Operational resilience is a hot topic right now. The Prudential Regulation Authority, the Financial Conduct Authority, the Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Deposit Insurance Corporation have all recently released joint policy statements or guidance on the topic.
This blog summarises the latest document from the Basel Committee on Banking Supervision (BCBS), Principles for operational resilience, which outlines the following seven key operational resilience principles for banks to focus on:
- Governance
- Operational risk management
- Business continuity planning and testing
- Mapping interconnections and interdependencies
- Third-party dependency management
- Incident management
- ICT including cyber security
The principles should be implemented “on a consolidated basis to banks consistent with the scope of the Basel Framework,” says the guidance.
Governance
According to the BCBS, the board of directors should be responsible for reviewing and approving the bank’s approach to operational resilience, taking into consideration its risk appetite and tolerance for disruption. The board should also ensure that its operational resilience approach is widely understood, “through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intragroup entities.”
Senior management should implement the bank’s approach, oversee allocation of relevant resources and should be responsible for providing reports on the operational resilience of the bank’s business units.
Operational risk management
The operational risk function should work with other functions within the bank to manage any potential risks to critical operations. Risk management frameworks for areas such as business continuity planning, third-party dependency management, and recovery and resolution planning should all be coordinated.
Controls and procedures should be in place to identify threats to critical operations and should be assessed regularly – especially in the event of any changes made to the individual components of critical operations, or after an incident has occurred.
Business continuity planning and testing
To ensure operational resilience, business continuity planning should:
- include “severe but plausible” scenarios which incorporate disruptive events
- identify critical operations and their key internal and external dependencies in order to assess the risks to those critical operations
- maintain a regular business continuity exercise incorporating critical operations and anything linked to these
- support operational resilience awareness
- provide detailed guidance for implementing the bank’s disaster recovery framework.
Mapping interconnections and interdependencies
Once critical operations have been identified, banks should then map any interconnections and interdependencies that these critical operations rely upon to function, including all relevant people, technology, processes, information and facilities.
Third-party dependency management
Banks should carry out a risk assessment before entering into a third-party agreement and should verify whether the third party has “at least equivalent level of operational resilience to safeguard the bank’s critical operations in both normal circumstances and in the event of disruption.” The guidance also recommends looking at other viable alternatives to third-party arrangements should a disruption occur, such as bringing those operations back in-house.
Incident management
An inventory of incident response and recovery resources should be maintained, including both third-party and internal resources. Incident management should cover the entire life cycle of an incident, including severity classification, response and recovery procedures, communication plans for reporting incidents to all stakeholders, and lessons learned.
Incident management procedures should be reviewed, tested and updated regularly and root causes should be identified to help avoid recurrence.
ICT including cyber security
A bank’s ICT policy should be fully documented and include governance and oversight responsibilities, risk ownership and any ICT security measures currently in place. Cyber security controls, incident response and business continuity and disaster recovery plans should be reviewed and monitored periodically.
Critical ICT assets must be identified and their security measures tailored to protect those assets which are most significant to the bank’s critical operations, including plans to safeguard critical data in the case of a cyber security risk event.