Flow operational resilience requirements into services contracts

The good news is that many of the provisions that firms already include in contracts in order to meet regulatory requirements on outsourcing or the use of third party providers will help firms satisfy operational resilience requirements. However, that should not diminish the need to keep operational resilience front-of-mind for firms when contracting with suppliers.

Navigating sensitivities around disclosure

The UK Prudential Regulation Authority (PRA) defines ‘operational resilience’ as “the ability of firms, their groups and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions”. This concept does not suggest that disruption will never happen, but instead focuses on how financial services firms should manage it and learn from it, and to keep it within appropriate tolerances they set.

The first step for financial services firms is to identify their important business services and map “the people, processes, technology, facilities and information necessary” to deliver those services. This mapping exercise will need to consider third party arrangements. Firms will need to review mapping regularly, so it is important to ensure that third party contracts permit disclosure of this information. Firms should strive to ensure that the information is shared with them through the operation of normal governance and management information provisions, rather than having to rely on audit provisions.

Suppliers may be nervous about disclosing sensitive information around potential vulnerabilities in relation to their systems or services, but this information is necessary to consider how disruption would manifest and be mitigated. Therefore, confidentiality provisions should be drafted to permit disclosure where required to satisfy regulatory requirements.

Reflecting tolerances in service levels

Financial services firms need to set impact tolerances for important business services – this is about ensuring that a maximum tolerable level of disruption is set. Once done, the firm must ensure that the tolerances are reflected in service levels. For example, if payment of an annuity must happen within 36 hours, because any further delay would have a significant impact on vulnerable customers, the service level around supporting that annuity payment must be set at less than 36 hours in the services contract.

Some financial services firms may wish to include specific clauses relating to operational resilience, where they task suppliers with ensuring that the services are not overly dependent on key personnel or specific locations. It is important that the contract also places obligations on the supplier to provide information about how it meets these requirements, to allow the financial firm to assess compliance and manage risk.

Reflecting operational resilience requirements in outsourcing contracts

Compliance with regulatory outsourcing and third party contracting requirements will already drive a need for certain contract clauses, but financial services firms should note that there is an operational resilience angle to the requirement as well.

In relation to business continuity, the PRA’s supervisory statement SS2/21 requires both customer and supplier to support one another on the testing of business continuity plans – the operational resilience angle is that the plans should take account of the impact tolerances for important business services.

Termination and exit provisions are another core regulatory consideration. Financial services firms need to ensure that the contract includes termination rights that support regulatory compliance, and that any termination allows a smooth transition of the services to another supplier, or back in-house.

The European Banking Authority’s (EBA’s) outsourcing guidelines contain some specific termination triggers to be included in contracts; PRA SS 2/21 is less prescriptive. However, the PRA’s list of “non-exhaustive examples” of potential termination triggers includes “a significant incident at a sub-outsourcer caused extensive and unmanageable operational disruption to a firm so that it could no longer stay within its impact tolerances for important business services”. That will support arguments by financial services firms that they need to be engaged in supply chains and aware of issues that may develop.

Keep operational resilience front-of-mind

Financial services firms are very aware of the contractual requirements driven by regulatory rules around third party contracting such as the PRA’s SS 2/21 and the EBA outsourcing guidelines. Operational resilience is a closely related issue which also feeds into third party contracts. It provides additional justification for financial services firms’ negotiation requirements around sub-outsourcing, audit, business continuity and exit.

While many operational resilience requirements can be covered through these provisions without specific reference to the words “operational resilience”, that does not diminish the need for operational resilience to be an important consideration when drafting and negotiating third party services contracts.