Articles » Latest Articles

New Operational Resilience Regulations: Are You Prepared?

Apr 11, 2019 Red Flag Alert Updated On: August 16, 2023
New Operational Resilience Regulations: Are You Prepared?

If Financial Markets Infrastructure (FMI) services are left open to risk, the consequences can have a devastating impact on people’s lives. 

Just take the 2008 banking collapse as an example: banks went bust, companies closed, redundancies were made, families lost homes. 

Since then, we’ve seen several high-profile incidents at FMIs involving technology issues, supply chain concerns and cybersecurity breaches. These all resulted in outages in vital financial infrastructure services and caused economic turmoil. 

With this in mind, the Bank of England has worked with the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) and issued a joint discussion paper outlining their views on the approach to operational resilience for FMIs. 

They propose that regulations governing the way that FMIs monitor their supply chain should be tightened and that they should also have procedures in place to mitigate risk and manage issues. 

In this article, we’re going to provide an overview of the new regulations, as well as explain how Red Flag Alert can help ensure that your organisation is compliant with the requirements.

Rethinking Operational Resilience

In a recent paper, PwC has a clear definition for operational resilience: “the embedding of capabilities, processes, behaviours and systems, which allow a firm to continue to carry out its mission in the face of disruption regardless of its source.” 

Service continuity is at its core, and the discussion paper proposes that operational resilience should be integrated into every FMI’s strategy and business plan. In particular, it states that the loss of critical financial services should be treated as inevitable and that FMIs should plan for when something goes wrong, not if.

This means that rather than targeting specific threats, companies will focus their efforts on minimising disruption and make the service resilient to a wide range of potential problems.

To do this, the paper suggests four areas for supervisory expectation and assessment:


Companies focus on the continuity of their most important business service and prioritise their own analysis, work and investment in operational resilience. 


Develop the means by which FMIs can adapt their business processes and practices in the event of shocks to preserve continuity of service. 


Develop strategies for communicating with stakeholders in the event of disruption to minimise its impact. 


It is the responsibility of boards and senior management to set operational resilience strategies and see them implemented. 

Staying compliant with this level of regulation will no doubt be challenging. However, the Bank of England is under increasing pressure from government to ensure the security of the UK’s financial services market, and so this kind of scrutiny looks set to stay. 

Also, the discussion paper states that this kind of business practice is in the interest of FMIs and would drive better decision-making and, ultimately, make companies more robust.

Good Governance Requires Powerful Insight 

Good governance will play a key role in achieving operational resilience as it sets the rules and procedures through which a company sets its objectives, delivers its strategy and monitors its performance. 

To reflect the scale of the task, a new board responsibility, designated Chief Operations Senior Management Function (SMF24) should be assigned to comply with PRA regulations. 

SMF24 has six areas of responsibility, all of which support resilience: 

  • Business continuity
  • Cybersecurity
  • Operational continuity, resilience and strategy
  • Outsourcing, procurement, vendor management and shared services
  • Information technology
  • Internal operations 

The challenge here is that financial firms have traditionally been organised by their function or service – as a result, different parts of the business are not always well aligned. 

To achieve operational resilience, the SMF24 will need to connect these fragmented structures and put a new strategic focus on reporting and decision-making. This means that the senior management board will need to have a strong understanding of the technical details of how these services are delivered. 

Management teams will need to have access to high-quality and predictive data, and advanced tools like performance and risk analytics. This data must be aligned with management’s understanding of their critical services to generate powerful insights that inform governance decision-making. 

However, a strong understanding of internal structures alone isn’t enough to ensure operational resilience. With more functions being outsourced and the industry moving towards open banking, FMIs are finding themselves working in an increasingly networked environment supported by a range of different suppliers. 

It is, therefore, vital that they have wide oversight of all the partners and external bodies that impact delivery of their most important products, services and assets, and use a wider set of considerations when assessing them. 

Use Data to Assess Partners

One of the main ways which FMIs can avoid loss of critical services is by ensuring that they work with well-managed, financially healthy partners.

Red Flag Alert provides business intelligence on 6.5 million UK businesses, delivering the kind of granular, high-quality and predictive data that is required.

We offer unique financial health ratings that can accurately predict when a business supporting your critical functions is in trouble or likely to fail.

We use multiple sources to gather 100+ data points on each UK business. We make 100,000 data updates every day and offer a view of the country’s business landscape that is unmatched in its breadth and depth.

Over 13 years of learning has allowed us to develop complex algorithms that put business events into context. This means that every financial health rating is supported by millions of data points and a decade of data. If a CCJ of a certain size normally leads to failure in a certain sector, our algorithm picks that up and calculates the company health rating accordingly. 

This enables you to make informed and reliable decisions, even when the information available is limited. 

For a free trial, click here.

Published by Red Flag Alert April 11, 2019

Stay informed

Sign up to receive expert insights direct to your inbox.