GFSC 2024 focus: Operational resilience

insight featured image
The Gibraltar Financial Services Commission (GFSC) reminds firms of their expectations in relation to Operational Resilience during their annual Insurance Market Update on the 8th of March 2024, and announces their intention to conduct a thematic review of Operational Resilience post July 2024.

Implementing operational resilience

The implementation process necessitates firms identifying important business services, establishing impact tolerances, and document mapping and scenario testing programs to anticipate and mitigate failures.

Mapping should include all critical resources - such as people, IT systems, assets, third parties, facilities - and consider internal and external dependencies. Mapping and scenario testing should evolve as the industries environment changes.

Firms’ approaches need to acknowledge failures are inevitable, and the Board should be able to demonstrate their ownership, direction, evaluation and monitoring of the Operational Resilience Framework.

When implementing the framework, some key areas to consider from an operational standpoint include:

An entity-level approach

Regulators expect insurance firms to take an entity-level approach to operational resilience, with an understanding of how group-level risks will affect the ability to stay within pre-agreed tolerance levels.

Outsourcing and third-party risk

When mapping and assessing processes, this must include those that are outsourced to a third party. This may include intermediaries underwriting businesses, which would be considered a critical service, and third-party payment service providers.

Business continuity

It’s important to differentiate between business continuity arrangements and operational resilience while recognising that business continuity is an important component of operational resilience.

Bearing in mind the complex operating environment for insurers, including intra-group and third-party risks, firms need to make sure they have an appropriate framework and target operating model in place to embed operational resilience standards and prevent economic harm in the event of an outage.

Scenario testing & building resilience

The vulnerabilities identified as part of the mapping of critical services exercise must link to the scenario testing, which must assume disruption has occurred and include failures of backup arrangements and cases where multiple parts of the organisation are disrupted.

The testing must be appropriate, robust, and have continuous involvement with the Senior Management and the Board.

Resilience strategies should prioritise outcomes, considering substitutability of services, reviewing and adapting outsourcing arrangements, and rebuilding and replacing legacy systems.

Early completion of mapping and testing allows firms more time to fortify against vulnerabilities, ensuring operational resilience in a dynamic regulatory landscape.

Operational resilience thematic reviews

Areas that will be covered by the thematic review will include a review of:

  1. The important business services (IBS) identified by the firm and the criteria used by firms to define these.
  2. The impact tolerances set and justifications for such.
  3. The mapping of the IBS to people, processes, technology, data, and facilities.
  4. The vulnerabilities identified.
  5. The firm’s plan for scenario testing and linkage to mapping and vulnerabilities.
  6. Any lessons learnt exercises or scenarios.
  7. How the plan has been considered and approved by the Board, including:
  8. The annual Self-Assessment review of Operational Resilience Framework.
  9. The management information embedded into the cadence of Board reporting.
  10. The interaction between the operational resilience and financial resilience assessment.
  11. The interaction between operational resilience and BCP, Disaster recovery, Cyber Resilience, and Incident Management.

Key considerations and next steps

As the compliance deadline of July fast approaches, the GFSC have published Guidance Notes on Operational Resilience in March 2024 (GFSC guidance notes on operational resilience), and with further impending requirements coming into force from July 2024 and July 2026, insurance firms have a significant amount work to undertake in order to meet regulatory expectations within each timeframe.

How can we help?

Grant Thornton is a market leading firm in preparing financial entities for the introduction of Operational Resilience.

We have worked with several financial entities that fall within the scope of Operational Resilience requirements in supporting them through readiness, business function / service mapping and implementation in preparing those entities for the requirements across the key aspects of GFSC’s Operational Resilience in advance of the July 2024 deadline.

In addition to this, we have received accreditations and possess first-hand experience in engaging with the regulator in this area. We also provide support for firms to comply with the Digital Operational Resilience Act (DORA) requirements, set to come into force in 2025.