The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) are consulting on a joint approach to improve the operational resilience of firms and financial market infrastructures (FMIs).
The regulators say an operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system.
The discussion paper considers the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Among the concepts discussed are the need to set board-approved impact tolerances which quantify the level of disruption that could be tolerated. The paper also highlights the need to focus on the continuity of the most important business services as an essential component of managing operational resilience and the requirement for firms to plan on the assumption that disruption will occur as well as seeking to prevent it.
The regulators say the approach to operational resilience set out in the discussion paper is consistent with the Financial Protection Committee's (FPC) recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focusing on continuity of business services.
David Strachan, partner and head of Deloitte’s EMEA Centre for Regulatory Strategy, said: ‘Some firms will already be doing elements of this work across their business, but not necessarily by design. Governance is key, and the discussion paper underscores how boards will need to take greater responsibility for operational resilience in their firms.’
Strachan also pointed out that the approach outlined in the discussion paper now places data as one of the most critical resources for a firm, alongside capital and liquidity.
‘Impact tolerance is an important aspect of this discussion paper and, in essence, is a set of metrics describing how firms should recover from operational disruption to important business services. Focusing on this impact tolerance rather than, say, a single downtime target for critical systems, is a powerful concept that has the potential to accelerate thinking on how to recover from serious operational disruptions.
‘It is unlikely to be easy to implement and all parties may ultimately need to distinguish between recovery from a severe attack and dealing with the consequences of a near-extinction event.’
Andrew Husband, partner and head of operational resilience, KPMG UK, said the paper is a strong signal of intent from the regulators that firms need to take action.
‘Every aspect of end-to-end business services, from staff to third party suppliers, needs to be looked at through an “operational resilience” lens, with a focus on both protecting financial stability and consumers when, not if, the worst happens.
‘Boards need to be fully accountable for all aspects of operational resilience and they will be held to account,’ he said.
The discussion period ends on 5 October.
Report by Pat Sweet