UK’s Investment Association publishes guidance on resilience


The UK’s Investment Association, a trade body that represents investment managers, has published guidance for members on operational resilience and managing third-party risk.

The report provides an overview of the regulatory framework in which investment managers must operate, highlighting the significance of the EU’s Digital Operational Resilience Act (DORA) among recent regulatory initiatives. The report then goes on to outline a regulatory framework for third-party risk management in the context of operational resilience and identifies six key steps firms should take:

  • Identify: Identify and determine the criticality of third party providers.

  • Assess: Methodologically assess identified critical third parties.

  • Analyse and prioritise: Test and map the risks of third parties and prioritise.

  • Control: Introduce resilience controls over third parties, which aim to provide reasonable assurance that the third parties the firm relies on are able to remain resilient to the extent that intolerable harm will not occur to the firm’s clients, end consumers, the broader market or the firm itself. These controls fall into three categories:

    • Preventative controls

    • Detective controls

    • Remediation controls

  • Monitor: Provide oversight regarding the achievement of objectives and resilience of third party providers.

  • Report: Reporting on the achievement of objectives and resilience status of third party providers.

Full details available here.
