Five key considerations in the new BCBS operational resilience paper

The Basel Committee on Banking Supervision’s Principles for operational resilience sets out the global regulatory body’s vision for this emerging discipline. There is a good deal to digest in the paper, but five considerations in particular should not be overlooked by firms as they read it and prepare to implement, or upgrade, their own operational resilience programmes. These are:

  1. Operational risk is the home for operational resilience. According to the Principles for operational resilience paper, “The bank’s operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.” Regulators are once again underscoring the central role that operational risk management should play within financial services firms. Moreover, this text underscores the need for operational risk to have access to joined-up governance, risk and compliance (GRC) data from across the organisation to help coordinate the operational resilience efforts.

  2. Third-party risk management is a growing focus. The role of third parties in operational resilience preparedness and response is underscored several times in the paper, reflecting the increasing attention that regulators around the globe are paying to third-party relationships across a range of regulatory topics. For example, the operational resilience paper says: “The board of directors should take an active role in establishing a broad understanding of the bank’s operational resilience approach, through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intragroup entities.” Spelling out a board-level responsibility for communicating operational resilience objectives to third parties shows how firmly regulators want accountability for third-party relationships situated at the highest levels within firms. For UK firms, this translates into allocated accountabilities under the Senior Managers & Certification Regime.

  3. Focus on the customer and capital. There has been much industry discussion about the cultural implications of the shift in focus that operational resilience makes towards customers and other external stakeholders. Risk management, it is said, is inward-looking, while operational resilience is outwardly directed. It is a good thing for regulators to call out the need for this external focus explicitly through the work on operational resilience; it is too often overlooked and should also be a much greater part of thinking around risk management. However, firms should be under no illusions: the ultimate goal of both risk management and resilience is the preservation of capital. Without capital, there is no way forward for firms, or for their customers. Operational resilience is designed to boost confidence in individual firms and in the financial system as a whole among customers and other stakeholders, potentially reducing systemic risk and the need for firms to draw on their regulatory capital in the event of, for example, a mass cyberattack.

  4. Embrace three levels of risk appetite. The operational resilience paper implies that regulators understand there to be three levels of risk appetite: expected (i.e. residual risk), unexpected (moving towards inherent risk, though not necessarily reaching it) and stressed (the level at which resilience is tested). Firms should build these three levels into their risk appetite processes, connecting risk and resilience at a strategic level for the organisation. By doing so, the board and senior managers will be better able to understand the firm’s position with respect to both risk and resilience, which in turn supports better decisions about investment in operational risk and operational resilience initiatives.

  5. Keep operational risk goals in mind. The interrelationship between operational risk and operational resilience needs to be woven into the organisation’s framework and processes for both. For example, the operational resilience paper says that “The goal of incident management is to limit the disruption and restore critical operations in line with the bank’s risk tolerance for disruption.” However, this is just one goal: the operational resilience goal. The operational risk goal is to deliver a robust root cause analysis so that the same failure is less likely to recur. Firms need to keep both in mind as they shape their incident management processes. Firms also need to be able to connect operational risk data and processes to operational resilience ones within the GRC software they use; the two frameworks need to be closely aligned so that activities are mutually supportive rather than duplicative.

Financial services firms around the globe can expect regulators in their jurisdictions to publish consultations and new guidance or rules for operational resilience soon. No doubt each regulator will have its own nuances on these five considerations. It is important for firms to step back and not view operational resilience as “just a compliance project”. Rather, they should view it within the wider, strategic context of their overall approach to GRC and the organisation’s business objectives. To speak with us about your operational resilience framework, contact RiskLogix-Solutions.
