In January the Prudential Regulation Authority (PRA) released its supervision priorities for UK deposit takers for 2025 through a Dear CEO letter[1]. Firms will need to sharpen their focus on key areas including data management, funding and liquidity, and operational resilience. In this blog we will cover:
- A summary of the key themes
- The importance of data management
- Focus areas for operational resilience
The key themes
The letter is broken out into five headings:
- Risk management, governance and controls
- Data risk
- Funding and liquidity
- Operational resilience
- Basel 3.1 delay and Strong and Simple
Some themes and content overlap across these sections. To underline this, the PRA note in the first section, on risk management, their observation that firms vary in their ability to manage emerging risks, particularly the interaction between risks.
While relegated to a single sentence, risk culture gets a call-out. It is worth noting that the letter calls for boards – not just the C-suite – to pay attention to risk culture. While explicit controls will exist to address specific risks, a poor risk culture can undermine the broader control environment. Boards should be comfortable that risk is an integral part of decision making and isn’t seen as a check-the-box exercise.
The importance of data management
The letter calls out poor data as a root cause of issues that have required remediation within firms. It also notes that aggregation of data needs to be effective to enable effective risk management and support decision making. Having robust governance over data, including its integrity, authenticity and provenance, is a must.
It is probably no surprise that artificial intelligence (AI) doesn’t avoid the spotlight. The use of AI across the organisation is acknowledged, with a focus on the quality and accuracy of data. A third of all AI use cases are third-party implementations[2]. This raises the question: what assurance do those firms have on the quality of the data used to train those models?
This aligns with commentary about more traditional models. In particular, the PRA call out credit models that may not be keeping up with the times – older models built in one context that have not evolved with changes in market conditions or practice. The letter reinforces the requirement for solid model risk management in accordance with their supervisory statement.
Circling back to data management, organisations need a good handle on governance of the models themselves, the data and assumptions that inform them, and embedded review cycles. This should include models designed, implemented or licensed from third parties, whether they are based on traditional methods, machine learning, or incorporate generative AI.
Operational resilience
We are approaching the March 2025 deadline for demonstrating the ability to remain within impact tolerances through disruption. The letter highlights expectations about ongoing management of operational resilience programmes and some specific scenarios.
Now that operational resilience programmes are in place, the PRA expects that major organisational changes will consider their effect on operational resilience by default. If it wasn’t baked in when developing your operational resilience capability, now is the time to review risk in change processes. Major changes should trigger reviews to determine if lists of important business services, impact tolerances, and response capabilities need to be updated or revised.
While the operational resilience rules cover all types of disruption, the PRA show their hand on which scenarios affecting regulated firms are keeping them up at night – cyber threats, vulnerabilities from legacy tech, and disruptions originating from third parties. Firms may want to reshuffle their scenario exercising programme if these aren’t scheduled in the near term, and shore up any weaknesses in these areas.
The PRA also note their intent to consult, towards the end of the year, on policy regarding ICT and cyber risks. While these can be viewed as two distinct risks (tech disruption versus intrusion), it circles back to the PRA’s comments about the interconnectivity of risk. The consultation will also consider risks related to tech transformation, with memories still fresh of TSB Bank’s digital transformation incident from 2018.
Conclusions and next steps for your organisation
Here are some key steps you can take to align with the PRA’s supervisory priorities:
- Ensure practices and tools for capturing and managing risk data across the enterprise are robust
- Ensure your risk culture supports effective risk management, with sufficient board oversight
- Review your library of models; if it doesn’t exist today, adopt a centralised approach to model risk management practices and enhance governance and processes where appropriate
- Validate that risk-in-change processes are integrated into operational resilience capabilities
- Focus near-term operational resilience efforts on technology, cyber, and third-party scenarios
The PRA’s 2025 priorities underscore the growing complexity and interconnectivity of risks in financial services. Protecht ERM equips you with the tools to manage these challenges in one place.
- Enterprise risk management: Aggregate and centralise risk data across the organisation to ensure governance, visibility, and informed decision-making
- Operational resilience: Map critical business services, monitor impact tolerances, and integrate risk-in-change processes to maintain resilience through disruption
- Vendor risk management: Gain oversight of third-party risks, ensuring compliance and resilience in outsourced models and AI-driven decision-making
- IT and cyber risk: Align IT and cyber risk management with regulatory expectations by embedding continuous monitoring, testing, and controls assurance
- Risk culture and training: Protecht offers on-demand training covering a broad spectrum of enterprise risk topics, including ERM, operational resilience and VRM. Find out more at Protecht Academy, including subscription options designed for organisations and risk teams
References
[1] Bank of England, UK Deposit Takers Supervision: 2025 Priorities CEO letter
[2] Bank of England, Artificial Intelligence in UK Financial Services report