Blog: Flow operational resilience requirements into services contracts – Pinsent Masons

The good news is that many of the provisions that firms already include in contracts in order to meet regulatory requirements on outsourcing or the use of third party providers will help firms satisfy operational resilience requirements. However, that should not diminish the need to keep operational resilience front-of-mind for firms when contracting with suppliers.

Navigating sensitivities around disclosure

The UK Prudential Regulation Authority (PRA) defines ‘operational resilience’ as “the ability of firms, their groups and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions”. This concept does not assume that disruption will never happen; instead it focuses on how financial services firms should manage disruption, learn from it, and keep it within the tolerances they have set.

The first step for financial services firms is to identify their important business services and map “the people, processes, technology, facilities and information necessary” to deliver those services. This mapping exercise will need to consider third party arrangements. Firms will need to review mapping regularly, so it is important to ensure that third party contracts permit disclosure of this information. Firms should strive to ensure that the information is shared with them through the operation of normal governance and management information provisions, rather than having to rely on audit provisions.

Suppliers may be nervous about disclosing sensitive information around potential vulnerabilities in relation to their systems or services, but this information is necessary to consider how disruption would manifest and be mitigated. Therefore, confidentiality provisions should be drafted to permit disclosure where required to satisfy regulatory requirements.

Reflecting tolerances in service levels

Financial services firms need to set impact tolerances for important business services – that is, the maximum tolerable level of disruption for each service. Once done, the firm must ensure that the tolerances are reflected in service levels. For example, if payment of an annuity must happen within 36 hours, because any further delay would have a significant impact on vulnerable customers, the service level around supporting that annuity payment must be set at less than 36 hours in the services contract.

Some financial services firms may wish to include specific clauses relating to operational resilience, under which suppliers must ensure that the services are not overly dependent on key personnel or specific locations. It is important that the contract also obliges the supplier to provide information about how it meets these requirements, so that the financial services firm can assess compliance and manage risk.

Reflecting operational resilience requirements in outsourcing contracts

Compliance with regulatory outsourcing and third party contracting requirements will already drive a need for certain contract clauses, but financial services firms should note that there is an operational resilience angle to these requirements as well.

In relation to business continuity, the PRA’s supervisory statement SS2/21 requires both customer and supplier to support one another on the testing of business continuity plans – the operational resilience angle is that the plans should take account of the impact tolerances for important business services.
