Sector Context

Operational resilience has been a key focus area across regulatory jurisdictions. Since the regulators’ rules and guidance came into force in the UK in March 2022, firms within the Financial Services (FS) sector have continued to establish and embed resilient processes into their organisations as they remain on track to comply with the Bank of England’s operational resilience regulations by the end of the transition period in March 2025.

Whilst regulatory focus has been on FS institutions to enhance their resilience capabilities, the supervisory authorities continue to be concerned about the stability of the financial ecosystem as a whole, particularly given that in recent years the FS sector has increasingly outsourced its critical operations and important business services in order to reduce costs, improve flexibility and achieve greater efficiencies.

As a result, the FS sector is now heavily reliant on third party providers, and whilst FS firms may be increasingly resilient following the regulation, the sector is only resilient to the extent that the supply chain is.

Failure and/or disruption to third party provided services could therefore have an impact on the stability of the financial system. In the last few years, there have been limited to no powers over third parties providing services to the sector, although this is now changing with the release of new regulations such as the Digital Operational Resilience Act (“DORA”) and the UK’s Critical Third Parties Consultation Paper. These will bring certain designated critical third parties under direct supervision of FS regulators.

Implementation Challenges for Third Party Providers

Going forwards, the FS sector and regulatory bodies expect that third party providers will need to enhance their mechanisms and operational frameworks to be able to evidence their resilience capability and posture.

For third party providers, resilience isn’t just a regulatory imperative; it presents a strategic opportunity to establish a competitive advantage in the marketplace and earn customer and regulatory trust. However, this won’t be without significant challenges, as third party providers strive to develop the key resilience principles and requirements into actionable plans, working from a starting point of limited operational resilience expertise.

The diagram below outlines the common implementation challenges that third party providers are likely to face, which are no different to the experiences encountered by financial services organisations when initiating their operational resilience activities.

Call to Action

In order to design and embed resilient practices and avoid some of the challenges outlined above, third party providers should look to act now and establish early programmes of work in order to put themselves into a good position.

Obtaining senior executive stakeholder buy-in early on and cascading ‘tone from the top’ messaging will be key for third party providers seeking to drive operational resilience activities, particularly for those that will require time and expertise to ensure that capabilities are up to sector and regulatory expectations, such as internal risk management frameworks, supply chain risk management and scenario testing.

Getting ahead of the curve and starting sooner rather than later is critical and will set organisations up for greater success. Third party providers that are likely to be designated as critical are expected to have a short lead time to adopt and implement the requirements to ensure compliance, whilst other third party providers should seek to implement these principles and measures to operate at a new level of resilience in order to maintain their competitive advantage and retain the services they provide to the FS sector. 

Our Resilience Approach

KPMG has successfully worked with 300 clients globally to establish and embed Operational Resilience practices. We have significant global experience, having developed expertise supporting clients, including significant third party service providers across Europe, Asia and the US, leveraging our capabilities, assets and accelerators in order to achieve key operational resilience outcomes, from vulnerability identification and risk assessments to scenario testing and recovery planning, as well as supply chain risk and resilience across the entire lifecycle.

For more information, please get in contact with Ashley Harris or Georgia Hunter, or visit our Powered Resilience website.