What Is An Important Business Service? - 9 Questions Your Firm Needs to Ask Itself
Drafted by Ben Saunders: OpRes Founder
We have spoken at length over the last several weeks, covering various policies and standards that firms must follow in order to adhere to wide-ranging operational resilience regulations. We’ve discussed impact tolerances, cross-border considerations, and 3rd & 4th party supply chains, as well as the key resilience indicators that your firm should track to gain real-time insights into your resilience posture. However, all of this starts with understanding the important business services that your organisation provides to customers.
But what exactly is an important business service? And how can your firm build a view of its customer & market critical functions? Let’s first explore what the Financial Conduct Authority (FCA) & Prudential Regulation Authority (PRA) have to say on this subject.
Over the course of the last two years, the PRA & FCA have been in joint consultation with firms to shape and define a common understanding of what an important business service is. The joint consultations “proposed that firms and FMIs would be required to identify and prioritise the services that, if disrupted, would impact the supervisory authorities’ objectives and thereby the public interest as represented by those objectives.”
Furthermore, firms have been informed that they must consider how disruption to these business services can cause impacts “beyond their own commercial interests”. In other words, if things break, what is the impact on both customers and the wider financial system? (See our blog about complying with cross-border operational resilience policies for more in this space). What’s more, the definitions of what an important business service is have differed between the FCA and PRA.
That aside, an effort has been made to converge on a common definition as much as possible. The illustration below is taken from a joint PRA & FCA covering document regarding operational resilience policies. It sets out their respective definitions of what an important business service is.
Image is taken from PRA & FCA Joint Covering Document: Operational resilience: Impact tolerances for important business services
If we dissect the points raised above, firms need to work through the following:
Consider a number of severe, yet possible disruptions to business services.
If disruptions are experienced to these business services, what would the impact be to customers and the wider financial system?
How would the firm’s obligations be affected if its safety and financial soundness suffered a significant impact?
All in all, this comes down to potential risk, and the likelihood of risks manifesting into disruptions that cause intolerable harm to both customers and the financial system. Taking this into consideration, what are the deeper data points firms need to consider in order to qualify whether a business service is important or not?
Let’s expand on this with 9 questions we think firms need to ask themselves to correctly identify their important business services:
1. Financial Volume: Firms should conduct a cross-product review of their portfolio to understand the financial volumes moving between their systems and other firms on a day-to-day basis, whether through payment processing or trade confirmation systems. Firms need to question if their financial position could be threatened should a significant disruption occur to a business service.
2. Customer & User Segmentation: As well as the financial volumes which flow through their products, firms need to understand the overall demand for their services by customers and the wider market. This includes both internal and external users of their business services. As an example, an internal user could be a trader or broker, whilst an external user could be a current account customer or 3rd party electronic payments institution. Additionally, in the event of a business service experiencing disruption, would the customer be able to procure it from another provider? If so, in what time frame? Finally, in the event that the business service does experience a disruption, what could the impact be to customers who fall into the “vulnerable” category?
3. Reputational Damage: Whilst this correlates with points 1 & 2, firms also need to ask the question, “If this business service is disrupted, what would the reputational damage be?”. This needs to be looked at through two lenses. Firstly, what could the reputational damage be to the firm itself? Secondly, what could the reputational damage be to the wider financial system in the U.K.? And how would this affect the wider market’s confidence in both the firm and the U.K.’s financial services sector?
4. Time-Sensitive Criticality: Firms should consider the time criticality of particular business services, from the perspective of both customers and the wider financial market. For example, from a customer’s perspective, do they have the ability to make payments that cover bills and essential costs? Or, in the case of the wider financial markets, can the firm commit to its end-of-day reconciliation obligations in the event of a business service experiencing disruption?
5. Data Sensitivity: Firms need to understand the sensitivity of the data being exposed and transferred as part of the business service, both to internal systems and to external market dependents. For example, is the data public, internal-only, confidential, or restricted? In the event of a data breach or corruption, how would this impact customers, the firm, and the wider market?
6. Loss of Functionality: Firms need to assess the impacts which the loss of key functionality could bring to their customers, across important business services. In an increasingly digital-first landscape, the face of financial services is changing on a daily basis. As an example, many banks are becoming increasingly reliant on servicing customers through mobile and web channels only. What happens if these channels experience disruption? How can customers be kept updated about an operational outage? Who do they speak with, and how can you assure them that their investments with you are secure?
7. Legal or Regulatory Censure: If we expand on questions 4 & 5, what is the likelihood of legal or regulatory censure in the event of a business service disruption? As an example, in the event of a data breach, would the firm face severe penalties in respect of GDPR policies? Alternatively, should a service disruption cause intolerable harm to its customers, does the firm carry sufficient financial contingencies in the event of fines and penalties from regulatory bodies?
8. Threats to the Firm: Firms also need to consider the impact of severe operational disruptions on themselves. In the event of a long-tail disruption, how many customers may opt to take their business elsewhere? What would the impact be on the firm’s balance sheet? Could the firm sustain those customer losses and, if so, what are its financial tolerances and impacts?
9. Threats to the Market: Whilst we have seeded this point in several of our prior questions, firms also need to assess the impact of their operational outages on the UK financial system. Examples include the firm’s potential to impact the soundness, stability, or resilience of the UK financial system, an outage’s potential to cause knock-on effects to other market participants, and the importance of a business service to the UK financial system (for example, government services or pension funds). In addition, firms also need to consider factors such as market share, sensitive consumers, and consumer concentration.
What Next?
Hopefully, this has been a useful whistle-stop tour of all things “Important Business Service” related. Whilst not exhaustive, we believe that these 9 initial questions are a useful starting point for firms to ask themselves when preparing their responses to the operational resilience policies. Even from just this initial set of questions, it is evident that this is a tall order for firms to complete by March 2022.
Whilst identifying their important business services, firms also need to turn their attention to building severe, yet plausible scenario testing plans. That in itself feels like another blog!
Thanks for reading and if you have any questions regarding what we have covered today, then feel free to get in touch: hq@opres.uk