Operational resilience, the idea of a “bend, don’t break” strategy, has long been a focus of policy makers and regulators throughout the globe. The increased length of multinational supply chains and the operational complexity that globalisation engenders mean that firms must be ready and able to overcome the most perverse of obstacles. Even a 400-metre tanker in the Suez Canal.
Within the financial sector, the havoc wreaked from the Great Recession highlighted resilience as one of the key risks and concerns impacting firms. As such, financial regulators globally have been forced to reconsider how they must guide the sector to address this more effectively.
Last week, the Central Bank of Ireland became the latest National Competent Authority to set out its approach to addressing operational resilience. They published a cross industry consultation paper, CP140, detailing 15 principle-based guidelines to drive all financial sector firms to achieve a standard level of operational resilience.
One of five strategic themes of the CBI, as outlined in its 2019-2021 strategic plan, has been to strengthen resilience with the goal of equipping the financial system with the tools and capabilities to cope with external shocks and future crises. The publication of this consultation paper is the latest step in the journey to completing this strategic objective.
An Operational Resilience Maturity Assessment was conducted across a sample of financial services firms in Q4 of 2020. The results gathered from that exercise have informed the consultation paper.
This publication follows closely after the March 2021 publication of the cross industry guidance on Outsourcing, with effective outsourcing management being one of the key parameters to achieving resilience due to the reliance on internationally-based outsource providers to support operations. There are cross-overs and synergies between the guidelines set out in the two papers, to ensure that the management of third parties underpins the resilience of firms and the whole Irish financial system.
The consultation paper on operational resilience looks to and aligns with existing regulation on the topic, with the approach regarding important business services and impact tolerances aligning to the UK regulators’ approach. There are also elements that feed from the EU Digital Operational Resilience Act (DORA), particularly around the focus on ICT and cyber resilience. The CBI states that it intends these guidelines to align with international thinking and allow for a cross-jurisdictional approach to the application of operational resilience.
The CBI defines operational resilience as:
“the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption”.
This is aligned with the FCA’s description.
Operational resilience is not an activity, but an end state. Design and management steps and activities are taken to improve operational resilience.
The CBI describes operational resilience as an evolution of operational risk and business continuity management (BCM), with firms building an end-to-end comprehension of the services received by their customers, and the activities and processes underpinning them.
Operational resilience is predicated on the fact that things do go wrong: not all potential hazards can be prevented. Operational resilience sets out a firm’s ability to react to and recover from such events through building out capabilities to deal with them.
The paper is split into three pillars (Identify and Prepare; Respond and Adapt; Recover and Learn) that guide a firm through the core principles of operational resilience. There are 15 specific guidelines split between these pillars, which provide the journey and steps required to achieve and continuously enhance a firm’s operational resilience.
Key themes that flow through the paper include:
As with the outsourcing papers, the audience of the consultation paper is defined as the board and senior management team, with the CBI driving home the requirement for boards to be informed, trained and accountable for the operational resilience of their firm. Boards cannot afford to delegate this responsibility, overlook it, or lack focus on their incumbent responsibilities.
The approach outlined in the guidance shifts the focus of harm from just the firm to a broader, more holistic viewpoint. The importance of business services, the impact of disruption to customers and overall market integrity must be considered alongside the firm’s own safety, soundness and viability. The aim of the CBI is to ensure that risks to a firm’s operational continuity do not transmit to other market participants and that the impact on customers’ interests is limited.
For informed decision-making and effective actions to be taken, reporting and management information (MI) needs to underpin the framework. Escalations and standardised reporting structures must be in place, right up to the board to enable oversight and governance for both:
A high standard of data and information is required to allow operational resilience to operate effectively.
Operational resilience relies on the effectiveness of existing pillars and capabilities within a firm, including: governance; risk; third party management; business continuity management; ICT and cybersecurity. Operational resilience aspects need to be woven into the existing frameworks, policies and responsibilities, and not siloed or set outside of the existing structures/functions.
The prevalence of operational resilience risk comes on the back of global interconnectedness. To successfully combat this risk, internal interconnectedness is paramount – which is achieved through cross-functional embedding of operational resilience. These interdependencies and reliances are where operational resilience is either successfully embedded or fails to be effective in times of disruption. The mapping of people, processes, technology, facilities, third parties and data to important business services will need to be undertaken collaboratively across the business’s capabilities.
This is a key area of focus, with the outsourcing consultation paper being published within weeks of the operational resilience paper. The dependencies on third parties need to be fully understood and considered before entering into any outsourcing arrangement and then considered as part of scenario testing, continuity and incident management. The regulator calls for a firm to ensure that for any third parties for which there exists a critical dependency, the operational resilience of that party is of a standard equal to the firm itself.
The consultation paper aims to guide firms on the steps they need to take to achieve an adequate level of resilience, rather than being prescriptive about the outcomes and parameters of each step. There are suggestions of what to consider, which decisions need to be made, and the specific governance checks to challenge and ratify. The guidance gives firms enough flexibility to determine their own decision-making process. Senior management is expected to have a multi-year operational resilience strategy that increases in sophistication and evolves over time. Firms should undertake a bespoke self-assessment with sufficient detail to enable decision-making to meet the desired outcome of the consultation papers. The third pillar, Recover and Learn, is focused on continuously improving a firm’s approach and maturing its framework.
Consultation on CP140 is open until 9 July and the operational resilience guidance is expected to be published in the latter part of 2021. Firms should reflect on the consultation papers, their end-to-end mapping of important business services, related people, processes, technology and data, and the alignment of their business continuity, incident management, third party risk management and cybersecurity frameworks to form a view on potential impact.
EY, on behalf of its clients, can submit a response to the consultation with its views on the regulator’s proposals. Don’t hesitate to reach out if you have a question.