SYSC 15A.6 Self-assessment and lessons learned exercise documentation

SYSC 15A.6.1R

A firm must make, and keep up to date, a written record of its assessment of its compliance with the requirements in this chapter, including, but not limited to, a written record of:

  (1) important business services identified by the firm and the justification for the determination made;

  (2) the firm’s impact tolerances and the justification for the level at which they have been set by the firm;

  (3) the firm’s approach to mapping under SYSC 15A.4.1R, including how the firm has used mapping to:

    (a) identify the people, processes, technology, facilities and information necessary to deliver each of its important business services;

    (b) identify vulnerabilities; and

    (c) support scenario testing;

  (4) the firm’s testing plan and a justification for the plan adopted;

  (5) details of the scenario testing carried out as part of its obligations under SYSC 15A.5, including a description and justification of the assumptions made in relation to scenario design and any identified risks to the firm’s ability to meet its impact tolerances;

  (6) any lessons learned exercise conducted under SYSC 15A.5.8R;

  (7) an identification of the vulnerabilities that threaten the firm’s ability to deliver its important business services within the impact tolerances set, including the actions taken or planned and justifications for their completion time;

  (8) its communication strategy under SYSC 15A.8.1R and an explanation of how it will enable it to reduce the anticipated harm caused by operational disruptions; and

  (9) the methodologies used to undertake the above activities.

SYSC 15A.6.2R

A firm must retain each version of the records referred to in SYSC 15A.6.1R for at least 6 years and, on request, provide these to the FCA.