On 2 October 2024, the Bank of England (the BoE) conducted its latest UK market-wide simulation exercise, SIMEX 24. SIMEX 24 tested the UK financial services sector's response to a major infrastructure failure that would require a total sector shutdown and restart. Similar exercises were conducted in 2018 and 2022.
This simulation exercise was carried out by the BoE in partnership with HM Treasury, the Financial Conduct Authority (the FCA), UK Finance and participants in the financial services sector as part of the Cross Market Operational Resilience Group.
In this article, we will look at what is meant by operational resilience and why it matters, the purpose of these simulation exercises and some key takeaways and recommended next steps that UK financial services firms may wish to consider taking.
Operational resilience
The FCA has summarised operational resilience as the ability of firms to "prevent, adapt, respond to, recover and learn from operational disruptions".
The FCA and Prudential Regulation Authority (the PRA) rules do not define the term "operational resilience". Rather, they create an obligation for firms to ensure that they are able to remain within their impact tolerance for each of their important business services in the event of a "severe but plausible disruption to its operations".
Important business services are, broadly speaking, those services which, if disrupted, could pose a risk to the firm's clients, its own safety and soundness or to the UK financial system. Impact tolerance is the maximum tolerable level of disruption to an important business service.
Among other things, firms are required to conduct scenario testing of their ability to remain within their impact tolerances for each of their important business services. Firms must identify an appropriate range of adverse circumstances of varying nature, severity and duration. Under FCA rules, firms are expected to involve the third parties on which they rely for the delivery of important business services, to ensure the validity of scenario testing, though the firm always remains ultimately responsible for the quality and accuracy of any testing.
Why does it matter?
The FCA and the PRA both view operational resilience as a key priority, as is evident from their respective business plans. In particular, the regulators expect firms to identify weaknesses in their operational resilience and, among other things, to invest in improving processes, infrastructure, training and back-up systems to address those weaknesses, and to improve their contingency plans.
The increased focus on operational resilience has come at a time when the risks to firms operating within the sector have become increasingly challenging and complex to address. Examples of recent disruption include the impact of the COVID-19 pandemic, the increased risk of cyber-attacks (including by state-sponsored actors, as flagged recently by the National Cyber Security Centre) and risks to the financial services industry arising from increasing reliance on third-party service providers, especially technology providers.
A recent example of the latter is the 2024 CrowdStrike outage, which affected millions of users, including in the financial sector. In its aftermath, the FCA reiterated the importance of scenario testing and analysis and set out how this particular disruption offers lessons for firms in improving their ability to respond to and recover from future disruptions. In particular, the FCA found that firms that had tested severe but plausible scenarios, mapped their important business services and allocated the resources necessary to deliver those services were able to reduce the overall impact of the incident on their operations.
These risks are likely only to increase in the short term, given continued geopolitical tensions and the emergence of new potential technological threats such as the malicious use of artificial intelligence and, perhaps further down the line, quantum computing.
Purpose of exercises like SIMEX 24
The Cross Market Operational Resilience Group is at the heart of industry efforts to improve operational resilience through, amongst other initiatives, developing market-wide simulation exercises such as SIMEX 24 to identify risks to operational resilience, create solutions to improve the operational resilience of the sector, and share knowledge for the benefit of the wider industry.
SIMEX 24 is the latest exercise in a continuing programme to test the financial sector's response to challenging scenarios. These include scenarios listed on the UK Government's National Risk Register, such as cyber-attacks (state-sponsored or otherwise), terrorist attacks, natural disasters and societal disorder. We can almost certainly expect similar exercises to be conducted in the future.
With respect to SIMEX 24, the Cross Market Operational Resilience Group will use the findings of the exercise to ensure that the sector develops collective capabilities to mitigate the risks the exercise exposed, delivering operational resilience improvements that benefit the safety and security of customers and the wider financial sector.
Key takeaways for firms
SIMEX 24 demonstrates that operational resilience is high on the regulatory agenda. Firms should therefore review any recommendations arising from the SIMEX 24 exercise and may need to update their scenario testing and related policies and procedures to reflect the findings. In particular, firms should have regard to the FCA's findings in relation to the CrowdStrike outage and consider including, where relevant, third-party service providers that are crucial to the delivery of important business services in their scenario testing and scenario analysis. Finally, firms should also consider whether their use of emerging technologies such as distributed ledger technology (DLT) and artificial intelligence could give rise to additional risks capable of causing a "severe but plausible disruption" to their important business services.
This article was originally published in Law360.