
Operational Resilience Takes Regulatory Center Stage. Are You Prepared?

25 April 2024

Introduction

Operational resilience is no longer a buzzword. It has become a top priority for financial institutions and regulatory authorities worldwide, with new regulations coming into effect in a matter of months. These regulatory guardrails are important to ensure that financial services organizations have the necessary measures in place to withstand, respond to, and recover from operational disruptions.

The Basel Committee on Banking Supervision (BCBS) published the Principles for Operational Resilience (POR) in 2021, which aims to strengthen the ability of banks to “withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets.”

The regulations that are coming into force now have been many years in the making. The efforts of regulatory authorities around the world, including the Australian Prudential Regulation Authority, the European Commission, the Financial Conduct Authority, the Hong Kong Monetary Authority, the Monetary Authority of Singapore, and others, began even before the COVID-19 pandemic, which tested the resilience of global financial institutions.

Let’s look at some of the prominent regulatory initiatives on operational resilience around the world.

United Kingdom

In the UK, the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) published their final policies on operational resilience, the FCA policy statement (PS21/3) and the PRA policy statement (PS6/21), in 2021.

Organizations have until 31 March 2025 to set up the measures and processes required to comply with the new rules. Policy Statements 21/3 and 6/21, titled Building Operational Resilience and Operational Resilience: Impact tolerances for important business services respectively, require organizations to:

  • Identify important business services
  • Set impact tolerances for each important business service
  • Perform mapping and testing to ensure they can remain within the impact tolerance set for each important business service
  • Map dependencies and resources to important business services
  • Carry out scenario testing
  • Establish governance arrangements
  • Conduct self-assessments of their ability to deliver important business services

PS21/3 applies to banks, building societies, insurers, PRA-designated investment firms, Recognized Investment Exchanges (RIEs), organizations within the enhanced scope of the Senior Managers and Certification Regime (SMCR), and authorized and registered entities under the Electronic Money Regulations 2011 or Payment Services Regulations 2017. PS6/21 applies to UK banks, building societies, and PRA-designated investment firms; and UK Solvency II firms, the Society of Lloyd’s and its managing agents.

The supervisory authorities are also working on new requirements aimed at ensuring the operational resilience of UK financial services firms in their dealings with critical third parties (CTPs).

European Union

Regulators in the EU have introduced a new regulation aimed at strengthening the “digital operational resilience” of the region’s financial sector. The entire EU financial services industry is required to comply with the Digital Operational Resilience Act (DORA) by 17 January 2025.

Primarily focused on preventing and mitigating cyber threats, the new regulation lays out requirements for strengthening the security of the network and information systems of financial sector organizations in the region, as well as of the critical third parties that provide information and communication technology (ICT)-related services to them. DORA requirements are categorized under five key pillars:

  • ICT Risk Management Framework
  • ICT Incident Management, Classification, and Reporting
  • Digital Operational Resilience Testing
  • Third-Party Provider Risk Management
  • Information Sharing

For a deeper dive into DORA, its key pillars and requirements, and key measures to ensure compliance, download our eBook, Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act.

United States

Operational resilience is also a top area of focus for financial regulatory authorities in the U.S. In 2020, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) published an interagency paper, ‘Sound Practices to Strengthen Operational Resilience’, that provided guidance to financial institutions.

“Robust operational risk and business continuity management anchor the sound practices, which are informed by rigorous scenario analyses and consider third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough surveillance and reporting,” the paper reads.

In December 2023, the Commodity Futures Trading Commission (CFTC) approved a rule proposal that requires futures commission merchants, swap dealers, and major swap participants to establish, document, implement, and maintain an Operational Resilience Framework. The commission said that the framework should be “reasonably designed” for the identification, monitoring, management, and assessment of risks relating to information and technology security, third parties, and emergencies or other significant disruptions to normal business operations.

Asia Pacific

Regulatory authorities across the region, including those in Australia, Hong Kong, and Singapore, are also focused on strengthening the operational resilience of organizations:

  • Australia: The Australian Prudential Regulation Authority (APRA) released the final cross-industry Prudential Standard CPS 230 Operational Risk Management in 2023. The standard aims to fortify the management of operational risks of all regulated entities and improve their ability to respond to business disruptions and manage the risks from the use of service providers.
  • Hong Kong: In 2022, the Hong Kong Monetary Authority (HKMA) released the new Supervisory Policy Manual (SPM) module OR-2 on Operational Resilience and a revised version of the SPM module TM-G-2 on “Business Continuity Planning”, with the objective of implementing the BCBS’s Principles for Operational Resilience (POR) issued in 2021. All authorized institutions were required to develop their operational resilience framework, along with a timeline for becoming operationally resilient, by May 2023. By 31 May 2026, these organizations need to comply with the new requirements and be operationally resilient.
  • Singapore: The Monetary Authority of Singapore (MAS) built upon its Guidelines on Business Continuity Management, first published in June 2003, to introduce principles and practices that strengthen the operational resilience of financial institutions. The revised guidelines were published in June 2022. Regulated entities were required to meet the new guidelines and develop a BCM audit plan by June 23, with the first audit to be conducted by June 2024.

As the risk landscape continues to evolve amid growing uncertainty, the regulatory focus on operational resilience will only intensify and expand beyond financial organizations to other sectors. Organizations, however, should not treat operational resilience as a mere “tick the box” compliance exercise. Done right, a strong operational resilience program can enable organizations to thrive in challenging business conditions and drive business growth and profitability.

To learn how MetricStream Operational Resilience can help you strengthen your operational resilience program, request a personalized demo today!

Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales, and sales enablement. With over 12 years of risk management solutioning experience spanning Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM), and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.