On March 31, 2021, the Basel Committee on Banking Supervision (the “BCBS”) published the Principles for Operational Resilience, aiming to promote a principle-based approach to improving the operational resilience of banks, making them better able to withstand, adapt to and recover from severe adverse events. Concurrently, BCBS also updated the Principles for the Sound Management of Operational Risk (PSMOR) reflecting the natural relationship between operational resilience, operational risk and Basel III reforms.
This publication follows consultation on both documents in August 2020. In recent years, and accelerated by COVID-19, the growth of technology-related risks has led banks to strengthen their operational resilience. The two sets of principles are meant to complement each other, enabling banks to better absorb shocks from operational risks and providing additional safeguards to the financial system as a whole.
Principles for Operational Resilience
The Committee established seven principles for operational resilience:
- Governance: Banks should adapt their governance structure to allow them to respond, adapt, recover and learn from disruptive events to minimize their impact on delivering critical operations. Examples include: properly allocating their financial, technical and other resources, providing timely reports on business units to the board and establishing clear communication of their approach to resilience and its objectives to all relevant parties;
- Operational risk management: Banks should leverage their management of operational risk to identify external and internal threats, including potential failures in people, processes and systems on an ongoing basis through assessing the vulnerabilities of critical operations and managing the resulting risks. Examples include: coordinating business continuity frameworks, third-party dependency management and recovery and resolution planning, implementing controls and procedures to identify threats and vulnerabilities in a timely manner and leveraging change management capabilities to assess the potential effect on critical operations and on their interconnections and interdependencies;
- Business continuity planning and testing: Banks should have a business continuity plan in place and stress test the plan under a range of severe but plausible scenarios to test their ability to deliver critical operations through disruption. The paper outlines essential considerations for a successful business continuity plan: the identification of critical operations, key internal and external dependencies, business impact analyses and recovery strategies. Business continuity plans and recovery and resolution plans should be consistent with a bank’s operational resilience approach;
- Mapping of interconnections and interdependencies of critical operations: Once banks identify their critical operations, they should map out the internal and external interconnections and interdependencies that are necessary or critical to operations. The mapping should include sufficient granularity for banks to identify vulnerabilities;
- Third-party dependency management: Banks should manage their dependencies on relationships, including those with third parties or intragroup entities, for the delivery of critical operations;
- Incident management: Banks should develop and implement response and recovery plans to manage incidents that could disrupt critical operations in line with their risk appetite and tolerance for disruption. Lessons learned should also form part of the continuous improvement of incident response and recovery plans; and
- Resilient information and communication technology (ICT), including cyber security: Banks should ensure that ICT includes protection, detection, response and recovery programs that are regularly tested, incorporate appropriate situational awareness and convey relevant, timely information for risk management and decision-making processes, to fully support and facilitate the delivery of a bank’s critical operations.
Principles for the Sound Management of Operational Risk (PSMOR)
In 2014, BCBS conducted a review to assess the extent to which banks had implemented the PSMOR. The outcome of the review pointed to some implementation gaps related to:
- Risk identification and assessment tools, including risk and control self-assessments (RCSAs), key risk indicators, external loss data, business process mapping, comparative analysis and monitoring of action plans generated from various operational risk management tools;
- Change management programmes and processes;
- Implementation of the three lines of defence, especially by refining the assignment of roles and responsibilities;
- Board of directors and senior management oversight;
- Articulation of operational risk appetite and tolerance statements; and
- Risk disclosures.
In addition, recognizing that the previous version of the PSMOR did not adequately capture certain important sources of operational risk, the BCBS introduced a new principle which highlights the importance of effective ICT risk management programs and their contribution to the effectiveness of control environments. According to the BCBS, ICT risk management can reduce a bank’s operational risk exposure to direct losses, legal claims, reputational damage, ICT disruption and misuse of technology in alignment with a bank’s risk appetite and tolerance statement. It contends that boards of directors should regularly oversee the effectiveness of a bank’s ICT risk management program and that senior management should routinely evaluate its design, implementation and effectiveness and develop approaches to ICT risk for stressed scenarios caused by disruptive external events.
Given the recent pandemic environment, many banks have increased their technological reliance and their technological capabilities. With such pervasive changes, it may be prudent for banks to proactively reassess the strength of their overall operational resilience. The new guidance from BCBS serves as a great tool and checklist to start this self-assessment.
The new BCBS principles have made their way to Canada through the Office of the Superintendent of Financial Institutions (“OSFI”), which has outlined, as part of its 2021-22 priorities, improving the preparedness of financial institutions in identifying and developing resilience to non-financial risks before they negatively affect their financial condition. In connection with these priorities, see our blog post on OSFI’s consultation, Developing financial sector resilience in a digital world: Selected themes in technology and related risks.