· WeChat official account: Business Continuity+ (业务连续性+)

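Chinese translation of UK financial sector operational resilience materials: Prudential Regulation Authority Policy Statement (main text)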

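Foreword: More and more people are paying attention to operational resilience. Although the field is still developing rapidly, some consensus has already formed. The financial industry is among the sectors most concerned with operational resilience, and in recent years financial regulators in the UK, the US and elsewhere, as well as the Basel Committee on Banking Supervision, have issued or revised formal documents on operational resilience and business continuity management. To help more professionals and enthusiasts follow developments in operational resilience abroad, and to learn and apply good practice, I organised a volunteer translation group in mid-2021 to translate operational resilience materials, and last year published the following: Principles for Operational Resilience, Chinese translation (23 November 2021); Revisions to the Principles for the Sound Management of Operational Risk, Chinese translation (29 November 2021).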

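Afterwards, I organised another volunteer translation group to translate the UK financial regulators' operational resilience materials. Around this year's Spring Festival the group members sent me their draft translations one after another, and after various delays I have recently finished reviewing them. They will be published on this account in turn.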

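The members of the volunteer translation group for this series are listed below (in no order of precedence, sorted by surname in pinyin):
• 安晓冬 (Shanghai, anton_6@163.com)
• 陈阳 (Bank of China European Information Center, chenyang@bankofchina.com)
• 马骏 (Accenture Dalian, patrick.ma2018@outlook.com)
• 彭水娟 (江阴长电先进, Jiangyin, shuijuan2006@126.com)
• 孙宁莉 (韧安咨询, resil-safe@outlook.com)
• 王舵 (Dalian, freelance BCM consultant, prepkids@163.com)
• 吴小林 (Bank of Suzhou, 66886629@163.com)
• 巫文湘 (Kasikornbank (China) Co., Ltd., michael_woo_sz@hotmail.com)
• 徐文静 (DNV, wen.jing.xu@dnv.com)
• 翟红波 (Beijing, 25354646@qq.com)
• 周可政 (Shanghai, wikikivv@gmail.com)
• 王曙 (新常安科技, kevinwang@vip.sina.com)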

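Thanks to all the professionals in the volunteer translation group for giving up their personal time during the pandemic to do this translation work. I am responsible for the final unified review of the translation below. Because my understanding of the UK financial sector is limited, any inaccuracy or misunderstanding in the translation is my responsibility and not that of the translators. If you have comments or suggested changes, please leave me a message.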

王曙(kevinwang) 2022.11.25


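What follows is the main text of the Prudential Regulation Authority (PRA) operational resilience Policy Statement (Policy Statement | PS6/21), published by the UK Prudential Regulation Authority on 29 March 2021. For the original, see: https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/policy-statement/2021/march/ps621.pdf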


Policy Statement | PS6/21 — Operational resilience: Impact tolerances for important business services

1 Overview

1.1 This Prudential Regulation Authority (PRA) Policy Statement (PS) provides feedback to responses to Consultation Paper (CP) 29/19 Operational resilience: Impact tolerances for important business services. [1] It also contains the PRA’s final policy, as follows:
• new Operational Resilience Parts of the PRA Rulebook (Appendix 1);
• amendments to the Group Supervision Part of the PRA Rulebook (Appendix 1);
• a new Supervisory Statement (SS) 1/21 ‘Operational resilience: Impact tolerances for important business services’ (Appendix 2); and
• a new Statement of Policy (SoP) ‘Operational resilience’ (Appendix 3).

1.2 This PS is relevant to:
• UK banks, building societies, and PRA-designated investment firms (banks); and
• UK Solvency II firms, the Society of Lloyd’s and its managing agents (insurers).

1.3 Banks and insurers are collectively referred to as ‘firms’ in this PS.

Background

1.4 In CP29/19 the PRA set out its proposals for operational resilience policy, building on the principles in the 2018 Discussion Paper (DP) ‘Building the UK financial sector’s operational resilience’. [2] The proposals are designed to improve the operational resilience of firms and protect the wider financial sector and UK economy from the impact of operational disruptions. The CP proposed to set requirements and expectations for firms to:
• identify their important business services by considering how disruption to the business services they provide can have an impact on PRA objectives;
• set an impact tolerance for disruption for each important business service; and
• ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe but plausible scenarios.

Summary of responses

1.5 The PRA received 48 responses to the CP. There was general support for the main components of the policy, consistent with feedback to the 2018 DP. Broadly, the responses focused on implementation, proportionality, alignment with the Financial Conduct Authority (FCA), alignment with international principles and requests for further detail on PRA expectations. More detail covering all CP responses is set out under the relevant policy sections in Chapter 2.

1.6 Fifteen respondents highlighted that the final policy should retain a proportionate approach. One respondent commented that smaller firms would benefit from a detailed explanation of how proportionality will apply to them, and one respondent requested that the policy should be more prescriptive. The PRA has considered options for proportionality in all aspects of the policy and has decided that for many areas the most proportionate approach is flexibility. Where possible, the PRA has provided further clarity in the policy changes.

Changes to draft policy

1.7 Where the final rules differ from the draft in the CP in a way which is, in the opinion of the PRA, significant, the Financial Services and Markets Act 2000 (FSMA) [3] requires the PRA to publish:
(a) details of the difference together with a cost benefit analysis; and
(b) a statement setting out, in the PRA’s opinion, whether or not the impact of the final rule on mutuals is significantly different to: the impact that the draft rule would have had on mutuals; or the impact that the final rule will have on other PRA-authorised firms.

1.8 After considering responses to CP29/19, the PRA has amended the following aspects of its draft policy:
• Operational Resilience Parts have been amended to further align definitions and requirements with FCA definitions and requirements; [4]
• Operational Resilience Parts have been amended to specify the firms that are required to consider the stability of the UK financial system when setting their impact tolerances. [5] The SS has been amended to reflect the amendments to the rules;
• Operational Resilience Parts have been amended to specify that firms must specify the length of or point in time, in addition to any other relevant metrics, for which a disruption to an important business service or important group business service can be tolerated; [6]
• paragraph 2.8 of the SS, to include examples of internal services and the circumstances that would necessitate them to be included in a firm’s mapping of an important business service;
• paragraph 2.10 of the SS, to introduce an expectation for firms to review their important business services annually at minimum;
• paragraph 3.3 of the SS, to introduce an expectation for firms to consider the impact of the failure of other related important business services when setting impact tolerances for individual important business services;
• paragraphs 3.6, 3.11 and 3.12 of the SS, to clarify the use of time-based metrics for impact tolerances and how time-based metrics may be used in conjunction with other metrics;
• paragraphs 4.8 to 4.11 of the SS, to provide guidance and examples on how PRA-FCA dual-regulated firms can act to remain within their two impact tolerances;
• paragraphs 4.12 to 4.16 of the SS, to clarify the timeframes for firms to implement the full policy;
• paragraphs 5.6, 5.7 and 6.13 of the SS, to clarify the expectations for firms to undertake assurance work on third parties;
• paragraph 8.3 of the SS, to introduce an expectation for firms to identify any lessons learned when undertaking scenario testing in documenting their self-assessments;
• paragraph 9.2 of the SS, to clarify and introduce an example of important group business services; and
• other minor amendments throughout the SS to improve readability, increase the overall clarity of the PRA expectations, and bring them into line with the current format for these documents.

1.9 The PRA considers that these changes will not have a significant impact on firms, and will not have a significantly different impact on mutuals than for other firms. As a result, the cost benefit analysis has not been updated in respect of these changes.

Implementation

1.10 The Operational Resilience Parts will be effective from Thursday 31 March 2022. To comply with the rules, firms should contact their supervisors to agree their plans for meeting the policy requirements.

1.11 SS1/21 will be effective from Thursday 31 March 2022.

1.12 The final policy set out in this PS has been designed in the context of the UK having left the European Union and the transition period having come to an end. Unless otherwise stated, any references to EU or EU derived legislation refer to the version of that legislation which forms part of retained EU law. [7] The PRA will keep the policy under review to assess whether any changes would be required due to changes in the UK regulatory framework.

2 Introduction to feedback to responses

2.1 Before making any proposed rules, the PRA is required by FSMA to have regard to any representations made to it, and to publish an account, in general terms, of those representations and its feedback to them. [8]

2.2 The PRA has considered the responses received to the CP. The chapters below set out the PRA’s feedback to those responses, and its final decisions.

2.3 The chapters below have been structured broadly along the same lines as the chapters of the CP, with some areas rearranged to better respond to related issues. The responses have been grouped as follows:
• important business services;
• impact tolerances;
• implementation timelines and remaining within impact tolerances;
• mapping;
• scenario testing;
• governance;
• self-assessment;
• groups;
• international alignment;
• alignment with other policy areas; and
• other responses.

3 Important business services

Internal services

3.1 The PRA proposed that firms would be required to identify and prioritise the services that, if disrupted, would impact the PRA objectives and thereby the public interest. These were termed important business services. This represented a shift away from thinking about the resilience of individual systems and operational resources to considering the continuity of the services that firms provide to their end-users.

3.2 Ten respondents asked for clarity as to whether internal services were included within the definition of an important business service. Four respondents asked whether services that are not customer facing such as settlement, treasury services and financial reporting, should be in scope of the definition of an important business services. Respondents suggested that internal services such as human resources or payroll might have a significant impact on the delivery of services if they are disrupted.

3.1 The PRA notes that the outcome of the policy is focused on the delivery of services to external end users. The PRA is therefore requiring firms to prioritise the work to build the operational resilience of those services. While internal services may support the delivery of an important business service, they are not included within the definition of important business services on a standalone basis. If internal services alone were defined as important business services, this would expand the coverage of the policy, and could reduce focus on the most important external services.

3.2 The PRA expects that important business services should be resilient, and this requires the supporting chain of activities to be resilient. To elaborate on paragraph 2.7 of the SS, the PRA expects that the failure to perform internal services need only be considered to the extent that they affect the delivery of external facing business services which have direct consequences for the PRA’s objectives. As such, any internal service that is necessary for the delivery of an important business service should be included in the firm’s mapping, scenario testing, and any remediation to ensure the firm could remain within impact tolerances in severe but plausible disruptions. To provide further clarity, paragraph 2.8 of the SS has been updated to set out an example of internal services and the circumstances that would determine them as necessary for the delivery of the important business service.

Definitions

3.3 Five respondents commented on the differences between the PRA and FCA definitions of important business services. The responses expressed a preference for alignment of the definitions between the supervisory authorities.

3.4 The PRA and FCA consider that the respective policies and definitions are aligned. The PRA expects that work done to meet the requirements of one regulator should be leveraged to meet those of the other. The design and goals of our respective policies are the same, while respecting our different objectives and legal frameworks. The PRA would encourage firms to avoid duplicative work.

3.5 Following comments from respondents, the PRA and FCA have reviewed the definitions to improve consistency and clarity for firms. Accordingly, the PRA definition has been adjusted to set out that an important business service could be delivered wholly or in part by another person.

3.6 Differences in the definitions which remain are driven by a number of reasons, including different objectives, legislation, and regulatory frameworks. For example, the PRA has chosen to use the word ‘person’ in order to align with the language used in the PRA Rulebook, however, the FCA is not subject to this constraint.

3.7 The updated definitions of important business services are detailed in the table below. This will be of particular interest to dual-regulated firms.

Table 1: PRA and FCA definitions of ‘important business service’

Term: Important Business Service

PRA [9]: A service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:
(1) (where the firm is an O-SII/where the firm is a relevant Solvency II firm) the stability of the UK financial system; or
(2) the firm’s safety and soundness; or
(3) (for Solvency II firms) an appropriate degree of protection for those who are or may become the firm’s policyholders.

FCA: A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
(1) cause intolerable levels of harm to any one or more of the firm’s clients; or
(2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

3.8 Nine respondents stated that the definition of important business services is too broad and requested greater specificity to remove ambiguity without becoming overly prescriptive or introducing a taxonomy.

3.9 Five respondents welcomed the PRA’s proposal not to set any taxonomies for important business services. The respondents stated that this approach would allow firms to identify important business services differently.

3.10 The PRA requires firms to identify their own important business services having considered whether disruption to those business services could pose a risk to the firm’s safety and soundness, financial stability or the appropriate degree of policyholder protection (where applicable). When determining the level of granularity at which to define an important business service, firms should consider whether their definition will allow:
• an impact tolerance to be applied to the important business service which can be tested; and
• boards and senior management to make prioritisation and investment decisions.

3.11 Having considered the responses, the PRA has decided to publish the approach as consulted upon. The PRA considers that the most proportionate approach is for firms to have flexibility in identifying their important business services. The PRA encourages firms to use this flexibility to integrate their identification of important business services with existing approaches to operational resilience or related PRA policy such as operational continuity in resolution (OCIR) and Outsourcing and third party risk management.

3.12 Two respondents stated that proposed definitions and descriptions run counter to research and practice in quality management and systems reliability, as the proposals do not embrace the nature of and variation in system composition and tend to focus on parts (in practice, the easily measured ones) rather than the whole system. The PRA considers that the concept of important business services is a shift away from focusing on the operational resilience of individual parts.

3.13 One respondent suggested that firms should be given the flexibility to add extra criteria to shape their prioritisation of business services. The Operational Resilience Parts set out that a business service is an important business service where it could pose a risk to the firm’s safety and soundness or financial stability, or in the case of insurers, the appropriate degree of policyholder protection. Paragraph 2.5 of the SS sets out the factors that firms are expected to consider when identifying important business services. The PRA considers that firms should not be using additional criteria to those set out in the SS if these could reduce the list of important business services identified. However firms could include additional criteria to identify additional important business services if they consider this relevant in meeting the Operational Resilience Parts.

Determining impact on financial stability

3.14 Five respondents said that firms will struggle with practical issues in identifying their impact on financial stability, such as identifying the necessary metrics. One respondent requested an explanation of the requirement for PRA firms to take into account public interest and how the PRA intends to assess and supervise this. One respondent requested that the reference to the financial sector as a whole should be removed from the definition of operational resilience to provide greater clarity. One respondent commented that it would be unlikely for an insurer to impact financial stability through an operational disruption, suggesting that the PRA should focus on safety and soundness unless the firm meets a high criteria, such as large market share.

3.15 Following these responses, the PRA considers that it would be proportionate for small and medium firms to be excluded from the requirement to assess their potential impact on financial stability when identifying important business services and setting impact tolerances. The PRA does expect that larger and systemic firms should have the capabilities and resources to make these decisions. Such firms consider these issues as part of their recovery and resolution planning where appropriate. The PRA has therefore amended the requirement for firms to consider financial stability when identifying important business services and setting impact tolerances. This requirement will be limited to firms identified by the PRA as other systemically important institutions (O-SIIs) and insurers with gross written premiums exceeding £15 billion or technical provisions exceeding £75 billion, both on a three-year rolling average. As firms and supervisors gain more experience of the regime, the PRA may review these thresholds to understand if they are capturing an appropriate universe of firms.

Substitutability

3.16 There were a number of responses in relation to the internal substitutability of firm’s activities. One respondent commented that the PRA’s approach to setting impact tolerances has shifted from alternative processing, ie substitution, in the DP to a more recovery based approach in the CP. One respondent stated that it could be challenging to identify important business services based on external end users, as the firm could have many different channels, ie access to savings. One respondent commented that it was unclear whether the substitutability of a firm’s activities can be considered in identifying important business services and setting impact tolerances.

3.17 The intention of the policy is that firms will be able to resume their important business services within set impact tolerances if it is appropriate to do so. Within a firm, substitutability of operational resources and methods of delivery is likely often to be a key enabler of this. Equally, it may be easier to recover an operational resource than to substitute it. As such, the PRA has no preference between recovery and substitutability.

3.18 Within a firm, substitutability could be one factor that helps firms in deciding the correct granularity for their important business services. For example, if a firm has identified ATMs as an important business service, but finds that cash provision could be achieved through a different channel, then it may be more appropriate to consider ‘access to cash’ to be the important business service, not ATM provision.

3.19 The concept of substitutability is also relevant to market provision by other firms, as opposed to the substitutability of a firm’s own activities. Generally, firms should not assume that other providers will step in to provide an important business service when identifying important business services and setting impact tolerances. The PRA expects firms to consider the impacts of disruption before they are mitigated.

3.20 However, identifying a lack of substitutability from other market providers is an important consideration for insurance providers operating in specialist markets. Paragraph 2.5 in the SS sets out that in the case of insurers, firms should consider if the availability of substitute products would offer a policyholder a similar level of protection. This is to ensure the delivery of important business services in specialist markets to ensure an appropriate degree of policyholder protection.

3.21 Similarly, identifying a lack of substitutability from other market providers will be an important consideration for those firms required to consider financial stability, when identifying important business services and setting impact tolerances.

Important business services, critical functions, and critical services

3.22 Fourteen respondents queried how operational resilience, and in particular important business services, link with existing policies such as OCIR and Outsourcing and third party risk management. Some respondents queried if their approaches to meet such relevant policies could also be used to meet operational resilience requirements.

3.23 The PRA acknowledges that both Operational Resilience and OCIR policies concern firms’ operational services and there is a potential for overlap. However, the PRA considers that important business services and critical services, a term used in OCIR policy, have distinct and useful purposes.

3.24 A firm’s important business services will be a relatively short list of external-facing services for which the firm has chosen to build high levels of operational resilience (redundancy and back-up plans) in anticipation of operational disruption. As such, firms will require a granular, functional understanding of the linkages between the resources that support these services. The list should be manageable for boards and senior management to make prioritisation and investment decisions. A firm’s critical services for OCIR are likely to be a more comprehensive set of internal and external provided services that must continue during the process of resolution from stress to post-resolution restructuring. Because OCIR requires a broader organisational view, mapping for OCIR purposes should cover a broader range of activities, including, potentially, services supporting a firm’s Core Business Lines as proposed in CP20/20 ‘Operational continuity in resolution: Updates to the policy’. OCIR policy requires services to be identified so that contracts will be honoured, staff employed, legal entities maintained, and for critical parts of the business to maintain access to operational assets.

3.25 Using critical services, or the proposed definition of essential services, for operational resilience would be likely to require firms to build the operational resilience of a much wider set of services than necessary to meet the policy’s objectives. Setting the scope of OCIR to important business services would be too narrow for OCIR purposes because operational continuity of the firm during resolution would not be ensured.

3.26 Further details regarding the interaction between OCIR and Outsourcing and third party risk management terminology may be found in PS7/21.

3.27 CP20/20 proposed that work done to map and understand the interconnectivity of functions, business lines, and services should be leveraged to meet the requirements of both OCIR and operational resilience policies once finalised. Given the specific focus of the operational resilience policy on important business services, the PRA considers that finalisation of operational resilience policy need not be contingent on a finalised OCIR policy.

3.28 If the policy currently being consulted upon in CP20/20 is finalised without changes, the firms in scope of the relevant policies would be required to identify critical services, essential services, and important business services. [10] The PRA will respond to consultation responses received regarding OCIR terminology as part of the OCIR CP process.

Example of the interaction of critical functions, critical services and important business services

3.29 The example below sets out one way the concepts of critical functions, critical services, and important business services might apply within a firm. OCIR policy does not provide a list of critical services, nor does it prescribe at what level they need to be identified, so in some cases, a firm might identify its critical services at a different level of granularity.

3.30 In this example, ‘retail current accounts’ is deemed to be a function the firm performs that is critical to the UK economy or UK financial stability, and so is identified as a critical function. This firm has chosen to identify critical services at the level of ‘Client onboarding’, ‘Transactions’, ‘Settlement’, and ‘Reconciliation’.

3.31 All services for which failure would lead to the collapse of, or present a serious impediment to, the performance of the critical function are in scope of OCIR.

3.32 In many cases, a firm’s important business services will also support a firm’s critical functions (where it has them). In contrast to OCIR, these services will always be delivered to external end users and are identified according to which would have the greatest impact on financial stability, safety and soundness, or policyholder protection in the event of an operational disruption. The services the firm has identified as important business services are set out in Figure 1 below.

Figure 1: Critical functions, critical services, and important business services

Examples of important business services

3.33 Nine respondents requested that the PRA provide more examples of important business services. Four respondents wanted more guidance on which business services would be considered common to a majority of firms and what differentiates business services for different types of firms. One respondent asked for more guidance on the types and number of important business services firms should consider, depending on their size and complexity.

3.34 Figure 1 above sets out examples of important business services in the context of a firm that also has critical services and critical functions. Not all firms in scope of this policy will have critical services and critical functions, however Figure 1 is designed to be informative to all firms in demonstrating an approach for how a firm might identify important business services. Other examples have been included in the SS, for example in the context of impact tolerances for dual-regulated firms and the inclusion of internal services as part of an important business service.

3.35 The PRA considers it important that firms are able to take an outcomes-based approach when identifying their important business services. An important business service for one firm may not be appropriate for another. Firms may arrive at different conclusions due to the nature and scale of their client bases. The PRA considers that encouraging boards and senior management to make judgements in the selection of their important business services will facilitate better decision-making as firms build their operational resilience.

Other

3.36 One respondent questioned whether the policy should require that every firm has at least one important business service. The policy aim in focusing on important business services is to ensure that firms prioritise their operational resilience work, and focus on the services that matter. The PRA does not consider that this aim would be achieved if firms did not have any important business services. Therefore, having considered the responses, the PRA will maintain the approach as consulted upon, and require that all firms will have at least one important business service that may impact the firm’s safety and soundness.

3.37 The draft Operational Resilience Parts proposed to require that a firm’s board must approve and regularly review the firm’s important business services, impact tolerances and written self-assessment, but did not specify how frequently the firm should review these. Further, the draft SS proposed that firms should update their mapping annually at a minimum or following significant change if sooner. Additionally, the FCA policy proposed that firms should identify their important business services at least once a year. Five respondents suggested that important business services be reviewed less frequently than the proposed annual expectation, while one firm stated they would prefer to review their important business services more frequently. To align the policy with that of the FCA, the PRA has set out in paragraph 2.10 of the SS that firms should review their important business services annually at a minimum, or sooner if a significant change occurs. The PRA expects firms to undertake an annual check of their existing important business services and whether any new important business services need to be identified.

3.38 One respondent commented that operational disruptions to insurers would not result in a change to their viability and requested that general insurers should be able to consider events with probabilities closer to 1 in 200 years as part of their scenario testing activities for operational resilience.

3.39 To clarify, the PRA’s operational resilience policy assumes that failures will occur and focuses on a firm’s ability to respond to and recover from disruptions. The policy is designed to encourage firms to identify the severe but plausible events that would threaten PRA objectives, including firm viability. General insurers are not immune to cyber-attack, for example, and the PRA expects firms to know which important business services would need to be resumed as a matter of priority and the timescales for doing so. Having considered this response, the PRA is publishing its final policy as consulted upon.

3.40 Paragraph 3.9 of the draft SS set out that impact tolerances should apply at peak times as well as in normal circumstances. One respondent commented that there would be decision-making challenges in identifying how the important business services could change during the different times of the year, and change depending on the ‘point in time’ of client deals. To understand the point at which disruption becomes intolerable and to build the appropriate level of operational resilience, impact tolerances should be formulated with peak times in mind. Firms may wish to consider different times of the day, different points in the year, or broader factors when identifying their important business services and setting impact tolerances. Having considered this response, the PRA is publishing its final policy as consulted upon.

3.41 Two respondents commented that the definition of an important business service refers to individuals who ‘may become insurance policyholders’, but suggests firms should be prioritising the protection of existing policyholders. The PRA has a primary insurance objective of contributing to the securing of an appropriate degree of protection for those who are or may become insurance policyholders. Accordingly, the PRA considers it needs to retain the broader expectation and is publishing its final policy as consulted upon. Firms should continue to assess if they may have important business services that, if disrupted, could impact individuals who may become policyholders.

3.42 One respondent commented that there would be less time-critical business services for non-life insurers and suggested that the policy proposals are therefore disproportionate to general insurance business. The PRA considers that where firms and their business services vary, there may be differences in the approach to operational resilience policy based on the concept of proportionality.

3.43 One respondent requested more information on the Financial Policy Committee (FPC) approach to operational resilience. This is not in scope of the PRA policy.

3.44 One respondent suggested that firms use ‘external end-user profiles’ to frame their supervisory dialogues. The PRA considers that the policy approach gives firms the flexibility to use external end user profiles if they wish to.

4 Impact tolerances

Dual-regulated firms

4.1 The PRA requires firms to consider PRA objectives when setting impact tolerances. Dual-regulated firms must also identify a separate impact tolerance for their important business service, where the important business service is also relevant to the FCA’s objectives. The PRA and FCA set out in the joint covering document accompanying their CPs that the two impact tolerances may be the same or they may differ.

4.2 Twenty-five respondents challenged the necessity for two impact tolerances for dual-regulated firms, suggesting this would be impractical for firms and burdensome. One respondent queried whether two tolerances would be sufficient. One other respondent suggested the PRA and FCA take an approach that lets dual-regulated firms define a ‘zone of disruption’ whereby firms identify the upper and lower impact tolerance parameters, suggesting that the PRA impact tolerance would always be the upper impact tolerance. Respondents commented that the action taken to remain within the impact tolerances should be the same, but the level at which the firm breaches the impact tolerances would differ. Respondents requested more detail on the expected action firms should take to ensure they can remain within both tolerances.

4.3 The PRA emphasises that, if appropriate, a firm may set its PRA impact tolerance for a given important business service at the same point as its FCA impact tolerance. The PRA expects that work done to meet the requirements of one regulator should be leveraged to meet those of the other, and would encourage firms to avoid duplicative work. The PRA and FCA view the design and goals of their respective policies as the same.

4.4 However, the PRA does need to construct its policy in such a way as to advance its own statutory objectives. For this reason, the policy approach has not changed. Dual-regulated firms will need to have identified two separate impact tolerances for their important business services, where the delivery of the important business service is also relevant to the FCA’s objectives.

4.5 The PRA expects dual-regulated firms to understand whether the scenarios that may cause firms to exceed their respective PRA and FCA impact tolerances would differ (whether or not those impact tolerances are aligned), and to take action to ensure they can remain within their PRA impact tolerance.

4.6 The PRA understands that in practice firms may concentrate their efforts in ensuring they can remain within the more stringent tolerance. Taking action to ensure firms can remain within the more stringent tolerance will be acceptable if a firm can demonstrate:
• how they have considered the PRA’s objectives when setting their impact tolerances;
• how their recovery and response arrangements are also appropriate for the longer impact tolerance (recovery and response arrangements must be viable for both shorter and longer time periods); and
• that scenario testing has been performed with the longer impact tolerance in mind as a shorter impact tolerance might constrain the universe of severe but plausible events that a firm might consider.

4.7 The PRA has clarified how dual-regulated firms should interpret impact tolerances in paragraphs 4.8 to 4.10 of the SS. Alongside this clarification, the PRA has added an example in paragraph 4.11 of the SS to illustrate where the impact tolerances between the PRA and FCA would differ, and how firms can demonstrate they have the recovery and response arrangements that would allow them to remain within both their shorter and longer impact tolerances in practice. The example is purely illustrative to provide clarity around these specific expectations, and firms will need to consider how the elements apply to their individual circumstances.

4.8 The PRA clarifies that it does not mandate that dual-regulated firms must set two impact tolerances for all important business services. For example, if an important business service is identified to pose a risk only to the FCA consumer harm objectives, that important business service would not be in scope of PRA policy and would not require an impact tolerance considering PRA objectives.

4.9 Where a firm’s important business service does have an impact tolerance for each authority, the PRA does not suggest that a disruption will always have an impact on the consumer harm objective of the FCA before the safety and soundness objective of the PRA.

Disruption to multiple important business services

4.10 The CP proposed that firms should set impact tolerances for each important business service. Seven respondents suggested that the PRA objectives are more likely to be impacted by a disruption to multiple business services rather than by significant disruptions to single important business services. Respondents suggested that this should be reflected in the PRA’s definition of impact tolerances.

4.11 The PRA recognises that multiple disruptions could significantly compound the impacts of disruptions, and has therefore introduced a new expectation in paragraph 3.3 of the SS for firms to take into account the impact of the failure of other related important business services when setting impact tolerances for individual important business services. These may be related because, for example, they share common resources which support the delivery of the important business services or where simultaneous disruption could have compounding impacts on similar external end users. The PRA expects firms to take a proportionate approach in making this assessment, and only to consider extra layers of complexity where there are significant benefits in terms of building operational resilience.

Measuring and remaining within impact tolerances

4.12 The draft Operational Resilience Parts proposed to require firms to, at minimum, specify the length of time for which a disruption to that important business service can be accepted (i.e. use a ‘time-based’ metric for all impact tolerances). The CP also proposed that firms should ensure they could remain within impact tolerances during severe but plausible scenarios.

4.13 Eleven respondents agreed that the use of time-based metrics should be mandatory but encouraged the PRA to allow for different approaches in how firms meet this requirement. Two respondents also commented that a time-based metric for all impact tolerances could transform setting impact tolerances into a compliance exercise for firms, in which a time-based metric does not best measure disruption to the important business service. Two respondents additionally commented that a focus on time-based metrics may lead to undue focus on technical decisions rather than encouraging flexibility for different situations.

4.14 The PRA considers that the use of time-based metrics is necessary to ensure that firms plan around the continuity of important business services, and ensure that there are contingency plans in place to limit the extent of disruption. This common approach to all impact tolerances would also enable a minimum level of consistency - an idea that was supported by the respondent’s comments. However, the PRA also understands the importance of considering other metrics depending on the type of important business service in question.

4.15 The PRA clarifies that a time-based metric can be defined in different ways and, where appropriate, should be used in conjunction with other metrics. For this reason, the PRA considers the use of a time-based metric would not transform setting impact tolerances into a compliance exercise for firms. The impact tolerance must specify that a particular important business service should not be disrupted beyond a certain period or point in time. As an example, this could be a number of hours/days or a point in time, such as the end of the day, in conjunction with, for example, a certain volume of interrupted transactions. This clarification has been reflected in paragraphs 3.11 to 3.12 of the SS.

4.16 Seven respondents commented that the PRA was not being clear or proportionate in its requirements and expectations for firms to be able to remain within impact tolerances during events beyond firms’ control. Respondents interpreted that the PRA would take regulatory action against firms for failing to remain within their impact tolerances during uncontrollable events such as sophisticated cyber-attacks.

4.17 The PRA clarifies that the aim of the policy is to ensure firms prepare their recovery and response arrangements in advance to ensure they are operationally resilient and hence able to meet their impact tolerances in severe but plausible scenarios. However, during disruption, the PRA expects firms to consider the current circumstances to make informed recovery and response actions, in which they may decide to not resume the provision of their important business services within the specified impact tolerance. As set out in paragraph 3.16 of the SS, the PRA Fundamental Rules will remain relevant to decision making in operational disruptions. When setting impact tolerances, the PRA expects firms to consider the circumstances in which they may decide to not resume the provision of their important business service.

Requests for worked examples and more detail

4.18 Three respondents requested that the PRA provide examples for setting and testing a firm’s ability to remain within impact tolerances. One respondent requested guidance on how impact tolerances should be used in relation to other stages in the lifecycle of a service.

4.19 CP29/19 set out examples on setting impact tolerances, which the PRA considers are still relevant to explain the final policy. The SS provides an additional example in the context of setting an impact tolerance for a dual-regulated firm. However, the operational resilience policy is a framework covering many different firms and it is not possible to provide examples across the wide variety of firms that the PRA regulates. The PRA considers that there are benefits in maintaining an outcomes-based approach. An important business service for one firm may not be appropriate for another. Firms may arrive at different impact tolerances for similar business services due to differences in the nature and scale of their client bases. The authorities consider that encouraging boards and senior management to make judgements in the setting of impact tolerances will facilitate better decision-making as firms build their operational resilience. However, firms may consult with their supervisors to discuss their own specific situations if appropriate.

Definitions

4.20 The CP proposed defining an impact tolerance as the ‘maximum acceptable level of disruption for an important business service’.

4.21 Seven respondents commented on differences between the definitions of impact tolerance between the PRA and the FCA. The respondents requested greater alignment of the definitions between the supervisory authorities.

4.22 The PRA has designed these concepts in collaboration with the FCA and considers that the respective policies and definitions are aligned. Following comments from respondents, the PRA and FCA have reviewed the definitions to improve consistency and clarity for firms.

4.23 Differences in the definitions which remain are driven by a number of reasons, including different objectives, legislation, and regulatory frameworks.

4.24 The updated definitions for impact tolerance are outlined in Table 2 below and are reflected in the final rules. This will be of particular interest to dual-regulated firms.

Table 2: PRA and FCA definitions of ‘impact tolerance’

Term: Impact tolerance

PRA: The maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time in addition to any other relevant metrics. (Marked against the consulted wording: ‘acceptable’ is replaced by ‘tolerable’, and ‘for’ by ‘to’.)

FCA: The maximum tolerable level of disruption to an important business service, as measured by a length of time and any other relevant metrics, reflecting the point at which any further disruption to the important business service could pose intolerable harm to any one or more of the firm’s clients or risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

Process

4.25 One respondent commented that firms have already built systems which can fix issues relating to impact tolerances. Another respondent suggested that firms should be given the flexibility to integrate impact tolerances into existing approaches. Having considered this response, the PRA clarifies that it encourages firms to integrate impact tolerances into their existing approaches where they are suitable for meeting the requirements and expectations of the policy.

4.26 One respondent suggested that a Business Impact Analysis (BIA) may be a useful tool in determining impact tolerances. Having considered this response, the PRA considers that the approach as proposed provides firms with the flexibility to identify and set their own impact tolerances. Therefore, firms may look to processes such as a BIA in order to do so.

Iterative establishing of impact tolerances

4.27 One respondent commented that setting impact tolerances would be challenging initially due to data scarcity. Having considered this response, the PRA clarifies that firms could use qualitative and quantitative factors to set their impact tolerances. The PRA understands that the requirement proposed in the CP to set impact tolerances with reference to financial stability could pose more challenges in obtaining necessary data as opposed to safety and soundness or policyholder protection. This supports the decision set out above in paragraphs 3.14 to 3.15 of this PS, to limit the scope of firms which are required to make this consideration when identifying important business services and setting impact tolerances.

4.28 One respondent said that the policy was too focused on ‘big impact and big responses’ and suggested a more nuanced approach to setting impact tolerances. The PRA clarifies that the policy is intended for firms to set, and take actions to meet, standards of operational resilience during severe but plausible scenarios, however this does not alleviate the need for firms to build resilience under normal operating conditions. Having considered the response, the PRA has decided to publish the final policy as consulted on.

Alignment with risk tolerance/appetite

4.29 One respondent commented that the policy should focus more on preventing disruption. One respondent stated that identifying impact tolerances should encourage firms to direct investment to both proactive (risk reduction) and adaptive (response and recovery) measures, and that the wording of the policy should be adapted to reflect this. Three respondents commented that the policy should take a more risk-based approach overall.

4.30 The PRA considers preventing disruption to be a component of operational resilience. Existing approaches to operational resilience have often focused on prevention, and this should continue to be a priority. The identification of important business services and other aspects of the policy such as mapping should allow firms to focus their prevention work. However, the introduction of impact tolerances for important business services is also designed to improve operational resilience in the financial sector by putting more focus on the assumption that disruptions will occur.

4.31 Having considered these responses, the PRA clarifies that the adoption of the policy is not designed to be at the expense of prevention work. The policy has been designed to ensure the continuity of important business services and introduces a framework to ensure firms set clear standards and ensure they can meet them. The PRA notes that there are many aspects, such as risk management, that support overall operational resilience, and the PRA encourages action in these areas.

4.32 Two respondents requested that the PRA clarify the interdependencies between risk taking and managing disruptions within impact tolerances. Section 3 of the SoP sets out the relationship between operational resilience and operational risk policy.

System wide tolerances

4.33 Three respondents requested clarity regarding impact tolerances which may need a cross-industry approach. One of these respondents commented that it would be insufficient for firms to set impact tolerances based on internal metrics alone and suggested that the PRA instead take a cross-industry approach.

4.34 Having considered these responses, the PRA has decided to publish its final policy as proposed. The PRA strongly supports industry collaboration when identifying impact tolerances, and acknowledges that standards may emerge over time, but this is not a feature of the current policy requirements and expectations. To the extent that there are cross-industry issues that undermine individual firms’ ability to meet their own tolerances, the PRA will be interested in those, and may consider whether further policy action is warranted. However, the PRA expects firms to take responsibility for their own business.

Other impact tolerances responses

4.35 One respondent commented that firms may focus on setting impact tolerances to account for worst case scenarios rather than more likely scenarios, where the likelihood of harm is higher due to the event being more likely to happen. Having considered this response, the PRA would like to clarify that the focus of firms should not be on worst case scenarios but on ‘severe, but plausible’ scenarios as proposed. This is a shift away from the operational risk approach which focuses on likelihood and towards an outcomes-based approach that focuses on firms building their operational resilience.

4.36 一位回应者询问,PRA是否只向被确定为重要服务至关重要的贡献者的机构选征求意见。PRA澄清,征求意见对任何一方的意见都是开放的,运营韧性部分适用于CRR和偿付能力II机构。 4.36 One respondent asked if the PRA is only consulting with firms identified as important contributors to vital services. The PRA clarifies that consultations are open to responses from any party and that the Operational Resilience Parts will apply to CRR and Solvency II firms.

4.37 两位回应者请求进一步澄清,影响容忍度是否会在危机管理和恢复阶段之间进行调整,这可能如何改变事件持续时间,以及如何区分紧急程度和严重程度。 4.37 Two respondents requested further clarity on whether impact tolerances would adjust between the crisis management and recovery phases, how this may change given the duration of an event, and how firms delineate between urgency and severity.

4.38 认真考虑了回应后,PRA澄清,机构可以采取量身定做的方法定义其影响容忍度,并规划其恢复和响应安排如何使其保持在其影响容忍度范围内。监管声明第3.9段规定,影响容忍度应当是扰断的最大可容忍量,并应当适用于峰值时间和正常情况。机构可能希望考虑一天的不同时间、一年中的不同时间或更广泛的因素。PRA认为,扰断不可容忍的时间点不会根据扰断的响应阶段而改变。如果机构认为局部补救足以避免超过影响容忍度,则应当使用影响容忍度指标,明确规定哪些是可以接受的,哪些是不可以接受的。 4.38 Having considered the responses, the PRA clarifies that firms could take a tailored approach in defining their impact tolerances and planning how their recovery and response arrangements allow them to remain within their impact tolerances. Paragraph 3.9 of the SS sets out that impact tolerances should be the maximum tolerable amount of disruption and should apply at peak times as well as in normal circumstances. Firms may wish to consider different times of the day, different points in the year, or broader factors. The PRA considers that the point at which disruption is intolerable would not change based on the phase of response to a disruption. If a firm considers that partial remediation would be sufficient to avoid exceeding an impact tolerance, it should use impact tolerance metrics that clearly set out what would or would not be acceptable.

5 Implementation timelines and remaining within impact tolerances

5.1 The CP proposed a one year implementation period before the Operational Resilience Parts of the PRA Rulebook enter into force. At the time of consultation, the proposed implementation date for the proposals was the second half of 2021. The consultation period was subsequently extended by six months in response to the Covid-19 pandemic. The CP proposed that firms must ensure they can remain within their impact tolerance for each important business service in the event of a severe but plausible disruption within reasonable time, but no later than three years after the Operational Resilience Parts enter into force. In the final policy, three years from the Operational Resilience Parts coming into force (2025) would be over six years after the publication of the Discussion Paper, and five years after the supervisory authorities’ response to the HM Treasury Committee’s Second Report: ‘IT failures in the Financial Services Sector’. [11]

5.2 Twenty-eight respondents expressed concern that performing the analysis to understand their operational resilience and then undertaking the subsequent remediation activities will be challenging in the timeline set out in consultation. Some respondents cautioned that the timelines may rush firms into completing a fragmented operational resilience framework due to the threat of regulatory sanction.

5.3 The policy is designed to balance the risk of further delays to implementation against a proportionate approach that allows firms sufficient time to implement a new regime.

Mapping and scenario testing implementation

5.4 The CP proposed that firms would have one year to implement the Operational Resilience Parts of the PRA Rulebook. The PRA acknowledges firms’ concerns with this implementation timeline, but considers that these must be balanced against the importance of operational resilience. In response to the CP feedback, the PRA has added a new Policy implementation section in the SS (paragraphs 4.12 to 4.16) which sets out how firms should approach meeting the policy outcomes within this timeline.

5.5 The new Policy implementation section in the SS sets out that firms must have identified their important business services and set impact tolerances by Thursday 31 March 2022. In order to achieve this, and to identify any vulnerabilities in their operational resilience, firms should have mapped their important business services and commenced a programme of scenario testing. Firms are not expected to have performed mapping and scenario testing to the full extent of sophistication by Thursday 31 March 2022. Both mapping and scenario testing are ongoing processes, and firms are expected to perform them at varying levels of sophistication over time. The PRA expects that firms’ approach to both mapping and scenario testing should evolve over time.

5.6 The Policy implementation section in the SS introduces an expectation for firms to have a prioritised plan which sets out how they will comply with the Operational Resilience requirements. In order for the plan to be effective, the plan should be put into effect before Thursday 31 March 2022, and senior management are expected to take responsibility for delivering the policy outcomes. As part of the planning described in paragraph 4.14 of the SS, firms should prioritise their efforts on mapping and scenario testing so that firms will be able to identify vulnerabilities in sufficient time so that measures can be taken to remediate them. Firms, particularly larger more complex ones, will need to make choices and prioritise with the ultimate goal of delivering the outcomes of the policy.

Ensuring firms can remain within impact tolerances within three years

5.7 The PRA considers that it is critical that progress is made on operational resilience. The draft Operational Resilience Parts proposed to require firms to first identify their important business services, set impact tolerances, and then invest to achieve a level of operational resilience sufficient for the PRA objectives. The CP proposed that firms would have reasonable time to ensure they can remain within impact tolerances. This would be agreed with supervisors, would be commensurate with the potential impact that a disruption would cause, and would be no later than three years after entry into force of the Operational Resilience Parts.

5.8 Having carefully considered the responses regarding the proposed implementation timeline, the PRA has decided to retain the consultation proposal – firms must ensure they can remain within impact tolerances within a reasonable time and by no later than three years of the policy coming into force. The relevant date is therefore Thursday 31 March 2025. The PRA considers that there is urgency for firms to build and prioritise their operational resilience as soon as reasonably possible. The PRA further considers that it is being proportionate and flexible in its requirement for firms to agree with their supervisors what a ‘reasonable time’ is for them to comply with the requirement to ensure they can remain within impact tolerances.

5.9 The Policy implementation section in the SS clarifies the PRA expectation that, after Monday 31 March 2025, maintaining operational resilience will be a dynamic activity. Firms should have sound, effective and comprehensive strategies, processes and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption.

5.10 In light of the cross-authority decision to postpone the consultation close date to Thursday 1 October 2020, the PRA is amending the year set out in Rule 2.6 to 2025. Based on the final publication date for this Policy Statement, the final Rule instrument sets out that this deadline is Monday 31 March 2025.

6 Mapping

6.1 The CP proposed that a firm would be required to identify and document the necessary people, processes, technology and information required to deliver each of its important business services. In particular, mapping should enable firms to:
• identify vulnerabilities in the delivery of important business services within an impact tolerance; and
• test their ability to remain within impact tolerances.

6.2 Thirteen respondents requested greater clarity and granularity on the mapping expectations. Some respondents queried whether all resources should be mapped and some suggested that the PRA prescribes minimum expectations. Respondents expressed concern that unclear expectations would create inconsistency in the industry and result in some firms going beyond what is required, which could lead to spending resources inefficiently. One respondent commented that mapping requires significant resource and time to be done to a sufficient degree.

6.3 The PRA considers that the approach to mapping will vary between important business services and between firms. This will depend on the different requirements necessary for a firm to meet the outcomes set out in paragraph 5.2 of the SS. The PRA emphasises that the resources that should be mapped are those considered necessary for delivering the important business service. The PRA recognises that building operational resilience is a detailed activity, and for this reason expects firms to focus on a proportionate number of important business services.

6.4 The PRA considers that the proportionate approach should be for firms to take responsibility and ownership of this judgement as opposed to prescribing detailed standards. The PRA also considers that prescribing minimum standards for mapping would require some commonality across how firms could approach mapping and so could limit its usefulness.

6.5 Three respondents commented that it would be difficult to update mapping frequently. One other respondent suggested that mapping should be completed every three years, and one respondent queried what might determine a material change that warrants an update to mapping. To meet the outcomes set out in paragraph 5.2 of the SS, mapping should be usable and thereby up-to-date. A material change would be a change that would negatively affect the firm’s ability to use its mapping in order to meet these outcomes. The PRA recognises that the resources which deliver important business services change frequently and so mapping for these must also update frequently to be usable. The PRA considers it is proportionate to give firms flexibility in determining material changes but expects mapping to be updated at least once a year to ensure a reasonable minimum level of relevance.

6.6 One respondent supported mapping requirements but added that determining the necessary resources should be with reference to the risk profiles of the resources. The approach to operational resilience set out in the CP is that firms should assume failure and ensure they can remain within impact tolerances in the event of severe but plausible disruptions. The PRA will require firms to map the resources necessary to deliver the important business service and the extent of this mapping should enable the firms to meet the outcomes set out in paragraph 5.2 of the SS. This may draw firms’ attention to resources that, if disrupted, would impact the delivery of the important business service, but the PRA does not introduce the concept of likelihood, and thereby risk profiles.

6.7 One respondent commented that mapping is useful to identify resources but more detailed mapping would provide limited benefits in identifying vulnerabilities compared with scenario testing. The PRA considers that the two are inter-related and paragraph 5.2 of the SS directly creates a link between the detail required for mapping and the outcome of facilitating scenario testing.

6.8 One respondent queried how a firm should treat mapping where a service is provided by another group entity outside of the UK perimeter. The respondent suggested that an equivalent depth of mapping would not be consistent with keeping an arm’s-length arrangement with the entity. For outsourcing and third party arrangements, firms are required to gain assurance that such arrangements would not create a vulnerability in meeting the firm’s impact tolerances.

6.9 One respondent commented that boards should not be required to satisfy themselves that the firm is meeting the requirements for mapping. The respondent suggested that this level of detail could undermine a more focused oversight of operational resilience. Having considered this response, the PRA has decided to maintain this requirement as proposed. Paragraph 8.3 of the SS sets out that a self-assessment should detail the firm’s approach to mapping. This should include a description of how the firm has used mapping to identify vulnerabilities and to support testing activity. When a board assesses this part of the self-assessment, they may challenge if the firm’s approach to mapping is sufficient for a firm of the size, scale, and complexity, and should be provided with the management information necessary to make this decision.

6.10 Five respondents requested clarity on including sub-outsourcing dependencies through mapping. The PRA is not prescribing this level of mapping, however, the PRA recognises that this could be an appropriate approach to gaining assurance and performing risk assessments. Paragraphs 9.5-9.6 of SS2/21 set out that firms should assess whether sub-outsourcing is material and ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s relevant policy or policies.

6.11 Two respondents asked if the PRA would help to identify common third parties across the industry and any corresponding concentration risk. One other respondent queried whether the documentation of mapping should be made available to supervisors upon request and one respondent sought assurances that the PRA would hold sensitive mapping information securely. The PRA clarifies that mapping is not a data collection exercise for the PRA, but a method for firms to understand the resources that comprise their important business services and identify vulnerabilities within them. The PRA will not use this work to identify common third parties and other concentration risks, but supervisors will need to be able to assess whether firms are meeting the mapping requirements.

6.12 One respondent suggested that the requirement for end-to-end mapping should be limited to important business services. To clarify, the PRA requires firms to map resources necessary to deliver the important business service. Firms are not required to map their whole organisation.

7 Scenario testing

‘Severe but plausible’ scenarios

7.1 The CP proposed that firms should articulate specific maximum levels of disruption, including time limits within which they will be able to resume the delivery of important business services following severe but plausible disruptions. It also proposed that firms would be required to take action to ensure they remain within impact tolerances in severe but plausible scenarios.

7.2 Seventeen respondents sought further clarity on what a ‘severe but plausible’ scenario entailed. Respondents suggested that a definition or examples for ‘severe but plausible’ scenarios would create consistency in implementation. Six respondents also suggested that the PRA should set out industry-wide scenarios that could allow the PRA to understand the systemic impact a ‘severe but plausible’ industry-wide scenario has on the market. Two respondents suggested that scenarios that are too narrow would risk providing a false assurance to the firm. One respondent suggested approaches to testing should mature over time. One respondent requested clarity as to whether ‘1 in 100 year’ events, such as the Covid-19 pandemic, would count as a severe but plausible event. Another respondent stated that events such as the Covid-19 pandemic would have been considered alongside events such as war and large-scale terrorist attacks in terms of plausibility prior to 2020.

7.3 The CP proposed that firms would be required to test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Paragraph 6.2 in the SS sets out that when setting scenarios, firms could consider previous incidents or near misses within the organisation, across the financial sector and in other sectors and jurisdictions. A testing plan should include realistic assumptions and evolve as firms learn from previous testing.

7.4 The PRA considers this an area where the interest of both firms and the PRA should be aligned. If a firm tests itself to scenarios that are insufficiently severe, then boards and senior management would be taking inappropriate risks with the management of their businesses. The nature and severity of scenarios appropriate for firms to use will vary according to size, complexity, and a firm’s importance to the financial system. Providing a prescriptive definition or lists may limit the range of scenarios firms test themselves against.

7.5 Having considered the responses, the PRA has decided not to provide a detailed definition or lists of severe but plausible scenarios. The PRA expects that this will be a common area for supervisory discussion. Supervisors will ask how firms have selected their scenarios and why. As the industry and supervisory authorities learn more through these conversations, the PRA anticipates that good practice will emerge over time.

Outsourcing and third parties

7.6 The CP proposed that firms should assure themselves that third party providers would not limit a firm’s ability to remain within impact tolerances. Scenario testing is one approach to this. One respondent commented that this proposal is duplicative for individual firms. The respondent suggested an independent certification process for suppliers to confirm they are operationally resilient with reference to pre-agreed impact tolerances. Three respondents suggested that the PRA and FCA should liaise with large third party providers to ensure a coordinated approach, and another respondent encouraged the PRA to consider how regulators might themselves take action to remediate vulnerabilities occurring in third parties.

7.7 The PRA maintains the policy requirement that individual firms should assure themselves about the operational resilience of third parties, but would encourage an industry solution if there are synergies across firms’ assurance work on third parties, such as certifications or other ‘off the shelf’ assurances that third parties could provide to firms. Paragraphs 8.6 to 8.8 of SS2/21 set out that firms should exercise their access, audit and information rights in respect of material outsourcing arrangements to assess whether the service provider is providing the relevant service effectively and in compliance with firms’ operational resilience obligations. Firms may use a range of audit and other information gathering methods, including offsite audits, such as certificates and other independent reports supplied by service providers and onsite audits, either individually or in conjunction with other firms (pooled audits). Chapter 12 of PS7/21 sets out the PRA position on respondents suggesting direct engagement with third party providers.

7.8 Five respondents commented that third party suppliers may be reluctant or slow to take the necessary actions for firms to comply with the policy, particularly where firms have low negotiating power in relation to large suppliers. The CP did not propose that third party suppliers must disclose all (and sometimes sensitive) information to all firms, but firms will need to cooperate with their third party suppliers to assure themselves that they can remain within impact tolerances. In supervising these expectations, the PRA will take a proportionate approach. For testing, evidence that a firm has satisfied itself that a third party has undertaken testing may be sufficient. Linking business continuity and exit planning (as set out in SS2/21) to impact tolerances will enable firms to assure themselves and supervisors that third party arrangements will not create a vulnerability in their operational resilience. Moreover, the PRA considers that this clarification of firms’ expectations from suppliers will help suppliers understand the constraints they are operating under when agreeing contract terms, and thus improve the negotiations for firms.

7.9 The SS has been amended to include paragraph 6.13, setting out that assurance work on third parties should be proportionate. For some firms, this might mean it will not always be appropriate to carry out sophisticated testing on large third party providers. If this is the case, firms should seek alternative ways to gain assurance of their operational resilience such as desktop testing.

7.10 One respondent queried if, in the context of sub-outsourcing, the third party providers are required to test the service provider providing the sub-outsourcing. Chapter 9 in SS2/21 defines sub-outsourcing and sets out the PRA expectations on sub-outsourcing. Paragraph 9.6 of SS2/21 sets out that firms should ensure that the service provider has the ability and capacity on an ongoing basis to appropriately oversee any material sub-outsourcing in line with the firm’s outsourcing policy. This includes establishing that the service provider has in place robust testing, monitoring and control over its sub-outsourcing.

7.11 One respondent queried if unregulated third party suppliers are required to ensure their own board and senior management approve important business services and impact tolerances. These firms are out of scope of the policy.

Approaches to testing

7.12 The CP proposed that firms should develop a testing plan proportionate to the potential impact that disruption might cause. Nine respondents asked for more guidance on scenario testing. Three of these respondents questioned when it might be appropriate to use live-systems testing, suggesting that this can increase the risk of disruption to important business services. The SS has been amended to set out in paragraph 6.7 that Fundamental Rules will remain relevant to decision making and firms should ensure that live-systems testing does not materially risk causing a disruption. Firms should be taking a tailored approach in developing testing plans. Paragraph 6.6 in the SS sets out the factors that firms should consider when developing testing plans and states that the approach to these should be proportionate to the potential impact that disruption could cause. Specific determinants on what is proportionate will differ between important business services and between firms.

7.13 Five respondents sought the PRA’s view on how Operational Resilience scenario testing might link with existing approaches to testing. This includes reference to the Guidelines on ICT and Security Risk Management, business continuity management, operational risk testing, capital provisioning and stress testing for OCIR.

7.14 The PRA encourages that where possible firms should leverage existing testing arrangements irrespective of whether the testing is being required by other policy areas or driven by commercial interests.

7.15 One respondent asked whether the PRA would consult if at a future date it considered it necessary to set scenarios for firms to use when testing. The PRA’s policy does not specify a role for it to set scenarios for firms to test. However, if the PRA were to contemplate setting scenarios for firms in future, it would consider its consultation obligations.

Frequency of scenario testing

7.16 The CP proposed that firms should regularly test their ability to remain within impact tolerances and should develop a testing plan detailing the nature and frequency of a firm’s testing. Four firms questioned how they should interpret ‘regular’ scenario testing, asking if every impact tolerance should be tested annually and if each resource type (people, processes, technology, facilities and information) should be tested annually since each would be captured by different scenarios. The PRA clarifies that regular scenario testing, as proposed in the CP, does not prescribe annual testing. Paragraph 6.6 in the SS sets out that firms which implement changes to their operations more frequently should undertake more frequent scenario testing.

Cost of scenario testing

7.17 One respondent outlined that testing will incur significant investment and may potentially create an operational resilience incident itself. One firm suggested that it would be difficult for firms to analyse second and third order effects on end users. Another respondent asserted that regular testing can be too burdensome and requested a review of the requirement.

7.18 The PRA considers that regular scenario testing is a key way for firms to identify and address any risks to their operational resilience, and has therefore not changed the policy as proposed. The PRA clarifies that supervising this requirement will be proportionate and pragmatic.

Incident data

7.19 Six respondents suggested that the PRA should create an anonymised ‘incident library’ containing real occurrences of operational disruptions that firms could use to assess the plausibility of their own scenarios and obtain further guidance for their own testing.

7.20 The PRA is looking at incident reporting more generally and will take this into consideration for future work, but has made no changes to the policy as consulted upon.

8 Governance

8.1 The CP proposed to require boards and senior management to approve the important business services identified for their firm and the impact tolerances set. The approach to identifying important business services should enable the board to approve the impact tolerances set and make prioritisation and investment decisions. The draft Operational Resilience Parts proposed to require that a firm’s board must approve and regularly review the firm’s important business services, impact tolerances and written self-assessment. Boards are expected to ensure they have the appropriate management information, adequate knowledge, skills and experience to provide constructive challenge to senior management and inform decisions that have consequences for operational resilience.

8.2 The CP also proposed that firms should establish clear accountability for the management of operational resilience. The PRA proposed that firms structure their operational resilience oversight in the most effective way for their business, using existing committees and roles or establishing new ones if necessary.

8.3 Nine respondents raised comments on the appropriateness of the operational resilience oversight responsibilities of the Board and the Senior Management Function (SMF) 24. A number of firms indicated that the role of the board is to challenge rather than set the firm’s operational resilience strategy. Some firms also suggested that management responsibilities should not be restricted to the SMF24, given the emphasis on collective responsibility, and to provide flexibility for firms to allocate the SMF appropriate for their individual structures.

8.4 The PRA has considered respondents’ comments and has decided to maintain the policy as proposed on the responsibilities of a firm’s board and SMF24. The PRA considers that the final signoff on a firm’s operational resilience strategy is a responsibility material enough to allocate to the board. The PRA additionally considers that assigning responsibility to the SMF24 is the proportionate method to create responsibility for operational resilience rather than introducing a new function or taking an alternative approach to ensure accountability. If the responsibility over operational resilience is spread out over different bodies and SMFs, accountability may become unclear within the firm.

8.5 One respondent asked whether the term ‘management body’ was inclusive of the board and senior management, and requested guidance for both boards and senior management. According to the definition in the Glossary Part of the PRA Rulebook, a management body means a firm’s body or bodies, which are appointed in accordance with national law, which are empowered to set the firm’s strategy, objectives and overall direction, and which oversee and monitor management decision making, and include the persons who effectively direct the business of the firm. For firms with a board, this is their management body. Having considered this response, the PRA has decided to publish its final policy as consulted upon. Firms are encouraged to communicate with their supervisors should they need further guidance.

8.6 One respondent suggested the PRA take a more principles-based approach to governance, requesting more flexibility such as permitting board discretion over a firm’s operational resilience framework. Having considered this response, the PRA is publishing its approach as consulted upon. It considers that the policy should give firms and boards the necessary flexibility to determine their own decision making process.

9 Self-assessment

9.1 The CP proposed an expectation for firms to: summarise the vulnerabilities they have identified to the delivery of their important business services; and outline the scenario testing performed and the findings from the tests. Firms would need to indicate what actions are planned to improve their ability to remain within impact tolerances and demonstrate that the timing for these is reasonable and in proportion to the systemic importance of the firm’s important business service. The PRA defined this documentation as self-assessment.

9.2 The PRA received ten responses requesting that further guidance or a self-assessment template should be released to ensure cross-sector consistency and ease of comparability between firms. Four more respondents suggested that the self-assessment document for dual-regulated firms should be aligned with one another to prevent duplication.

9.3 The CP proposed to require firms to document a self-assessment of their compliance with the Operational Resilience Parts alongside the methodologies used to undertake these activities. Paragraph 8.3 of the draft SS outlined what the PRA would expect a firm’s self-assessment document should cover.

9.4 Having considered the responses, the PRA considers firms should take a tailored approach in creating a self-assessment document, and setting exact minimum standards would not be proportionate given the differences in the structures of individual firms. Self-assessment documents should be bespoke, and firms should decide what they would specifically include in their self-assessment to retain flexibility. However, firms are encouraged to communicate with their supervisors should they need further guidance.

9.5 One respondent highlighted that the FCA’s self-assessment document introduced an additional concept of addressing ‘lessons learned’ from scenario testing that was not specifically drawn out in the PRA proposals and would encourage consistent terminology to be used.

9.6 Having considered the responses, the PRA has added an expectation to include ‘lessons learned’ in their self-assessment documents in paragraph 8.3 of the SS to make it clear that this is aligned with the FCA.

9.7 The PRA considers that firms would not necessarily need to produce two self-assessment documents. As for the supervision of impact tolerances for dual-regulated firms, firms must ensure that their approach to operational resilience can meet the requirements of both supervisory authorities. If a firm can produce one document which meets the self-assessment requirements of the PRA and FCA in a way that makes clear which aspects apply to which supervisory authority, one self-assessment document would be acceptable.

9.8 One respondent commented that different timescales for self-assessments are impractical. This is not the case set out in the consultations. The PRA and FCA have both proposed that self-assessments should be reviewed by the board regularly. Having considered this response, the PRA has decided to publish its final policy as consulted upon.

Use and approach to the self-assessment

9.9 Two respondents suggested that there should be an iterative approach to the self-assessment documents, and one respondent suggested splitting the self-assessment document into two documents, covering the methodology and the results respectively, to avoid the document becoming too large. One other respondent suggested that the self-assessment should be used to evidence upcoming activities aimed at building resilience. A further respondent suggested that the self-assessment should prioritise qualitative over quantitative reporting.

9.10 Having considered these responses, the PRA has decided to publish its final policy as consulted upon. The self-assessment should be used as a tool for firms to ensure they understand the work they have done to demonstrate their operational resilience alongside their plans to remediate shortfalls. It is up to the individual firm to decide how the document should be structured and the approach to creating it.

9.11 One respondent sought clarity on the level of assurance the self-assessment needs to undergo before board sign-off.

9.12 The PRA is not prescribing a minimum standard on the assurance needed on the self-assessment ahead of board approval. However, firms should have a reasonable understanding of the work they have undertaken to demonstrate their operational resilience and this should be reflected appropriately in their self-assessment document.

9.13 One respondent requested clarification regarding when the document would be required by the PRA.

9.14 The PRA expects firms to be able to present the self-assessment to their supervisor on request once the rules come into effect (ie Thursday 31 March 2022). By this date, boards would have approved important business services and set impact tolerances which should be reflected in the self-assessment.

10 Groups

10.1 The CP proposed to require firms to identify important group business services and respective impact tolerances. This would include a service provided by an international entity of a UK group if it was (i) delivered to an external end user outside of the group; and (ii) if disrupted it could impact the safety and soundness of the UK (PRA-regulated) entity by causing failure of the whole group.

10.2 One respondent commented that aggregating impact tolerances across different entities would be a challenge. The PRA clarifies that the process of aggregating impact tolerances is not the policy requirement. The PRA requires firms to identify individual important group business services delivered by entities of the UK group and to set an appropriate impact tolerance for them.

10.3 Four respondents requested further explanation of important group business services. The PRA has included an example in paragraph 9.2 in the SS.

10.4 Two respondents questioned if Operational Resilience policy applies at holding company level. The PRA is monitoring the Financial Services Bill and the potential for applying PRA Operational Resilience rules to holding companies. The PRA will review the application of Operational Resilience policy in due course.

10.5 One respondent questioned if firms would be required to prioritise the recovery of important group business services or if regulators would intercede. The policy is designed to ensure firms plan for disruption. As such, firms should assume the disruption of an important group business service and understand whether they would be able to remain within the stated impact tolerance. Work done to remediate any vulnerabilities should be prioritised as part of a firm’s overall programme to build operational resilience. There is no requirement to prioritise an important group business service over an important business service. A successful implementation of the policy would mean that if an important group business service is disrupted, it could be resumed without the need for regulatory intervention.

10.6 One respondent commented that the regulatory framework for operational resilience should allow enterprise-wide determination of important business services, and global risk-based prioritisation of resource allocation. The respondent further commented that any jurisdictional consideration of important business services should be a sub-set or section of these enterprise-wide determined important business services. One respondent commented that applying the UK regime to global enterprises would be challenging. The PRA acknowledges that enterprise-wide management of operational resilience could yield benefits. Nonetheless, the PRA’s objectives relate to the safety and soundness of UK firms, UK policyholder protection and the financial stability of the UK. The policy therefore focuses on risks to the firms and groups that the PRA regulates.

10.7 One respondent requested clarity on the relationship between ring-fencing and operational resilience. The PRA has examined the relationship and considers the policies to be compatible. In the event that a firm believes there is a contradiction or has any concerns in relation to the two policies, they should discuss this with their supervisors.

11 International alignment

11.1 In August 2020 the Basel Committee on Banking Supervision (BCBS) published a consultation on principles for operational resilience. [12]

11.2 Nineteen respondents to CP29/19 commented on how the UK’s proposals differ from international approaches. Seven respondents requested that the PRA clarify if important business services are considered equivalent to critical operations.

11.3 The PRA considers that the concept of critical operations set out in the BCBS consultation is not identical to important business services, as suggested by respondents, but the PRA considers that the terms are aligned. The BCBS definition (as consulted upon) of critical operations encompasses ‘critical functions’ as defined by the Financial Stability Board and is expanded to include activities, processes, services and their relevant supporting assets the disruption of which would be material to the continued operation of the bank or its role in the financial system’. This is consistent with the reference to both safety and soundness and financial stability in PRA policy.

11.4 The proposed BCBS principles also use the term ‘risk tolerance’ which is focused on a bank’s ‘risk appetite, risk capacity and risk profile’. The PRA also considers that impact tolerances are aligned with this term.

11.5 Comparing the PRA policy with the BCBS consultation, despite some differences in terminology, the PRA considers that there is alignment on the core principles:
• a distinction between operational risk and operational resilience;
• operational resilience as an outcome that firms continually need to work towards;
• the importance of operational resilience for both financial stability and the safety and soundness of firms;
• the concept of a risk or impact tolerance to define what might be acceptable that does not assume zero failure; and
• the use of scenario testing to assure resilience.

11.6 The PRA will continue to engage with international policy development processes. It is realistic to assume that there will be local differences in implementation, and it is reasonable that different jurisdictions will have different views on what they consider critical or important. As long as the principles are aligned, the PRA considers that firms and their supervisors should be able to work effectively across borders.

12 Other responses

Covid-19

12.1 The PRA recognises that the Covid-19 pandemic has had a significant impact on firms. The disruption caused by Covid-19 has shown why it is critically important for firms to understand the services they provide and invest in their resilience to protect themselves, their consumers and the market from disruption.

12.2 Thirteen respondents have indicated that operational resilience has been put in focus as a result of Covid-19, and asked the supervisory authorities to share any lessons learned from the pandemic. Seven respondents indicated that they were able to showcase their resilience in light of the pandemic and two respondents commented that the most adverse impacts were shown in smaller firms.

12.3 The PRA, FCA, and Bank of England have issued coordinated comments on Covid-19 in the covering document to this PS: ‘Operational resilience: Impact tolerances for important business services’.

Industry collaboration

12.4 Seven respondents commented that industry should be encouraged to collaborate with other institutions and with the supervisory authorities in addressing issues such as the preparedness of industry for market-wide scenarios, approaches to setting and managing important business services, and overall resilience of the UK financial sector.

12.5 The PRA agrees that collaboration would be beneficial in establishing good practice for operational resilience and has emphasised this since the DP.

12.6 Seven respondents encouraged open dialogue between the supervisory authorities and industry over time. This could include checkpoints during the implementation and cross-sector benchmarking. The PRA supports open dialogue with industry as the new policy is implemented, and anticipates that this will primarily be driven by supervision and industry engagement, rather than by additional policy changes.

Financial resilience

12.7 One respondent suggested that the supervisory authorities should recognise the firm’s financial resilience efforts, such as recovery options and wind-down plans, when assessing operational resilience. The PRA considers that the focus on important business services puts emphasis on the areas of a firm that, among other things, would impact its safety and soundness if disrupted. Firms have the flexibility to align their important business services with existing frameworks, and so the PRA considers firms may look to areas identified in recovery planning.

12.8 One respondent noted that CP29/19 did not repeat the phrase set out in the DP that ‘operational resilience is at least as important as financial resilience’. The PRA retains the view that operational resilience is at least as important as financial resilience.

Regulatory reporting

12.9 Five respondents have requested information on regulatory reporting requirements and how the PRA intends to assess a firm’s progress. One firm asked if the PRA would be publishing further metrics that would be useful for operational resilience.

12.10 The PRA agrees that regulatory reporting for operational resilience is something to consider in the future, but this is out of scope of the current PS.

Communication plans

12.11 Three respondents suggested that communication enhancements should be made to existing arrangements rather than creating unique communication plans. A consistent method for communicating externally should be made to include communicating with supervisors, third party providers and peers at an industry level.

12.12 Paragraph 4.8 of the draft SS set out that firms should develop communication strategies to prepare in advance how they can minimise the impact of disruptions. Having considered the responses, the PRA has decided to publish the SS expectations for communication plans as proposed, but would encourage firms to discuss their approach with their supervisors.

Operational risk capital requirements

12.13 Three respondents commented on operational risk. One suggested that if adequately implemented, firms may be able to justify a decrease in operational risk capital requirements. The PRA is maintaining the decision not to create a link between a firm’s ability to remain within impact tolerances and its capital requirements. Chapter 3 of the SoP sets out the relationship between operational resilience and operational risk policy.

Cost benefit analysis

12.14 Thirteen respondents commented on the cost benefit analysis, and some suggested that the costs of operational resilience are underestimated. Two respondents highlighted that costs are unlikely to be known at the present time given the new concepts. Two respondents commented that the analysis was difficult to interpret and one respondent suggested that the policy could increase costs for consumers.

12.15 The cost benefit analysis was produced using survey data collected by the FCA, in which firms were provided context for the forthcoming proposals and asked to provide cost estimates for this. The PRA acknowledges that these estimates come with limitations but maintains that the analysis demonstrated a consideration of the costs. The PRA considers that the costs are proportionate to the benefits.

12.16 The PRA considers that the changes to the rules and SS following consultation are not significant and will not materially alter the cost benefit analysis presented in CP29/19.

Appendices

1 PRA RULEBOOK: CRR FIRMS, SOLVENCY II FIRMS: OPERATIONAL RESILIENCE INSTRUMENT 2021, available at: https://www.bankofengland.co.uk/-/media/boe/files/prudentialregulation/policy-statement/2021/march/ps621app1.pdf .

2 SS1/21 ‘Operational Resilience: Impact tolerances for important business services’, available at: https://www.bankofengland.co.uk/prudentialregulation/publication/2021/march/operational-resilience-impact-tolerances-forimportant business-services-ss .

3 Statement of Policy ‘Operational Resilience’, available at: https://www.bankofengland.co.uk/prudentialregulation/publication/2021/march/operational-resilience-sop .

[1] December 2019: https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectorsoperational-resilience-discussion-paper .
[2] July 2018: https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operationalresilience-discussion-paper .
[3] Section 138J(5) and 138K(4).
[4] 1.2, 2.4 CRR; 1.2, 2.4 Solvency II and 1.2 Group Supervision.
[5] 2.3 CRR and 2.3 Solvency II.
[6] 2.4 CRR and 2.4 Solvency II.
[7] For further information, please see https://www.bankofengland.co.uk/eu-withdrawal/transitioning-to-post-exit-rules-and-standards .
[8] Section 138J(3) and 138J(4) of FSMA.
[9] This table summarises the important business services definitions for CRR and Solvency II firms set out in the Operational Resilience Parts. Please refer to the text of the rule.
[10] October 2020: https://www.bankofengland.co.uk/prudential-regulation/publication/2020/operational-continuity-in-resolution.
[11] https://publications.parliament.uk/pa/cm5801/cmselect/cmtreasy/114/11402.htm.
[12] https://www.bis.org/bcbs/d509.htm.




Originally published on the WeChat official account “业务连续性+”