Related links

PS6/21 - Operational resilience: Impact tolerances for important business services https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
PS2/22 - Operational Resilience and Operational Continuity in Resolution: CRR firms, Solvency II firms, and Financial Holding Companies (for Operational Resilience) https://www.bankofengland.co.uk/prudential-regulation/publication/2021/november/operational-resilience-operational-continuity-in-resolution-amendments
SS1/21 - Operational resilience: Impact tolerances for important business services https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-impact-tolerances-for-important-business-services-ss
SS2/21 - Outsourcing and third party risk management https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss

Chapters

  • 1 Application and Definitions
  • 2 Operational Resilience Requirements
  • 3 Strategies, Processes and Systems
  • 4 Mapping
  • 5 Scenario Testing
  • 6 Self-Assessment
  • 7 Governance
  • 8 Group Arrangements
  • 9 Lloyd’s

1

Application and Definitions

1.1

Unless otherwise stated, this Part applies to:

  1. (1) a UK Solvency II firm;
  2. (2) in accordance with Insurance General Application 3, the Society, as modified by 9; and
  3. (3) in accordance with Insurance General Application 3, managing agents, as modified by 9.

1.2

In this Part, the following definitions shall apply:

external group end user

means a person who receives services and who is outside of the group of which the firm is a member.

impact tolerance

means the maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time and other relevant metrics.

important business service

means a service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:

    1. (1) where the firm is a relevant Solvency II firm, the stability of the UK financial system;
    2. (2) the firm’s safety and soundness; or
    3. (3) an appropriate degree of protection for those who are or may become the firm’s policyholders.

important group business service

means a service provided by a member of the firm’s group (other than the firm) to an external group end user which, if disrupted, could pose a risk to:

    1. (1) where a relevant Solvency II firm is a member of the group, the stability of the UK financial system;
    2. (2) the firm’s safety and soundness; or
    3. (3) an appropriate degree of protection for those who are or may become the firm’s policyholders.

relevant Solvency II firm

means a firm which fulfils any of the following conditions:

    1. (1) the firm’s annual gross written premium income exceeds £15 billion; or
    2. (2) the total of the firm’s technical provisions, gross of the amounts recoverable from reinsurance contracts and UK ISPVs, as referred to in Technical Provisions 2.1 to 2.3 exceeds £75 billion,

determined on the basis of the average annual amount assessed across a rolling period of three years, calculated by reference to the firm’s accounting reference date; and where the firm has been in existence for less than three years, the assessment will be made on the basis of the annual average amount for the period during which the firm has existed (calculated by reference to the firm’s accounting reference date).

2

Operational Resilience Requirements

2.2

A firm must set an impact tolerance for each of:

  1. (1) its important business services; and
  2. (2) where Group Supervision 22.2 applies, its important group business services.

2.3

The impact tolerance set for each important business service or important group business service must specify the first point at which a disruption to the important business service or important group business service would pose a risk to:

  1. (1) where the firm is a relevant Solvency II firm, the stability of the UK financial system;
  2. (2) the firm’s safety and soundness; or
  3. (3) an appropriate degree of protection for those who are or may become the firm’s policyholders.

2.4

The impact tolerance set for each important business service or important group business services must specify the length of or point in time, in addition to any other relevant metrics, for which a disruption to that important business service or important group business service can be tolerated.

2.5

A firm must ensure it can remain within its impact tolerance for each important business service in the event of a severe but plausible disruption to its operations.

2.6

A firm must comply with 2.5 within a reasonable time of the rule coming into effect and in any event by no later than 31 March 2025.

3

Strategies, Processes and Systems

3.1

A firm must have in place sound, effective and comprehensive strategies, processes and systems that enable it adequately to:

  1. (1) identify its important business services and, where Group Supervision 22.2 applies, its important group business services;
  2. (2) set an impact tolerance for each important business service and, where Group Supervision 22.2 applies, each important group business service; and
  3. (3) identify and address any risks to its ability to comply with the obligation in 2.5.

3.2

The strategies, processes and systems required by 3.1 must be proportionate to the nature, scale and complexity of the firm’s activities.

4

Mapping

4.1

As part of its obligation under 3.1, a firm must identify and document the necessary people, processes, technology, facilities and information required to deliver each of its important business services.

5

Scenario Testing

5.1

As part of its obligation under 3.1, a firm must carry out regular scenario testing of its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.

5.2

In carrying out the scenario testing required by 5.1, a firm must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to delivery of the firm’s important business services in those circumstances.

5.3

The scenario testing required by 5.1 must be proportionate to the nature, scale and complexity of the firm's activities.

6

Self-Assessment

6.1

A firm must prepare and regularly update a written self-assessment of its compliance with this Part and, where Group Supervision 22.2 applies, Group Supervision 22.

6.2

The content and level of detail of a firm’s written self-assessment must be proportionate to the nature, scale and complexity of the firm’s activities and, where applicable, to the activities of the group of which the firm is a member.

6.3

A firm must maintain, and be able to provide to the PRA on request, a current version of its written self-assessment, together with all versions produced during the preceding three years.

7

Governance

7.1

A firm must ensure that its management body approves the important business services and important group business services identified by the firm in compliance with 2.1 and, where Group Supervision 22.2 applies, Group Supervision 22.3.

7.2

A firm must ensure that its management body approves the impact tolerances set by the firm in compliance with 2.2 and, where Group Supervision 22.2 applies, Group Supervision 22.3.

7.3

A firm must ensure that its management body approves and regularly reviews the self-assessment required by 6.1.

8

Group Arrangements

8.1

Where a firm is a member of a group, the firm must ensure it accounts for any additional risks arising elsewhere in the group that may affect the firm’s ability to comply with 2.5.

9

Lloyd’s

9.1

This Part applies to the Society and managing agents separately.