← Frameworks / Regulatory

PRA SS1/21 & SS2/21 — Operational Resilience and Outsourcing

UK Prudential Regulation Authority requirements for operational resilience at PRA-regulated firms. PRA SS1/21 covers identification of important business services, impact tolerance setting, resource mapping, scenario testing, and self-assessment. PRA SS2/21 covers outsourcing governance, materiality assessment, due diligence, contractual requirements, sub-outsourcing chains, intra-group outsourcing, and exit strategies. Packaged under PRA Policy Statement PS6/21.

Clauses: 31
Avg Coverage: 48.5%
Publisher: Bank of England / PRA Version: 2021 (PS6/21)
PRA Operational Resilience → SP 800-53 SP 800-53 → PRA Operational Resilience Coverage Analysis
Clause Title SP 800-53 Controls
PS6/21-1.1 Transition period and compliance expectations
PM-01 PM-04 CA-05 PM-31
PS6/21-2.1 Proportionality and complexity
PM-09 PL-10 PL-11 RA-02
SS1/21-3.1 Identify important business services (IBS)
PM-11 PM-08 CP-02 CM-12 CM-13 RA-09
SS1/21-3.2 Board governance of operational resilience
PM-01 PM-02 PM-09 PM-29 PL-01
SS1/21-4.1 Set impact tolerances for each IBS
CP-02 PM-11 PM-09 RA-03
SS1/21-5.1 Map resources supporting each IBS — people
PM-11 PM-13 PS-01 PS-02 CP-02
SS1/21-5.2 Map resources supporting each IBS — technology and information
CM-08 CM-12 CM-13 PL-08 SA-09 RA-09
SS1/21-5.3 Map resources supporting each IBS — facilities and third parties
PE-01 PE-17 SA-09 SR-01 SR-02 CP-06 CP-07
SS1/21-6.1 Scenario testing — severe but plausible scenarios
CP-04 IR-03 PM-14 CA-08 RA-03
SS1/21-6.2 Scenario testing — lessons learned and remediation
IR-03 CA-05 PM-06 AT-06 CP-04
SS1/21-7.1 Self-assessment and ongoing monitoring
CA-02 CA-07 PM-06 PM-14 PM-31
SS1/21-8.1 Communication strategy during disruption
IR-01 IR-04 IR-06 IR-07 CP-02
SS1/21-9.1 Interconnections and dependencies between IBS
PM-11 PL-08 CM-13 SA-09 RA-09
SS1/21-10.1 Operational resilience and financial resilience linkage
PM-09 RA-03 CP-02
SS1/21-11.1 Change management impact on operational resilience
CM-03 CM-04 SA-10 PM-11
SS2/21-3.1 Outsourcing governance framework
SA-04 SA-09 SR-01 SR-02 PM-09 PM-01
SS2/21-4.1 Materiality assessment of outsourcing arrangements
RA-03 RA-09 PM-09 PM-11
SS2/21-5.1 Pre-outsourcing due diligence
SA-04 SA-09 SA-21 SR-06 RA-03 PS-07
SS2/21-6.1 Contractual requirements — service levels and security
SA-04 SA-09 SR-03 SR-06 PS-07
SS2/21-6.2 Contractual requirements — audit and access rights
CA-02 SA-09 SR-06 AU-01
SS2/21-7.1 Ongoing monitoring and oversight of outsourced providers
CA-07 SR-06 SA-09 PM-14 SI-04
SS2/21-8.1 Sub-outsourcing chains
SR-01 SR-02 SR-03 SA-09
SS2/21-9.1 Intra-group outsourcing
SA-09 CA-03 AC-20 PM-09
SS2/21-10.1 Business continuity for outsourced services
CP-01 CP-02 CP-04 CP-06 CP-07 SA-09
SS2/21-11.1 Data protection and information security for outsourced services
SC-08 SC-13 SC-28 SA-09 MP-04 MP-05 AC-04
SS2/21-12.1 Exit strategies and transition planning
CP-02 SA-09 SR-01 PM-09
SS2/21-13.1 Outsourcing register and record-keeping
CM-08 PM-05 SA-09 AU-11
SS2/21-14.1 Cloud outsourcing — specific considerations
SA-09 AC-20 SC-07 CM-12 SR-03
SS2/21-15.1 PRA notification and regulatory reporting
IR-06 PM-27 AU-06
SS2/21-16.1 Concentration risk across outsourcing portfolio
SR-01 SR-02 RA-03 SA-09 PM-30
SS2/21-17.1 Skills and resources for outsourcing oversight
PM-02 PM-13 PS-02 AT-03