The Nexus of Harm: The need for an integrated approach to Consumer Duty and Operational Resilience


Two of the biggest areas of focus for regulators in the UK over recent years have been operational resilience and consumer duty.

Operational resilience is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions. Firms must assume that disruption is inevitable and must implement an approach (including 'Plan Bs') which allows them to continue providing critical operations/important business services despite disruption, so as to avoid intolerable harm to consumers or risk to the safety and soundness of the firm. Firms must meet the new regulatory requirements by end March 2025.

Consumer Duty introduces a new Principle, 4 Outcomes and 3 Cross Cutting rules designed to prevent firms causing foreseeable harm to consumers. Firms must ensure they have appropriate systems and controls in place to ensure customers receive fair value in pricing, receive good quality customer support, get products and services that are designed to meet their needs, and that consumers are given the information needed to understand the products or services they're buying. The Consumer Duty went live at the end of July.

Whilst in most firms these two critical areas of regulatory focus have been considered in isolation (one often by compliance and another by operations), it's important, especially as we move into the embedding phase for resilience, that the linkages between the two are considered and that a more integrated approach is adopted.

Harm is a key concept and focus for the Financial Conduct Authority and is closely linked to another key area of focus on 'vulnerability'. The FCA's focus on harm will only increase as economic headwinds continue to worsen.

The 'Nexus of Harm' is illustrated in the graphic below. The graphic illustrates the relationship between foreseeable harm and intolerable harm and the interaction with Risk Appetite, Risk Tolerance (as a tolerable buffer beyond appetite) and Impact Tolerance/ Tolerance for Disruption. You can see that even where a disruption does not cause intolerable harm (the firm is able to stay within impact tolerance) it may still breach risk appetite by causing foreseeable harm to the consumer - leading to difficult conversations with regulators!


A more integrated approach to harm, through the lens of both operational resilience and consumer duty, is key, not least to ensure an efficient approach to compliance.

There are 4 key reasons why an integrated approach makes sense:

  1. Breaking the silos - operational risk management has become increasingly fragmented especially in the last decade with new topic areas such as cyber, conduct, climate and financial crime attracting significant attention, including from regulators, and in some firms being addressed through new silos. By considering both foreseeable harm and intolerable harm through an integrated approach, firms can break down the silos and encourage a more holistic approach across two important aspects of risk and compliance management.
  2. Efficiency and cost saving - by adopting a more integrated approach, firms can ensure they minimize duplication and maximize the leveraging of existing effort. This can be achieved by embedding the key regulatory concepts of 'foreseeable harm' and 'intolerable harm' across the various risk and compliance activities, including stress and scenario testing and in key tools of operational risk management including RCSA.
  3. Increasing the value of scenario testing - firms are now undertaking scenario testing for operational resilience which tests the ability of firms to stay within impact tolerance in the event of severe but plausible disruption. By considering foreseeable harm at the same time, firms may identify plausible scenarios of disruption which, whilst not causing intolerable harm, cause foreseeable harm. Firms can then take proactive actions to ensure such harm is mitigated.
  4. Regulatory compliance - an integrated and holistic approach to harm will also reduce the risk of breaching these key regulatory requirements. The concepts of foreseeable harm and intolerable harm should be embedded in the DNA of the organization and considered across the range of risk and compliance activities. By reducing the risk of regulatory breach, firms can mitigate the risk of fines, S166 reviews and supervisory visits.

By adopting a more integrated approach across the continuum of harm, firms can improve efficiency, cut costs, and most importantly reduce the risk of breaching these key new regulatory requirements thereby avoiding difficult and costly conversations with your regulators!


JADEtc. have assisted many of our banking clients on both operational resilience and consumer duty and can help you to develop an integrated approach to 'harm'. Contact us today for a free consultation on how we can help.


Vinod Menon

GRC I Operational Risk & Resilience I Chartered Accountant I DCCS (DORA Certified Compliance Specialist ) I CPO I 25+Years

1 year ago

An integrated approach is the way to go. Well written, Dr Jimi M.V. Hinchliffe. Thanks for sharing.

Mustafa ?avu? PhD

Reg Tech Solutions Partner | All opinions my own

1 year ago

True, we need a holistic view.

I think this is a key issue
