processes that meet both sets of requirements.
What’s the potential confusion?
- DORA has one scope, the FCA has another: DORA focuses specifically on ICT risk management, while the FCA covers a much broader range of operational disruptions, which could mean that financial institutions need to take separate approaches to each.
- Third-party oversight: Third-party risk is undoubtedly a core focus of each regulation; however, under DORA regulators will directly oversee critical ICT providers, whereas the FCA will hold financial institutions directly accountable for their third-party risk.
- Prescriptive vs principle-based: DORA is highly prescriptive on ICT resilience, whereas the FCA is taking a far more flexible approach that leaves firms room to interpret the guidelines.
- Resource allocation: Work on the FCA requirements and on DORA will compete for the same resources, which could prove exceedingly challenging for teams trying to complete both.
How can firms achieve compliance with the FCA Operational Resilience Act and DORA at the same time?
So, with both timelines aligning, financial organisations are going to need to take proactive steps to ensure they meet the deadline. Here is what we would suggest:
- Conduct the gap analysis now if you haven’t already
- Define your important business services
- Set and validate impact tolerances
- Review your third-party risk management
- Implement continuous monitoring
- Conduct scenario testing
- Enhance incident response plans
- Track regulatory updates.
Should you need support in your implementation of DORA and the FCA’s UK Operational Resilience Act, reach out to Quod Orbis here.