7
Governance
Board responsibilities
7.1
Boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each of these. The Operational Resilience Parts[25] require that a firm’s board must approve and regularly review the firm’s important business services, impact tolerances, and written self-assessment (see Chapter 8 of this SS). In delivering this responsibility, boards must regularly review assessments of the firm’s important business services, impact tolerances, and the scenario analyses of its ability to remain within the impact tolerance for these important business services.
Footnotes
- 25. Operational Resilience 7, Insurance – Operational Resilience 7.
- 31/03/2022
7.2
While individual board members are not required to be technical experts on operational resilience, the PRA expects boards to ensure that they have the appropriate management information. Boards should also collectively possess adequate knowledge, skills, and experience to provide constructive challenge to senior management and inform decisions that have consequences for operational resilience.[26]
Footnotes
- 26. Rule 5.2 in the General Organisational Requirements Part of the PRA Rulebook (CRR firms), Rule 2.7 in the Conditions Governing Business Part of the PRA Rulebook (Solvency II firms).
- 31/03/2022
Management responsibilities
7.3
Firms should establish clear accountability and responsibility for the management of operational resilience, including implementation of the policy set out here. The PRA expects firms to structure their oversight of operational resilience in the most effective way for their business, using existing committees and roles or establishing new ones if necessary.
- 31/03/2022
7.4
Where it exists,[27] the Chief Operations Senior Management Function (SMF) 24 should hold overall responsibility for implementing operational resilience policies and reporting to the board. Consistent with paragraph 2.11G of SS28/15 ‘Strengthening individual accountability in banking’[28] and paragraph 2.22L of SS35/15 ‘Strengthening individual accountability in insurance’,[29] the SMF24 function may be shared or split among two or more individuals. This is on the basis that the split accurately reflects the firm’s organisational structure and that comprehensive responsibility for operations and technology is not undermined. However, firms that have a single senior individual with overall responsibility for internal operations and technology should only have that individual approved as the SMF24. Where the SMF24 function is split, the PRA does not expect it to be split among more than three individuals. Further information on the SMF24 function is contained in the aforementioned Supervisory Statements.
Footnotes
- 27. Rule 3.8 in the Senior Management Functions Part of the PRA Rulebook (CRR firms), Rule 3.7 in the Insurance – Senior Management Functions Part of the PRA Rulebook (Solvency II firms).
- 28. December 2020: https://www.bankofengland.co.uk/prudential-regulation/publication/2015/strengthening-individual-accountability-in-banking-ss.
- 29. February 2020: https://www.bankofengland.co.uk/prudential-regulation/publication/2015/strengthening-individual-accountability-in-insurance-ss.
- 31/03/2022
7.5
Where a firm does not have a board, senior management should take responsibility for the Operational Resilience Parts.[30]
Footnotes
- 30. Operational Resilience 7, Insurance – Operational Resilience 7.
- 31/03/2022