10 Business continuity and exit plans

10.1

For each material outsourcing arrangement, the PRA expects firms to develop, maintain, and test a:

  • business continuity plan; and
  • documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:
    • in stressed circumstances (eg following the failure or insolvency of the service provider) (stressed exit); and
    • through a planned and managed exit for commercial, performance, or strategic reasons (non-stressed exit).

10.2

The PRA’s primary focus when it comes to business continuity plans and exit strategies is on the ability of firms to deliver important business services provided or supported by third parties in line with their impact tolerances in the event of disruption. Consequently, notwithstanding the importance of effectively planning for non-stressed exits, the main focus of this chapter is on business continuity and stressed exits.

Business continuity

10.3

Firms should implement and require service providers in material outsourcing arrangements to implement appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.

10.4

An important objective of the access, audit, and information rights in Chapter 8 is to enable firms, the PRA, and the Bank to assess the effectiveness of service providers’ business continuity plans. In particular, they should be able to assess the extent to which they may enable the delivery of important business services for which a firm relies (wholly or in part) on the service provider, within the firm’s impact tolerance in severe but plausible scenarios.

10.5

In material cloud outsourcing arrangements, the PRA expects firms to assess the resilience requirements of the service and data that are being outsourced and, with a risk-based approach, decide on one or more available cloud resiliency options, which may include:

  • multiple data centres spread across geographical regions;
  • multiple active data centres in different availability zones within the same region, which allows the service provider to re-route services if a data centre goes down;
  • a hybrid cloud (ie a combination of on-premises and public cloud data centres);
  • multiple or back-up vendors;
  • retaining the ability to bring data or applications back on-premises; and/or
  • any other viable approach that can achieve and promote an appropriate level of resiliency.

10.6

There is no hierarchy or one-size-fits-all combination of cloud resiliency options. The optimal option or combination of options will depend on various factors, including but not limited to the:

  • size and internal organisation and the nature, scope, and complexity of the firm’s activities (proportionality);
  • potential impact of the outsourcing arrangement on the provision of important business services by the firm (materiality); and
  • relative costs and benefits of different options, taking into account the risks that failure or prolonged operational disruption may pose to UK financial stability or the safety and soundness of the firm, and (for insurers) policyholder protection.

10.7

If a significant firm wants to outsource its core banking platform to the cloud, the PRA may expect it to adopt one or more of the most resilient options available to maximise its chances of maintaining resilience in the event of a serious outage. Conversely, if a non-significant firm wishes to do so, a less resilient but nonetheless robust option or combination of options could be appropriate.

10.8

The PRA expects firms to consider the implications of deliberately destructive cyber-attacks when establishing or reviewing data recovery capabilities, either individually or collaboratively.

10.9

In line with Fundamental Rule 7, in the event of a disruption or emergency (including at an outsourced or third party service provider), firms should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the Bank, PRA, FCA, other international regulators, and, if relevant, the service providers themselves, are informed in a timely and appropriate manner.

Stressed exits

10.10

Firms’ exit plans should cover stressed exits and be appropriately documented and tested as far as possible.

10.11

A key objective of the stressed exit part of exit plans is to provide a last resort risk mitigation strategy in the event of disruption that cannot be managed through other business continuity measures, including those mentioned in the previous section (eg the insolvency or liquidation of a service provider).[46]

Footnotes

  • 46. In intragroup outsourcing scenarios, the stressed parts of these exit plans can also help facilitate compliance with Operational Continuity 4.4 where applicable.

10.12

The PRA does not prescribe or have a preferred form of exit in stressed scenarios. Its focus is on the outcome of the exit (ie the continued provision by the firm of important business services provided or supported by third parties), rather than the method by which it is achieved.

10.13

The PRA does, however, expect firms to identify viable forms of exit in a stressed exit scenario, and give meaningful consideration to those that best safeguard their operational resilience, which may include but not be limited to:

  • bringing the data, function, or service back in-house/on-premises;
  • transferring the data, function, or service to an alternative or back-up service provider; or
  • any other viable methods.

10.14

The PRA expects firms to consider the available tools that could help facilitate an orderly stressed exit from a material outsourcing arrangement. Such tools are constantly evolving, in particular in technology outsourcing, including cloud, and may include:

  • new potential service providers;
  • technology solutions and tools to facilitate the switching and portability of data and applications; and
  • industry codes and standards.

10.15

The PRA recognises that, in an intragroup outsourcing context, firms’ exit options might be more limited than in other scenarios. This is particularly true for third-country branches, which are unable to enter into standalone contractual arrangements with third parties. Nevertheless, the PRA expects third-country branches to take reasonable steps to try and identify options, however limited, to maintain their operational resilience.

10.16

Firms should also actively consider temporary measures that can help ensure the ongoing provision of important business services following a disruption and/or a stressed exit, even if these are not suitable long-term solutions (eg contractual or escrow arrangements allowing for continued use of a service or technology for a transitional period following termination).

Governance of business continuity plans and exit plans

10.17

Firms should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material (see Chapter 5). Doing so will enable them to:

  • use the due diligence process to identify potential alternative or back-up service providers;
  • estimate the cost, resourcing, and timing implications of the proposed business continuity or exit plan in both stressed and non-stressed scenarios as part of the risk assessment;
  • identify data they may need to access, recover, or transfer as a priority in a disruption or stressed exit; and
  • define the key performance indicators (KPIs) and key risk indicators (KRIs) which, if breached, may trigger an exit (both stressed and non-stressed).

10.18

Firms should evaluate what would be involved in delivering an effective stressed exit and use this to formulate plans for such an exit, which will help them identify any assets and skills required. As soon as practically possible, firms should seek to test the stressed exit plans to ensure they are functional and meet expectations around impact tolerances, costs, etc.

10.19

Once an outsourcing arrangement has been implemented, firms should test their business continuity and exit plans on a risk-based approach. Where possible and relevant, this testing should align to, support, or even be a component of firms’ scenario testing under Operational Resilience – CRR Firms 5 and Operational Resilience – Solvency II Firms 5. For instance, one of the severe but plausible scenarios that firms may select for this testing could involve a failure or disruption at a third party or their supply chain, based on previous incidents or near misses within the organisation, across the financial sector and in other sectors and jurisdictions. In line with paragraph 6.4 and the FSB Effective Practices, firms and third parties should commit to support the testing of such plans.

10.20

For firms subject to the CBEST framework, the CBEST implementation guide notes that ‘malicious Insider and Supply Chain Scenarios are a feature of the threat landscape for many firms. These scenarios should always be analysed and discussed during CBEST’. Where required, these firms ‘should plan in advance the involvement of staff and third parties to increase the reality of assessment’.[47]

10.21

Consistent with the EBA ICT GL, firms should also update their business continuity and exit plans with lessons learned from these tests, including with new risks and threats identified and changed recovery objectives and priorities (if any).

10.22

Firms should assign clear roles and responsibilities for business continuity and exit plans. Subject to proportionality, they may establish cross-disciplinary teams to develop, document, test, and execute their business continuity and exit plans, especially in stressed scenarios (which may include communicating with the PRA and other relevant stakeholders in the event of disruption). Based on the size and complexity of the firm, these teams may include relevant business lines, control functions, technical experts (eg IT specialists), and be chaired by an SMF. Firms should also allocate responsibility for signing off business continuity and exit plans, including updates thereafter, and the decision to activate them.

10.23

When developing business continuity and exit plans, firms should define the objectives of the plan, including what would constitute successful business continuity or a successful exit in both stressed and non-stressed scenarios, by reference to measurable criteria such as costs, functionality, time, and the firm’s impact tolerances for important business services.

10.24

Firms should take reasonable steps to test exit plans; in particular, those relating to stressed exits. The extent and nature of testing will vary depending on the type of outsourcing arrangement and corresponding exit plan. For instance, a firm running a hybrid cloud structure may take into account the potential back-up functions located in its private cloud elements. Likewise, a firm that keeps backup copies of data which it has outsourced to the cloud outside the cloud environment may focus its testing on assessing the ongoing consistency of both sets of data and reconciling them as appropriate. Firms should also assess and take reasonable steps to manage any operational risks that may be caused or increased by the actual testing (eg data theft).
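The consistency check described in this paragraph for a firm that keeps off-cloud copies of data outsourced to the cloud can be automated. The following is an added example, not part of the supervisory statement: each copy is summarised as a manifest mapping object paths to SHA-256 content digests, and the two manifests are reconciled to list objects that are consistent, differ in content, or exist on only one side. Comparing digests rather than the data itself also limits the volume of sensitive data that has to move during the test, which is one of the operational risks of testing the paragraph asks firms to manage. The paths and file contents are constructed sample data; the function names are hypothetical.

```python
"""Reconcile a cloud-hosted backup set against an off-cloud copy.

Added example of the consistency check described in 10.24 (not PRA text).
Both copies are summarised as manifests (path -> SHA-256 of content) and
compared, so divergence is detected by content rather than by file size or
timestamp. The sample objects below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex digest of an object's content."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: dict[str, bytes]) -> dict[str, str]:
    """Map each object path to the digest of its content.

    In a real run each side builds its own manifest locally, so only
    digests (not policy data) cross the boundary for comparison.
    """
    return {path: sha256_hex(content) for path, content in objects.items()}


@dataclass
class Reconciliation:
    consistent: list[str] = field(default_factory=list)      # same content on both sides
    mismatched: list[str] = field(default_factory=list)      # present on both, content differs
    missing_in_copy: list[str] = field(default_factory=list)  # in primary, absent from off-cloud copy
    extra_in_copy: list[str] = field(default_factory=list)    # in off-cloud copy, absent from primary

    @property
    def is_consistent(self) -> bool:
        """True only when every object matches on both sides."""
        return not (self.mismatched or self.missing_in_copy or self.extra_in_copy)


def reconcile(primary: dict[str, str], copy: dict[str, str]) -> Reconciliation:
    """Compare two manifests and classify every path seen on either side."""
    result = Reconciliation()
    for path in sorted(primary.keys() | copy.keys()):
        if path not in copy:
            result.missing_in_copy.append(path)
        elif path not in primary:
            result.extra_in_copy.append(path)
        elif primary[path] != copy[path]:
            result.mismatched.append(path)
        else:
            result.consistent.append(path)
    return result


# Constructed sample data: the cloud-hosted set and the off-cloud copy.
CLOUD_SET = {
    "policies/2024-01.csv": b"policy_id,holder\n1001,A\n1002,B\n",
    "policies/2024-02.csv": b"policy_id,holder\n1003,C\n",
    "claims/open.json": b'{"open": [7, 9]}',
}
OFFSITE_COPY = {
    "policies/2024-01.csv": b"policy_id,holder\n1001,A\n1002,B\n",
    "policies/2024-02.csv": b"policy_id,holder\n1003,C\n1004,D\n",  # diverged
    "archive/2023.csv": b"policy_id,holder\n900,Z\n",                # only off-cloud
}


def run_check() -> Reconciliation:
    """Build both manifests from the sample data and reconcile them."""
    return reconcile(build_manifest(CLOUD_SET), build_manifest(OFFSITE_COPY))


if __name__ == "__main__":
    r = run_check()
    print("consistent     :", r.consistent)
    print("mismatched     :", r.mismatched)
    print("missing in copy:", r.missing_in_copy)
    print("extra in copy  :", r.extra_in_copy)
    print("backup sets consistent:", r.is_consistent)
```

Each mismatched or missing path is an object that would not be recoverable as expected in a stressed exit, so the list is the input to the reconciliation step rather than the end of the test.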

10.25

Business continuity and exit plans should be reviewed periodically to take into account developments that may change the feasibility of the business continuity measures or an exit, eg:

  • an increase in the number of availability zones or regions offered by a current service provider;
  • changes to the firm’s business requirements;
  • the emergence of new, potentially viable alternative providers; and/or
  • developments in technology or other tools to facilitate the porting of data and applications (eg among cloud providers or between firms’ on-premises environments and the cloud).

Table 9: Contingency planning in outsourced insurance policy administration
Contingency planning – observed best practice in insurers

In 2019, the PRA conducted a thematic review of insurers' contingency plans in the event of the failure of a material outsourced service provider providing policy administration services. The PRA identified the following good practices, which insurers may wish to consider when conducting their contingency planning:

  • Proposals to act collaboratively with other insurers who share a common outsourcer, in the event of outsourcer failure.
  • Evidence of awareness of the challenges of utilising step-in rights where there are shared services.
  • Evidence that the contingency plans had been signed off at an appropriately senior level given the criticality of the outsourced service.
  • A list of named contacts and details of individuals and teams responsible for implementing the contingency plan.
  • Evidence that contractual provisions took contingency planning into consideration, for instance, by including provisions on:
    • step-in rights;
    • provisions to transfer employees of the service provider to the insurer under the Transfer of Undertakings (Protection of Employment) Regulations (TUPE); and
    • access by the insurer to necessary data and systems of the service provider.
  • Consideration of a range of scenarios in which a contingency plan may need to be used, including:
    • financial and/or operational failure of the service provider; and
    • if the service provider enters or is at risk of entering into administration or liquidation.
  • An assessment of the:
    • substitutability of the service being outsourced;
    • availability of alternative service providers;
    • cost and resource implications of implementing a given contingency plan. For example, if an insurer intends to bring an outsourced service back in-house as part of its contingency plan, it should consider whether it would require more staff, where these staff would be based, and whether the necessary infrastructure is in place to support its continued delivery of the service; and
    • time it would take to implement a given contingency plan.
  • Evidence that key assumptions made in the assessments have been tested.