Copyright © 2000
Restorepoint Ltd, all rights reserved
Gartner has defined Operational Resilience as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners).
In different regions around the world, regulators are aiming to bring about change in how the finance industry manages the threat and impact of IT glitches, cyber attacks and other disruptions.
The specific issues regulators are concerned about include poor governance and oversight of outsourced functions and third-party service providers, insufficiently resilient legacy IT systems with poor cyber security, and a lack of contingency plans for business disruptions.
Globally, there are moves to regulate operational resilience for financial institutions. In March 2021, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, set the tone by issuing its ‘Principles for Operational Resilience’ document, which aims to make banks better able to withstand, adapt to and recover from severe adverse events.
Regulators in different regions around the world are issuing similar guidance aimed at interpreting and implementing controls related to Operational Resilience.
In the EU, operational resilience requirements within the financial sector are covered within various pieces of legislation and guidelines, including the Capital Requirements Directive (CRD), the Markets in Financial Instruments Directive (MiFID II), Solvency II and the Payment Services Directive 2 (PSD2). Additionally, guidelines have been issued on various aspects of operational resilience by supervisory authorities including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
The European Commission published a draft version of its Digital Operational Resilience Act (DORA) in 2020, which focuses on ensuring that finance firms are able to maintain resilient operations through periods of disruption. The proposed legislation is the first step towards creating a regulatory framework for financial services operational resilience in EU law.
DORA is expected to come into force in the first half of 2023.
In October 2020, the US federal bank regulatory agencies released their "Sound Practices to Strengthen Operational Resilience" paper, which is designed to help large banks increase their operational resilience against disruptions such as cyberattacks, natural disasters, and pandemics. The recommendations in the paper are drawn from existing regulations, guidance (such as that published by NIST, part of the US Department of Commerce), statements, and other common industry standards.
Additionally, the SEC’s Division of Examinations recently issued observations related to operational resilience and cyber security. These highlight approaches taken in the areas of governance and risk management, including access rights and controls, data loss prevention, incident response and resiliency.
In Ireland, the Central Bank of Ireland (CBI) published a consultation in April 2021 on its proposed Cross-Industry Guidance on Operational Resilience. This proposed guidance aims to assist industry on how to prepare for, respond to, recover from and learn from an operational disruption that affects the delivery of critical or important business services.
In the United Kingdom, new regulations published by the Bank of England, the Financial Conduct Authority (FCA) and the Bank of England’s Prudential Regulation Authority (PRA) state that financial organisations have until March 2022 to be able to demonstrate operational resilience.
In association with the Financial Conduct Authority (FCA), the Bank of England’s Prudential Regulation Authority (PRA) established the rules for demonstrating operational resilience. The rules will come into force on March 31st, 2022.
The rules focus on four key areas: identifying important business services, setting an impact tolerance, testing resilience and communicating disruptions.
The services classed as important business services have a distinct and critical definition within the new operational resilience rules. The definition is that important business services are services that, if disrupted, could cause intolerable harm to the consumers of the organisation’s services or pose a risk to market integrity.
Companies need to identify their important business services before March 31st, 2022. Going forward, there’s a requirement to review important business services at least once per year.
There’s also a requirement to review important business services when there’s a material change either to a business itself or the market in which it operates. Such material changes can include but aren’t limited to carrying out new business activities, ceasing a current activity, and outsourcing new or existing services.
The rules state that financial institutions need to clearly identify distinct services under this definition rather than collections of services. For example, accessing a mortgage account is a distinct service while providing mortgages is a collection of services.
The rules state that financial institutions must set an impact tolerance for each of their important business services. The impact tolerance is the first point in time at which disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity.
Therefore, it’s mandatory to use time/duration as a metric for measuring impact tolerance.
It’s natural to wonder what is meant by ‘intolerable harm’. The rules don’t have a standard definition; it’s referred to as something that varies from company to company and across sectors. The factors to think about when defining this level of harm include the number and types of customers adversely affected, impacts on market or customer confidence, and the level of financial loss for customers.
Regulated firms must ensure they can remain within their established impact tolerance for every important business service in the event of severe operational disruptions.
The rules state that companies must conduct scenario testing to assess the ability to remain within their impact tolerance for each important business service. Scenario tests consider different plausible situations that can profoundly impact the ability of a firm to remain within its impact tolerance. Some example scenarios cited in the rules include:
Testing resilience when key facilities or people aren’t available.
Testing resilience when any third-party service that is critical to the delivery of important business services is unavailable.
Testing resilience if access to any technology underpinning the delivery of important business services is lost or reduced.
Scenario testing is required on a regular basis; however, the frequency of testing isn’t defined.
Financial services companies must provide clear, timely and relevant communications to stakeholders in the event of operational disruptions. Furthermore, the FCA expects to be notified of any failure by a company to meet an impact tolerance.
The rules provide financial institutions with a three-year transitional period within which they need to demonstrate they can consistently stay within their impact tolerances. The period lasts from March 31st, 2022 to March 31st, 2025.
If a company cannot show an ability to remain within its impact tolerances by the hard deadline, the company will be in breach of the rules. It’s also worth noting that any company not making a reasonable effort to remain within its impact tolerances during the three-year transitional period would also be in breach of the rules.
Want to find out more? Read our recommendations for improving operational resilience in our blog post What the New Operational Resilience Rules Mean for Network Management.