What is Operational Resilience as per the Bank for International Settlements (BIS)?
- ResilienceNow

- Mar 20, 2024
Updated: Oct 21, 2024
Operational Resilience: A Vital Imperative in Banking
In global finance, banks stand as central pillars, supporting the intricate transactions that fuel economies worldwide. However, in the face of evolving threats and disruptions, ensuring the smooth functioning of these institutions becomes paramount. Recognizing this, the Bank for International Settlements (BIS) emphasizes the significance of operational resilience: the ability to handle problems and keep operating even when faced with disruptions.
The Challenges Banks Face
Banks deal with many factors that contribute to the evolving risk landscape, such as:
Technology Infrastructure: The rapid integration of technology into banking operations has led to increased dependency on complex infrastructure.
Third-party Service Providers: Banks increasingly rely on external service providers for critical functions, heightening vulnerability to disruptions in these services.
Pandemic Disruptions: The COVID-19 pandemic highlighted vulnerabilities in traditional operational models, necessitating adaptations to remote work environments and digital processes.
Cyber Attacks: Growing cyber threats, including ransomware attacks and phishing scams, pose significant risks to data integrity and operational continuity.
Remote Work Challenges: Greater reliance on remote working arrangements introduces new challenges in maintaining operational resilience.
In layman's terms, operational resilience is a bank's ability to keep functioning even when things go wrong. It's about managing risks well so that even if there are problems, they don't cause too much harm.
Or, in more formal terms:
Operational resilience refers to a financial institution's ability to sustain critical business operations in the face of disruptions. Achieving operational resilience requires effective management of operational risks, reducing the likelihood of losses due to outages, disruptions, or lapses in operations. Banks need to acknowledge the inevitability of disruptions and align their risk tolerance with their operational objectives.
To address operational risks comprehensively, banks leverage various business functions, including:
Disaster Recovery
Crisis Management
Third-party Risk Management
However, running these functions in silos does not guarantee operational resilience. Instead, a holistic approach that considers these elements collectively is necessary to enhance resilience.
The Seven Principles of Operational Resilience
The BIS outlines seven principles that serve as guiding frameworks for operational resilience:

1. Governance:
Utilize existing governance structures to establish, govern, and implement operational resilience.
The board of directors plays a pivotal role in approving and overseeing the resilience approach.
Senior management is responsible for execution and for allocating the necessary resources.
Clear communication of operational objectives is essential.
2. Operational Risk Management:
Identify and manage all operational risks across business units comprehensively.
Address internal and external threats, vulnerabilities, and potential failures.
Robust risk assessment processes are crucial for prioritization.
3. Business Continuity Planning and Testing:
Identify critical operations via Business Impact Analysis (BIA).
Identify internal and external dependencies.
Establish recovery strategies.
Develop and test business continuity plans for critical operations under various severe yet plausible scenarios.
Include crisis management and disaster recovery frameworks.
Ensure alignment with other operational resilience functions.
Incorporate roles, responsibilities, and communication strategies.
Define triggers and the decision-making process.
Regular testing and updates are necessary for plan effectiveness.
4. Mapping Internal and External Dependencies:
Map internal and external dependencies across all business functions.
Identify vulnerabilities and connections among people, processes, technologies, and facilities.
Thorough understanding enables proactive risk mitigation and contingency planning.
5. Dependency Management for Third Parties:
Conduct risk assessments and due diligence on third-party service providers.
Ensure equivalent levels of operational resilience and establish alternative arrangements where necessary.
Clear contractual agreements and continuous monitoring are essential.
6. Incident Management:
Establish plans for incident response and recovery, encompassing the entire lifecycle of incidents.
Integrate with existing business continuity and crisis management frameworks.
Effective incident communication and post-incident analysis are critical.
7. Information and Communication Technology (ICT) including Cybersecurity:
Maintain resilient ICT infrastructure with robust cybersecurity measures.
Maintain documented policies, governance structures, incident response plans, and controls to safeguard critical IT assets (information, infrastructure, etc.).
Regular evaluations and updates are essential to adapt to evolving cyber threats.
Summary
Operational resilience is incredibly important for banks. By adhering to the principles outlined by the BIS, banks can keep things running smoothly even in tough times. Embracing operational resilience not only helps the banks themselves but also keeps the whole financial system stable.
Key Takeaways
To be operationally resilient, banks need to:
Plan Ahead: They have to expect that problems will happen and prepare for them.
Work Together: Different parts of the bank need to coordinate to deal with issues effectively.
Learn from Mistakes: After a problem, they should figure out what went wrong and how to do better next time.