It’s eight months since the FCA rules on operational resilience for financial services institutions came into force in March this year – so where does the insurance industry find itself?
Well, one thing is certain: regulatory compliance is not a new concept for insurers! However, the far-reaching scope of the FCA amendment on operational resilience means much has been left to the market for interpretation, with the initial steer that this is “far more” than simply reviewing business continuity and disaster recovery plans. The rules require firms to identify key business services in relation to customer impact, set out timescales (tolerances) for any outages to these services that they must then adhere to, and subsequently run scenario tests to self-attest compliance with those tolerances.
Mind the gap
This has led to inconsistencies and gaps in approach between firms, and between business operations within individual firms. An FCA survey confirms this (it included insurers and intermediaries from the wholesale, retail and life insurance sectors). While some good practices were observed, there were several areas for improvement. These included broad, blanket responses applied across all identified vulnerabilities for business services, and a lack of understanding of the impact of service disruption on vulnerable customers. There were examples of inappropriately selected tolerance timescales: extremely short impact tolerances (set without recognising their practicality) or extremely long impact tolerances (set by ignoring the reputational and other consequences of operational disruptions). Firms now have a three-year transition period to address any remaining gaps or shortcomings in their operational resilience framework.
Operational resilience by design
So, with no further guidance forthcoming from the regulator, what can insurers do during this transition period? There’s much to refine around the regulatory programme itself, from revisiting tolerance thresholds from a customer impact perspective to continuously improving your in-house self-assessment frameworks (as there continues to be no set template issued by the FCA).
There are, however, some fundamental IT principles that can be embraced and explored over the transition period to 2025 and that will help close these gaps in approach. Central to this is acknowledging that IT resiliency can’t be a “bolt-on”; it has to be “built in”. Insurance IT organisations need to focus on three core principles to ensure operational resilience by design and so harden their future compliance with the FCA rules, embedding the ability to pivot to compliance as future regulations evolve.
1. Identify “where” to deploy a hybrid cloud strategy - not “if”
“Too big to fail” is no longer an acceptable defence in the case of hyperscalers: if the Azure western region goes down, you don’t want all your client-facing apps to go with it…
2. Cyber security needs to be at the heart of everything you do
Embed a culture of cyber: define where you need specific in-house expertise and where to utilise the global shared intelligence and defences of managed security services (CGI’s cyber escape room is a great starter for engaging employees in cyber awareness).
3. Future proof with a composable business and technology architecture
Think “Lego bricks” when making IT solution decisions: select smaller components that are interoperable, and look to multiple suppliers for key components. During an incident this allows failed capabilities to be quickly isolated and switched out, minimising enterprise-wide consequences.
If you’d like to explore how you can ensure operational resilience by design, CGI can help. Contact me to find out how we can help you.