Five key considerations in the new BCBS operational resilience paper

The Basel Committee on Banking Supervision’s Principles for operational resilience outlines the vision that the global regulatory body has for this emerging discipline. There is quite a bit to digest in this paper, but there are five key considerations to be found within the document that firms should not overlook as they read it and prepare to implement – or upgrade – their own operational resilience programmes. These include:

  1. Operational risk is the home for operational resilience. According to the Principles for operational resilience paper, “The bank’s operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.” Regulators are once again underscoring the central role that operational risk management should play within financial services firms. Moreover, this text underscores the need for operational risk to have access to joined-up governance, risk and compliance (GRC) data from across the organisation to help coordinate the operational resilience efforts.

  2. Third-party risk management is a growing focus. The role of third parties in operational resilience preparedness and response is underscored several times in the paper, highlighting the increasing attention that regulators around the globe are placing on third-party relationships across a variety of regulatory topics. For example, the operational resilience paper says: “The board of directors should take an active role in establishing a broad understanding of the bank’s operational resilience approach, through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intragroup entities.” Spelling out a board-level responsibility for operational resilience communication to third parties shows just how much regulators want accountability for third-party relationships situated at the highest levels within firms. For UK firms, this translates into allocated accountabilities under the Senior Managers & Certification Regime.

  3. Focus on the customer and capital. There has been much industry discussion about the cultural implications of the shift in focus that operational resilience makes towards customers and other external stakeholders. Risk management, it is said, is inward-looking while operational resilience is outwardly directed. It is a good thing for regulators to specifically call out the need for this external focus through the work on operational resilience – it is too often overlooked and should also be a much greater part of thinking around risk management. However, firms should be under no illusions – the ultimate goal of both risk management and resilience is the preservation of capital. After all, without capital, there is no way forward for firms, or their customers. Operational resilience is designed to boost confidence in individual firms and the financial system as a whole among customers and other stakeholders, potentially reducing systemic risk and the need for firms to dip into their regulatory capital in the event of a mass cyberattack, for example.

  4. Embrace three levels of risk appetite. The operational resilience paper implies that regulators understand there to be three levels of risk appetite: expected (i.e. residual), unexpected (towards inherent but not necessarily at inherent) and stressed (now the resilience level). Firms should bake these three levels into their risk appetite-related processes, connecting risk and resilience together at a strategic level for the organisation. By doing this, the board and senior managers will be better able to understand the position of the firm vis-à-vis risk and resilience. This will translate into improved decision-making about investment in operational risk and operational resilience initiatives.

  5. Keep operational risk goals in mind. The interrelationship between operational risk and operational resilience needs to be woven into the organisation’s framework and processes for both. For example, the operational resilience paper says that “The goal of incident management is to limit the disruption and restore critical operations in line with the bank’s risk tolerance for disruption.” However, this is just one goal – the operational resilience goal. The operational risk goal is to deliver a robust root cause analysis. Firms need to keep this in mind as they shape their incident management response processes. Firms also need to be able to connect operational risk data and processes to operational resilience ones within the GRC software they use – the frameworks need to be closely aligned so that activities are mutually supportive and not duplicative.

Financial services firms around the globe can expect regulators in their jurisdictions to publish consultations and new guidance or rules for operational resilience soon. No doubt each regulator will have its own nuances on these five considerations. It’s important for firms to step back and not view operational resilience as “just a compliance project”. Rather, they should view it within the wider, strategic context of their overall approach to GRC and the organisation’s business objectives. To speak with us about your operational resilience framework, contact RiskLogix-Solutions.
