Article

Aligning risk management and insurance with operational resilience requirements: key steps for UK financial institutions

Learn key steps for UK financial institutions to align insurance with operational resilience, ensuring compliance with PRA's new requirements and risk management.

The increasing regulatory focus on operational resilience, as evidenced by the Prudential Regulation Authority’s (PRA) recent consultation paper (CP17/24), presents a timely opportunity for financial institutions (FIs) to comprehensively review and strategically align their insurance coverage with emerging operational risks and regulatory expectations.

The PRA's CP17/24 proposes significant new requirements for operational incident reporting and third-party risk management. To prepare for these changes, organisations in the financial services sector should conduct a structured review of their risk management and reporting frameworks. This presents an opportunity to assess and optimise their insurance as part of a broader risk strategy, focusing on the following:

  1. Alignment of insurance with the PRA's definition of "operational incidents"
  2. Assessment of coverage adequacy for third-party risks
  3. Integration of incident reporting processes with insurance notification requirements
  4. Mapping of insurance policies to operational resilience scenarios

By leveraging the PRA initiative, financial institutions can structure and map their insurance policies to effectively support incident response and mitigate wider risks. Furthermore, integrating the regulatory reporting process with insurance mapping in the UK financial sector creates a cohesive framework supporting compliance and robust risk management in today’s dynamic operational landscape.

Key regulatory developments

The PRA’s consultation paper builds on the foundation established by its policy statement PS6/21 – Operational Resilience: Impact tolerances for important business services, and its supervisory statement SS2/21 – Outsourcing and third-party risk management. The paper proposes new reporting requirements that will significantly impact how firms approach incident reporting and operational resilience. The key elements include:

  1. An enhanced operational incident reporting framework, including:

  • Mandatory reporting using standardised PRA-defined thresholds and templates
  • Implementation of a unified reporting solution across supervisory authorities
  • Clear timeline requirements for initial, intermediate, and final incident reports

  2. Comprehensive third-party risk management:

  • Systematic documentation of third-party dependencies through the Outsourcing and Third-Party (OATP) register

Financial institutions must understand and prepare for detailed reporting requirements for an "operational incident," which is defined as a single event or series of linked events that:

  • Disrupts the delivery of a service to an external end user
  • Impacts the availability, authenticity, integrity, or confidentiality of information or data relating to that end user

How to prepare for the PRA’s proposed changes

Our insurance policy assessment and mapping service helps organisations achieve operational resilience by:

  • Policy coverage analysis: Existing insurance policies are evaluated against PRA-defined operational risks. Coverage gaps for critical operational incidents are identified, and the policy response to third-party failures and cyber events, including cyberattacks, is assessed.
  • Regulatory alignment: Insurance coverage is mapped to PRA reporting requirements, integrating incident notification procedures with regulatory timelines. Clear protocols are established for material third-party arrangements.
  • Resilience testing: This includes scenario-based insurance response testing, coverage adequacy assessment for important business services, and evaluation of insurance provider resilience.

The imperative to align insurance with regulatory expectations

The alignment between risk management and insurance coverage becomes paramount, as financial market infrastructures face an increasingly complex risk landscape characterised by technological interdependencies, third-party relationships, and systemic vulnerabilities. The PRA's new operational resilience framework highlights how operational incidents can rapidly cascade through interconnected financial systems, making traditional siloed approaches to insurance coverage insufficient.

Financial institutions and financial services firms must adopt a holistic view that considers both direct losses and the broader implications of operational disruption for their important business services.

Effective insurance alignment requires regular review and adjustment to keep pace with emerging risks, regulatory expectations, and organisational changes. This is particularly crucial as the financial system continues to digitalise operations, expand third-party relationships, and face sophisticated cyber threats. By maintaining a strong alignment between risk management strategies and insurance coverage, financial institutions can better protect their operational resilience capabilities while demonstrating regulatory compliance and maintaining stakeholder confidence in an increasingly interconnected financial ecosystem.

Our people

Erica White

Chief Client Officer – Financial Institutions, Marsh Specialty UK

  • United Kingdom

Shiva Keihaninejad

Senior Vice President – Risk Capital Analytics, Marsh Advisory

  • United Kingdom