Principles for Operational Resilience

After completing this reading, you should be able to:

• Define and describe operational resilience and explain essential elements of operational resilience.
• Explain recommended principles that banks should follow to implement an effective operational resilience approach.

In the years following the Great Financial Crisis (GFC) of 2007-2009, Basel Committee reforms have enhanced banking system supervision globally to strengthen banks’ financial resilience. Banks have been able to absorb shocks much better due to higher levels of capital and liquidity. However, it is still necessary to strengthen the ability of banks to absorb operational risk-related events such as pandemics, cyber-attacks, and natural disasters. Increasing the banks’ resilience would provide additional protection to the financial system.

Even before the Covid-19 pandemic, the Basel Committee had anticipated that considerable operational disruptions would ultimately put to the test any improvements to the reliance of the financial system developed since the Great Financial Crisis. Banks have rapidly adapted their operational posture to deal with new risks or changes in existing ones. Still, the Committee noted that several potential risks could not be mitigated. Nonetheless, the Committee believes that a practice-based approach and flexible approach can enhance the banks’ ability to withstand, adapt, and recover from potential hazards, thereby potentially minimizing severe adverse impacts.

The Committee seeks to improve operational resilience by promoting a principles-based approach. Based on updates to the Committee’s Principles for Sound Management of Operational Risk (PSMOR), the approach also draws from previously released principles on corporate governance for banks and outsourcing and business continuity, as well as relevant risk management guidance.

In light of the efforts undertaken by several governments and standard-setting bodies (SSBs) to enhance operational resilience in the financial sector, the Committee is committed to strengthening operational resilience by promoting international collaboration and cooperation over this body of work.

An Evolving Operational Risk Landscape

The application of technology to the financial system has benefited both banks and their customers. However, the use of technology poses new risks. Banks’ most recent predominant operational risks were due to technological applications in the financial sector. Covid-19 increased these operational risks and heightened economic and business uncertainty.

Disruptions related to the Pandemic have impacted the information system, personnel, facilities, and relationships with third-party service providers and customers. Furthermore, working from home programs have contributed to increased cyber events, which have in turn increased the potential for operational risk events. 

Essential Elements of Operational Resilience

Effective management of operational risk leads to operational resilience. Operational disruptions can be minimized by activities such as identification and assessment of risk, risk monitoring, and risk mitigation. Operational resilience can also be promoted through the management focusing on the ability of the bank to respond to and to recover from disruptions if failures occur. An operationally resilient bank is less likely to incur untimely lapses and losses from disruptions. Even though avoiding certain operational risks is not possible, it is possible to improve the bank’s resilience to such events.

Factors such as business continuity, outsourcing of services to third parties, and technology should be considered in efforts to strengthen the bank’s operational resilience.

Banks should also ensure that risk management frameworks in place, business continuity plans, third-party dependency management are implemented consistently within the organization.

The principles in this reading have been largely derived and adapted from the guidelines in place provided by the Committee or national supervisors over the years.

Definition of Operational Resilience

According to the Committee, operational resilience is the ability of a bank to deliver critical operations through disruptions. This ability enables a bank to respond to, adapt to and recover and learn from disruptions. In this manner, the banks are able to minimize their effects on the delivery of critical operations through disruptions. It is necessary for a bank to assume that disruptions will occur and consider its overall risk appetite and tolerance for disruption. According to the Committee, tolerance for disruption is the level of disruption from any type of operational risk that a bank is willing to accept given a range of severe but plausible scenarios.

The term critical operations derives from the high-level 2006 principles for business continuity of the Joint Forum. It confines critical functions as defined by the Financial Stability Board (FSB), and it includes activities, services, processes, and their supporting assets.

The term respective functions refers to the appropriate functions within the bank’s three lines of defense as described by Committee’s Principles for Sound Management of Operational Risk (PSMOR). The three lines of defense include business unit management, independent operational risk management function, and independent assurance.

Operational Resilience Principles 

The Committee’s principles for operational resilience are presented under seven main categories, which include:

1. governance;
2. operational risk management;
3. business continuity planning and testing;
4. mapping of interconnections and interdependencies of critical operations;
5. third-party dependency management;
6. incident management; and
7. resilient information and communication technology (ICT), including cyber security.

Governance

Principle 1: Banks are required to use their governance structure to develop, oversee and implement an operational resilience approach that is effective, and that slows them to respond to,  adapt to, recover from, and learn from disruptive events and therefore minimize their impact on delivering critical operations through disruption.

The board of directors is required to review and approve the bank’s operational resilience approach by putting into consideration the bank’s risk appetite and tolerance for disruption to its critical operations. In determining the bank’s tolerance for disruption, the board of directors should consider a wide range of severe but plausible scenarios that might disrupt the bank’s critical operations.    

In cases where the bank’s capabilities are insufficient for it to meet its stated tolerance for disruption, the board of directors should ensure that comprehensive policies are in place to address such instances.

In order to promote the overall operational resilience approach of the bank, senior management should make sure that financial, technical, and other resources are appropriately allocated under the oversight of the board of directors. 

In support of the board’s oversight, senior management should provide timely reports on the ongoing operational resilience of the bank’s business units, especially when significant deficiencies might impair the bank’s critical operations. 

The board of directors should actively engage in establishing a clear understanding of the bank’s operational resilience approach by clearly communicating its objectives to all relevant parties, that is, bank personnel, intragroup, third parties.

Principle 2: Banks are required to use their operational risk management functions to identify both internally and externally originated threats, as well as potential failures in people, processes, and systems. Banks should also assess the vulnerabilities of critical operations in a timely manner and manage the resulting risks in line with their operational resilience approach.

The operational risk management function o the bank should work in conjunction with other relevant functions to manage and in order to address and manage any risks that pose a threat to critical operations. In order to strengthen operational resilience across the bank, banks should integrate their business continuity planning, recovery and resolution planning, third-party dependency management, and other relevant risk management frameworks. 

To prevent critical operations from being affected by threats and vulnerabilities, banks should have adequate controls and procedures in place to identify and assess threats in a timely manner. These functions should regularly evaluate the effectiveness of the implemented controls and procedures. Moreover, these assessments should be conducted after any changes are made to any of the underlying components of the critical operations, and after incidents, in order to incorporate lessons learned and potential threats and vulnerabilities that may have caused the incident. 

Under the overall management of operational risk, banks must leverage change management capabilities as a means for assessing potential effects on the delivery of critical operations and the interconnections and interdependencies among them.

Business continuity planning and testing

Principle 3: Banks should develop business continuity plans and carry out business continuity practices under scenarios that are severe but plausible to determine if they can maintain critical operations in the face of disruption.

When assessing the impact of potential disruptions, an effective business continuity plan should be forward-looking. It is important to conduct and validate business continuity exercises that incorporate a variety of severe but plausible scenarios. 

In order to assess the risks and potential impact of various disruption scenarios on critical operations, a business continuity plan should identify critical operations and key internal and external dependencies. The plans should include business impact analyses and recovery strategies, as well as programs for testing, training, and awareness, and programs for communication and crisis management.

The business continuity plan should include the development, implementation, and maintenance of regular business continuity exercises that cover critical operations, including those dependent on third parties and intragroup entities. As part of business continuity exercises, employees should be trained in operational resilience awareness so that they can respond effectively and adapt to incidents.

Detailed guidance for implementing the disaster recovery framework for the bank should be provided by the business continuity plan. These plans should develop the roles and responsibilities for managing operational disruptions and provide comprehensive guidance with respect to the succession of authority in the event of a disruption that impacts key personnel. Moreover, these plans should clearly establish the internal decision-making process and define the triggers for invoking the bank’s business continuity plan.

A bank’s business continuity plans for the delivery of critical operations and critical third-party services within their recovery and resolution plans should be aligned with their operational resilience approaches.

Mapping interconnections and interdependencies

Principle 4: Following the identification of its critical operations, the bank should map the internal and external interconnections and interdependencies necessary for the delivery of critical operations consistent with its approach to operational resilience.

In each of the respective functions, people, information, processes, facilities, and the interconnections and interdependencies among them should be mapped (i.e., identified and documented) as required to facilitate the critical operations of the bank, including those that depend on, but not limited to third parties or intragroup arrangements.

Banks may use their recovery and resolution plans to define critical operations and to analyze whether their operational resilience approaches are aligned with the organization mappings of critical operations and of critical third-party services contained in their recovery and resolution plans.

The approach and level of granularity of mapping should be sufficient for banks to identify vulnerabilities and to support testing of their ability to deliver critical operations through disruption, as described in Principle 3, considering the bank’s risk appetite and tolerance for disruption.

Third-party dependency management

Principle 5: Banks should manage their dependency on relationships, including those of third parties and intragroup entities, in order to deliver critical operations.

Prior to entering into arrangements with third parties and intragroup entities, banks are required to perform due diligence and a risk assessment in line with their operational risk management framework, their outsourcing/third-party risk management policy, and how they manage operational resilience.

Before entering into such an arrangement, the bank should assess whether the third party, including, if relevant, the intragroup entity to these arrangements, has at least an equivalent level of operational resilience to safeguard the critical operations of the bank’s normal circumstances as well as during disruptions.

Prior to entering into any arrangement, including those with third parties or intragroup entities, banks are expected to conduct a risk assessment and due diligence in accordance with the operational risk management framework of the bank, outsourcing/third-party risk management policy, and operational resilience approach. Before entering into such arrangements, a bank should assess whether the third party, including, if applicable, the intragroup entity involved, has at least an equivalent level of operational resilience to safeguard the critical operations of the bank in normal circumstances as well as during disruptions.

Banks are required to develop business continuity and contingency plans and exit strategies in case of a third-party failure or disruption affecting critical operations. 

Banks should evaluate the availability of substitutes for the services provided by third parties, as well as other suitable alternatives that could facilitate operational resilience in case of a third-party outage. These alternatives may include bringing the service back in-house.

Incident management

Principle 6: Banks are expected to develop and implement response and recovery plans to address incidents that may disrupt their critical operations in line with their tolerance for disruptions and risk appetite. Banks are required to consistently improve their incident response and recovery plans by taking into account the lessons learned from previous incidents.

In order to improve the bank’s response and recovery capability, banks are required to maintain an inventory of internal and third-party resources for incident response and recovery.

A comprehensive incident management program covers the life cycle of an incident, which usually includes, but is not limited to:

1. The classification of the severity of an incident in accordance with predefined criteria (e.g., the expected time for a return to normal business operations), which enables the allocation of resources to respond to an incident accordingly.
2. The incident response and recovery procedures, including their connection to the business continuity of the bank, disaster recovery, and other associated management plans and procedures.
3. Implementing communication plans to effectively communicate incidents to internal and external stakeholders (e.g., regulatory authorities), as well as analyzing the lessons learned following an incident.

The bank should review, test, and update incident response and recovery procedures. In addition, banks should identify and address the root causes of incidents to prevent or minimize serial recurrence. 

When updating the incident management program, lessons learned from previous incidents, including those experienced by others, should be considered. A bank’s incident management program should be able to manage all incidents affecting the bank, including those caused by third parties and intragroup entities.

ICT, including cyber security

Principle 7: Banks are required to ensure resilient ICT, including cyber security that requires regularly tested protection, detection, response, and recovery programs, incorporate appropriate situational awareness, and convey relevant, timely information for risk management and decision-making processes that fully comply with and support the delivery of critical operations of the bank.

Banks are required to have a documented ICT policy, including cyber security, which specifies governance and oversight requirements, risk ownership and accountability, ICT security measures, monitoring and assessing cyber security controls, incident response, and business continuity and disaster recovery plans.

Banks must identify their critical information assets and the infrastructure that they depend on. In addition, banks should prioritize their cyber security efforts based on their ICT risk assessment and on the importance of critical information assets to their critical operations while complying with all applicable legal and regulatory requirements relating to data security and confidentiality. To maintain the integrity of critical data in the event of a cyber event, banks should develop plans and implement controls, like secure storage and offline backup on immutable media. In order to ensure their resilience to ICT-related risks, banks should regularly evaluate the threat profile of their crucial information assets.