At the end of March, Supervisory Statement 1/21, produced by the UK’s Prudential Regulation Authority (PRA), comes into effect. Banks that fall within the PRA’s jurisdiction have to be ready for it. 

The paper imposes a deadline of March 31st 2022 – less than eight weeks away – for starting the implementation of the Operational Resilience Framework. To comply with the rules, firms are obliged to show their plans for meeting policy requirements to regulators. 

Operational resilience is often taken to refer to the robustness of systems to external and internal pressures, but a key aspect of any firm’s operational resilience is the adequacy of its Risk Control Self Assessments (RCSAs). Good RCSAs should alert senior managers to the key risks across their firm, by region and by asset class, thereby enabling effective risk control mechanisms to be put in place, to galvanize overall business strategy. Unfortunately, RCSAs are very seldom efficient enough to achieve this outcome.  

Key RCSA failings:

• RCSAs are presented and treated as a box-checking exercise. They exist often in isolation in a bubble, unrelated and unconnected to overall business strategy or risk appetite.
• RCSAs are static, one-off and retrospective, completed by relevant managers at the same time every quarter or every year. They fail in their ability to enable senior managers to fight tomorrow’s wars, not yesterday’s.
• Each business or asset class tends to conduct their RCSAs in their own way, with different nomenclature and different methodology. The process is siloed and the results are often inaccessible to other businesses and asset classes.

Key takeaway – RCSAs are failing. They are viewed as a chore, are static and remain siloed within each bank. 

A revolution in philosophy and methodology is required if RCSAs are to do the job they were intended to do. Several key objectives should be kept in mind. 

• Rather than providing a snapshot of the key risks at a moment in time, RCSAs should be continuous, monitoring where weaknesses lie, and implementing solutions. Without this, operational resilience can never be more than a pipe dream.
• Within each bank, RCSAs should be conducted according to the same language and criteria and should be totally transparent. They should give senior executives a completely transparent view of all risks within the institution, which can be seen at any time. 
• RCSAs should provide a view of regulatory risks that have not yet crystallised. This means scanning the horizon for imminent regulatory initiatives and enforcement actions. For example, the moment a discussion paper is released by a key regulator, managers should be alerted to looming changes, and due measures of compliance put into place. Risk controls should also be mapped to regulations, so that at any point in time managers can look through their RCSA with a regulatory lens.  In this way regulators can be assured risk is being managed accurately and appropriately. 

Key takeaway – the philosophy and process currently underpinning RCSAs need to be reversed. RCSAs need to be continuous, not static, and forward- not backward-looking.

Only through the compilation and deployment of more thorough and more uniform data, harnessed to the most appropriate technology, will change in RCSA processes become possible. Today, RCSAs are generally executed manually and individually. For any progress to be made this must become as redundant as voice trading in mainstream FX.  

The core of operational resilience is the RCSA. Today, RCSAs are not fit for purpose. A volte-face of philosophy and procedure is required. 

About Acin

Acin has a comprehensive, pre-built risk and control quick start library of inventories constructed through industry consultation and mapped to regulatory guidance, to provide immediate value and accelerate impact. Easily and proactively demonstrate to the regulator, auditors, investors, shareholders, and boards that you are managing climate risk – ahead of regulatory deadlines.