Step 3: plan for recovery and restoration
The regulated entity should plan for effective recovery and restoration of operations following disruption. Those plans need to consider the extent to which third party suppliers’ people, processes, technology, facilities and information can contribute to that recovery. The regulated entity will likely want assurances around capacity specifications, recovery time objectives and restoration of service priorities, and recovery point objectives for data/processes.
The conditions that prompt activation of a recovery plan should be clear and the role that the supplier has in meeting recovery objectives should be agreed. The scope and frequency of backups of data and underlying ICT systems and technology infrastructure, for example the use of active/active or active/passive data centres, should be proportionate to the risk.
Regulated entities should be able to demonstrate that they can retain flexibility to deliver important business services when disruption occurs. The PRA expects regulated entities to consider temporary measures that may need to be put in place, even if those measures will not be suitable as long-term solutions.
The FCA similarly expects regulated entities to consider circumstances where it may be preferable to require a supplier to provide a degraded service rather than keep it offline until it can be fully restored. The regulated entity should have the ability to determine whether “the benefits of resuming a degraded service outweigh the negatives of keeping the service unavailable until the issues have been fully remediated”.
Step 4: test your plans – “war gaming”
Disruption scenario testing against the recovery/restoration plans should be run regularly. As part of this, scenarios for testing, including “severe but plausible ones”, need to be selected.
The PRA gives a failure at a third party or in its supply chain as one example of a scenario to test. It also says that previous incidents or near misses within the organisation, across the financial sector or those of other sectors and jurisdictions can also be used.
Four scenarios the FCA lists for regulated entities to consider testing are:
- corruption, deletion or manipulation of critical data;
- unavailability of facilities or key people;
- unavailability of third party services critical to the delivery of important business services; and
- loss or reduced provision of technology underpinning the delivery of important business services.
The regulated entity should work with its suppliers to validate their scenario testing. According to the FCA this should involve assessing “the suitability of the methodologies, scenarios and considerations adopted by the third party in carrying out testing”.