Operational Resilience

1.1

Unless otherwise stated:

1. (1) other than Chapter 8, this Part applies to every firm that is a CRR firm;
2. (2) Chapter 8 applies to every CRR consolidation entity.

1.2

In this Part, the following definitions shall apply:

external group end user

means a person who receives services and who is not a member of the CRR consolidation entity's consolidation group.

impact tolerance

means the maximum tolerable level of disruption for an important business service or an important group business service as measured by a length of time and any other relevant metrics.

important business service

means a service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:

1. (1) where the firm is, or is controlled by, an O-SII, the stability of the UK financial system; or
2. (2) the firm’s safety and soundness.

important group business service

means a service provided by a member of the CRR consolidation entity's consolidation group to an external group end user which, if disrupted, could pose a risk to:

1. (1) where any member of the CRR consolidation entity's consolidation group is an O-SII, the stability of the UK financial system; or
2. (2) the safety and soundness of any CRR firm within the CRR consolidation entity's consolidation group.

1.3

[deleted.]

2.1

A firm must identify its important business services.

2.2

A firm must set an impact tolerance for each of its important business services.

2.3

The impact tolerance set for each important business service must specify the first point at which a disruption to the important business service would pose a risk to:

1. (1) where the firm is, or is controlled by, an O-SII, the stability of the UK financial system; or
2. (2) the firm’s safety and soundness.

2.4

The impact tolerance set for each important business service must specify the length of or point in time, in addition to any other relevant metrics, for which a disruption to that important business service can be tolerated.

2.5

A firm must ensure it can remain within its impact tolerance for each important business service in the event of a severe but plausible disruption to its operations.

2.5A

Where a firm is a member of a group, the firm must ensure it accounts for any additional risks arising elsewhere within its group that may affect the firm’s ability to comply with 2.5.

2.6

A firm must comply with 2.5 within a reasonable time of the rule coming into effect and in any event by no later than 31 March 2025.

3.1

A firm must have in place sound, effective and comprehensive strategies, processes and systems that enable it adequately to:

1. (1) identify its important business services;
2. (2) set an impact tolerance for each important business service; and
3. (3) identify and address any risks to its ability to comply with the obligation under 2.5.

3.2

The strategies, processes and systems required by 3.1 must be proportionate to the nature, scale and complexity of the firm’s activities.

4.1

As part of its obligation under 3.1, a firm must identify and document the necessary people, processes, technology, facilities and information required to deliver each of its important business services.

5.1

As part of its obligation under 3.1, a firm must carry out regular scenario testing of its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.

5.2

In carrying out the scenario testing required by 5.1, a firm must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to delivery of the firm’s important business services in those circumstances.

5.3

The scenario testing required by 5.1 must be proportionate to the nature, scale and complexity of the firm's activities.

6.1

A firm must prepare and regularly update a written self-assessment of its compliance with this Part.

6.2

The content and level of detail of a firm’s written self-assessment must be proportionate to the nature, scale and complexity of the firm’s activities, and where applicable to the activities of the consolidation group of which the firm is a member.

6.3

A firm must maintain, and be able to provide to the PRA on request, a current version of its written self-assessment, together with all versions produced during the preceding three years.

7.1

A firm must ensure that its management body approves the important business services identified by the firm in compliance with 2.1.

7.2

A firm must ensure that its management body approves the impact tolerances set by the firm in compliance with 2.2.

7.3

A firm must ensure that its management body approves and regularly reviews the self-assessment required by 6.1.

8.1

[deleted.]

8.2

[deleted.]

8.3

[deleted.]

8.4

[deleted.]

8.5

[deleted.]

8.6

A CRR consolidation entity must identify each important group business service.

8.7

A CRR consolidation entity must set an impact tolerance for each important group business service.

8.8

A CRR consolidation entity must assess whether each member of the CRR consolidation entity’s consolidation group providing each important group business service could remain within the impact tolerance set for that important group business service in the event of a severe but plausible disruption to its operations.

8.9

The impact tolerance set for each important group business service must specify the first point at which a disruption to the important group business service would pose a risk to:

1. (1) where any member of the CRR consolidation entity’s consolidation group is an O-SII, the stability of the UK financial system; or
2. (2) the safety and soundness of any CRR firm within the CRR consolidation entity’s consolidation group.

8.10

The impact tolerance set for each important group business service must specify the length of or point in time, in addition to any other relevant metrics, for which a disruption to that important group business service can be tolerated.

8.11

A CRR consolidation entity must have in place sound, effective and comprehensive strategies, processes and systems that enable it adequately to:

1. (1) identify each important group business service;
2. (2) set an impact tolerance for each important group business service; and
3. (3) assess whether each member of the CRR consolidation entity’s consolidation group providing each important group business service could remain within the impact tolerance set for that important group business service in the event of a severe but plausible disruption to its operations.

8.12

A CRR consolidation entity must ensure that its management body approves:

1. (1) the important group business services identified in compliance with this Chapter;
2. (2) the impact tolerances set in compliance with this Chapter; and
3. (3) the assessment undertaken in compliance with this Chapter.

8.13

The strategies, processes and systems required by this Chapter must be proportionate to the nature, scale and complexity of the consolidation group’s activities.

8.14

A CRR consolidation entity must comply with 8.6 to 8.13 within a reasonable time of the rules coming into effect and in any event by no later than 30 June 2022.