4

Identifying and documenting critical services

4.1

This chapter sets out the PRA’s expectations on the identification and documentation of firms’ critical services, required under Operational Continuity 3.1(1).

4.2

The PRA expects firms, irrespective of their service provision model, to undertake identification and documentation of their operational arrangements for critical services. This is referred to as mapping and should include:

  • identification of services. This involves identifying legal entities, business lines, or divisions that perform critical functions or are core business lines. Firms should determine an appropriate scope of critical services that support these, as well as the underlying cost structures, operational assets, and any interdependencies; and
  • documentation of operational arrangements. Firms should maintain comprehensive documentation of service arrangements. This should be updated at least annually or in a timely manner following material changes to firms’ service provision. Documentation could take the form of a service catalogue and should enable timely access to, at a minimum:
    • identified critical services and the critical functions or core business lines they support;
    • the service provision model used;
    • information about each party, including jurisdiction;
    • service level agreements;
    • contractual arrangements;
    • pricing;
    • operational assets used, including ownership information;
    • relevant policies, processes, and procedures; and
    • interdependencies.

4.3

The PRA expects firms to ensure that information relating to their operational arrangements for critical services is available when and where needed. Firms should be able to access, search, extract, and leverage the information in a timely manner in planning for and executing recovery actions, resolution, or both. This should also include providing information, where requested, to the PRA, Bank (as resolution authority), a bail-in administrator appointed by the Bank, or (for hosted firms) the home resolution authority.

4.4

The PRA expects that firms should be able to use the identification and documentation of their critical services to demonstrate to the PRA that they have comprehensively identified all critical services.

4.5

The PRA expects firms to consider how they may be able to use the identification and documentation of their critical services to support implementation of other PRA policies, or leverage other record-keeping requirements to support their OCIR identification and documentation. Other relevant requirements include the expectations on record-keeping contained in SS2/21 ‘Outsourcing and third party risk management’,[14] and Rule 4.1 (Mapping) in the Operational Resilience Part of the PRA Rulebook.[15] Chapter 1 of this SS sets out further links to other, non-OCIR requirements and expectations.