Background
Operational resilience in the financial services sector is a key concern across the European regulatory landscape, with
In recent years, the
- Proportionality;
- International alignment;
- Governance and board ownership;
- Critical and important business services;
- Mapping of outsourced services providers;
- Impact tolerances; and
- Scenario testing.
Notwithstanding the extensive feedback received through the consultation process, the finalised Guidance remains largely unchanged from the draft Guidance issued in
The Guidance serves to delineate the expectations of the
- Identify and Prepare;
- Respond and Adapt;
- Recover and Learn.
Additionally, one of the key takeaways from the Guidance is that operational resilience cannot simply be treated as a routine exercise at board level. The Central Bank has made clear that it expects to see boards and senior management “adopt measures to strengthen and improve their operational resilience framework.”
The challenge now presented to financial institutions, their boards and senior management, is how to apply the Guidance effectively across day-to-day management as well as in respect of longer term planning and strategy. With this in mind,
Step One: Review the Guidance
Ultimate responsibility for the approval and oversight of a firm's operational resilience framework rests with the board. Therefore, it is vital that boards and senior management fully inform themselves about what is expected under the Guidance. From the outset, firms must ensure that the Guidance has been reviewed and that all board members and senior management are familiar with its content.
A firm must ensure that its existing governance frameworks and committee structure include responsibilities with respect to operational resilience. An Operational Resilience Framework should align with the Operational Risk and Business Continuity Frameworks of a firm, or alternatively one framework could be implemented encompassing all risk areas.
Step Three: Embed Resilience
Implementation of a suitable Operational Resilience Framework should be a holistic, cross-departmental exercise, in particular ensuring that the following areas are catered for:
- Operational risk;
- Cyber and information technology;
- Business continuity management;
- Incident management; and
- Communication plans.
Step Four: Identify Critical or Important Business Services
In order to effectively safeguard against operational disruption and risk, a firm must identify which services within its business are critical or important. To categorise these services correctly, a firm should consider whether there would be a material impact on the consumer in a disruption event affecting that service. By way of example, a firm should consider the following questions when evaluating whether a business service is critical or important:
- would a disruption cause material customer detriment or threaten policyholder protection;
- would it harm market integrity;
- would it impact the firm's viability, safety and soundness; and/or
- would it negatively impact the firm's overall financial stability.
Step Five: Identify Impact Tolerances
An impact tolerance represents the maximum level of disruption which can be tolerated by a critical or important business service before the disruption represents a risk to the firm or could cause detriment to the consumer.
It is important to differentiate between standard risk appetite and impact tolerance. Standard risk management and risk appetite processes are focussed on minimising risk to a firm, through controls that reduce the impact and probability of a disruption event arising. Operational resilience focuses on building a firm's capabilities to deal with risk events when they materialise, rather than purely focussing on building defences to prevent risks from occurring. By developing impact tolerances a firm can quantify the maximum level of disturbance a service can withstand, allowing it to prioritise restoration of services appropriately following a disruption.
Step Six: Map the Processes to Deliver a Critical or Important Business Service
In order to ensure that critical or important business services do not exceed their impact tolerances, an analysis of the method and processes involved in the delivery of the service must be undertaken. Mapping how the service is delivered should include identifying the following:
- key members of staff involved in the delivery of the service;
- facilities and technology required; and
- any third parties or outsourced service providers involved in the provision of the service.
By mapping interconnections and interdependencies, the firm can effectively identify any points of potential failure, dependencies or key vulnerabilities.
Step Seven: Implement ICT and Cyber Resilience Strategies
As technology is central to the effective and efficient operation of most businesses, it needs to be treated as a vital component of a firm's operational resilience. This means that a firm must ensure not only that its technology is suitable for its business needs, but also that all possible weaknesses and vulnerabilities have been identified wherever technology is relied upon to provide a critical or important business service.
Further, the
Step Eight: Perform Annual Review and Stress Testing
In order to ensure operational resilience, a firm must carry out stress testing exercises in respect of severe but plausible scenarios. Severe but plausible scenarios can be identified by clearly mapping the processes involved in, and the vulnerabilities affecting, the critical or important business services that have been identified.
Testing should be completed on an annual basis at a minimum.
Step Nine: Implement Business Continuity Management
Business continuity management should form part of the overall approach to operational resilience, including the implementation of a Business Continuity Plan. Further, internal and external crisis communication plans should be designed and form part of either the Operational Resilience Framework or the Business Continuity Plan.
Step Ten: Implement Lessons Learned
Following a disruption to a critical or important business service, the firm should reflect on the lessons learned from the incident. The analysis of the lessons learned should include both the successes and the failures that occurred in the remediation process, as well as the instigating factors which led to the incident. By critically evaluating the approach taken in respect of a disruption, deficiencies can be identified and rectified, and recovery processes can be improved, allowing for better responses in the future.
Conclusion
From a timing perspective, there is a maximum 2 year timeframe for implementation of the Guidance. By
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr Joe Beashel
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source