UK PRA Guidelines: New Strategies for Operational Resiliency and Supplier Risk Management


September 2021

It goes without saying that operational resiliency and supplier risk management go hand in hand. Organizations need to adapt, respond to, and recover from disruptions that occur both internally and externally in order to be successful. In recent years, financial regulators globally have been putting a stronger emphasis on operational resiliency and business continuity, leading to an influx of new guidelines for managing third-party risk. 

In the UK, rapid technological advancements, changing consumer behaviors, and increasing cybersecurity concerns have led regulators to consider new strategies for protecting economic stability where firms rely on outsourcing and third parties. Operational resilience has become a leading focus for the UK Prudential Regulation Authority (PRA). The PRA has published a supervisory statement on third-party risk management that aims to improve operational resiliency. Outsourcing arrangements entered into on or after 31 March 2022 will need to comply with these expectations in the coming months.

PRA Establishes Framework for Outsourcing Practices

The supervisory statement from the PRA seeks to improve the readiness of financial service firms to absorb inevitable disruptions, thereby mitigating damage to wider economic stability. The PRA has outlined its approach to operational resilience by targeting third parties. The PRA encourages organizations to identify "important business services" for which a significant disruption would threaten market integrity or financial stability.

Additionally, firms are to establish impact tolerances for key services and conduct testing to ensure that tolerances can be met. This will allow for a proper understanding of the impact of a disruption and provide valuable metrics to facilitate process improvement and resource allocation.  

The guidelines reinforce the idea that business disruptions will inevitably occur, and systems should be designed to bend but not break. It is important that tolerances and testing are designed with customer experience in mind, as the goal is to allow customers to continue to use and access financial services despite interruptions. 

A key factor in this strategy is the importance of board-level support for the firm’s third-party risk management program. This ensures that operational resiliency is built into business functions from the top down. 

Where Operational Resiliency and Supplier Risk Management Intersect

UK legislators propose that all third-party arrangements go through extensive risk assessment before integration. Additionally, third parties must provide a continued demonstration of appropriate operational resilience standards in line with the organization’s policies.  

Organizations will need to create a written outsourcing policy and keep a register of outsourcing arrangements. This means that organizations will need a centralized process for identifying and managing their supplier base. Firms providing outsourced services will need to address their own practices along with any third-party arrangements they may have, as these relationships pose a fourth-party risk. These steps are particularly important for critical business services where sensitive data is accessible to a third party.

The regulatory framework from the Prudential Regulation Authority and UK Financial Conduct Authority presents a new approach to existing practices around operational resiliency. Organizations can align their supplier risk management and operational resiliency practices to avoid significant impact on the larger economy, creating a more stable economic environment overall. 

The guidance provided by the PRA emphasizes that organizations should coordinate with third parties to understand potential risks. Organizations need to obtain enough information and data on a third party during onboarding to ensure that it can operate within the organization's impact tolerances.

How ProcessUnity Vendor Risk Management Can Help Your Organization Prepare for Changes Ahead

Organizations are required to comply with the new UK PRA guidelines on outsourcing and third-party risk management on 31 March 2022. Organizations can take the necessary steps to bolster their supplier risk management programs prior to the deadline by automating the vendor lifecycle. ProcessUnity Vendor Risk Management provides organizations with the tools to manage third-party risk effectively, allowing your organization to remain resilient throughout disruptions. To learn more, visit  
