Operational resilience starts from the understanding that disruptions and incidents are a certainty for organisations over time. Firms therefore need to work to better identify, recover from and learn from critical business service outages, so as to avoid harming their customers, themselves and the wider financial ecosystem, and to build greater trust with the public, regulators and others in the industry.
The harm that operational disruptions have caused firms and their customers over the past decade has brought operational resilience to the forefront of the regulatory agenda. In response, there has been an influx of guidance from regulators across the globe, with the Central Bank of Ireland’s (CBI) guidance being one of the latest additions to this cohort. Following the initial consultation process in Q1 2021, the CBI released the Cross-Industry Guidance on Operational Resilience in December 2021.
With the introduction of this Guidance, the CBI is seeking to deliver on its 2018 strategic commitment to strengthen resilience throughout the financial system. The Central Bank’s stance on the importance of operational resilience was further underlined by recent enforcement actions against firms for failing to ensure continuity of service in the event of a significant IT disruption and for outsourcing-related control failings.
The Guidance initiates a holistic operational resilience approach across the financial sector and is intended to align with its UK, European and US counterparts, allowing multi-jurisdictional firms to create a single operational resilience framework and overall approach.
The CBI defines operational resilience as ‘the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption’.
The Guidance is centred on four core principles:
- Board accountability and ownership of the operational resilience framework;
- Identification of critical or important business services and all activities, including people, technology and processes to deliver these services;
- Setting of impact tolerances for each of these identified critical or important business services and testing the firm’s ability to stay within these tolerances; and
- Continual enhancement of the firm’s operational resilience by incorporating learning into the process.
The CBI expects firms to actively and promptly address operational resilience vulnerabilities and to be in a position to evidence the actions and plans taken to apply the Guidance by December 2023 at the latest.
The approach to achieving and continually managing operational resilience is focused on three pillars, “Identify and Prepare”, “Respond and Adapt” and “Recover and Learn”, which are further elaborated across 15 guidelines as follows:
Pillar 1: Identify and Prepare
- Guideline 1: Board accountability for the operational resilience framework
- Guideline 2: Alignment of the operational resilience framework with existing governance and risk management frameworks
- Guideline 3: Board approval of criteria for identifying critical or important business services
- Guideline 4: Identification of critical or important business services
- Guideline 5: Approval of impact tolerances for each critical or important business service
- Guideline 6: Development of impact tolerance metrics
- Guideline 7: Mapping of critical or important business services
- Guideline 8: Capturing of third party dependencies as part of mapping
- Guideline 9: ICT and Cyber Resilience strategies integrated with operational resilience
- Guideline 10: Completion of scenario testing of impact tolerances
Pillar 2: Respond and Adapt
- Guideline 11: Business Continuity Management integrated with operational resilience
- Guideline 12: Incident Management integrated with operational resilience
- Guideline 13: Internal and external crisis communication plans integrated with operational resilience
Pillar 3: Recover and Learn
- Guideline 14: Lessons learned exercise to be conducted following disruptions
- Guideline 15: Embedding a culture of continuous learning and improvement
Changes from Consultation Paper (CP) 140 to the final guidance
- Operational Risk and Operational Resilience Framework Alignment
The final guidance has been amended to state that a firm should develop a documented operational resilience framework that is “aligned with the Operational Risk and Business Continuity Frameworks” rather than one “incorporating the Operational Risk and Business Continuity Frameworks”. This gives firms the flexibility to maintain their existing frameworks, with their related processes and reporting, while establishing alignment with the operational resilience framework.
- Number of critical or important business services
The final guidance has amended the observation that larger firms are likely to identify a larger number of critical or important business services than smaller firms. The finalised guidance states that the number of critical or important business services should be proportionate to the nature, scale and complexity of the business. This means that the number of important business services is driven primarily by the business model and the range of products and services the firm operates, rather than by the size of the organisation itself.
- Impact tolerances can be both qualitative and quantitative
The definition of impact tolerance has been amended. The final guidance states that impact tolerances “determine”, rather than “quantify”, the maximum acceptable level of disruption to a critical or important business service. This gives organisations the flexibility to choose the form of tolerance, qualitative or quantitative, that best represents an impact tolerance breach.
- Third-party resilience
Another key change relates to third-party resilience. Where CP140 noted that Outsourced Service Partners (OSPs) should have “at least, equivalent” levels of operational resilience to the firm, the final guidance has amended this to “a firm should undertake due diligence in respect of its OSPs prior to entering into an outsourcing arrangement, to ensure that third party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances”. This is a more practical requirement than trying to establish equivalence between resilience mechanisms across different organisations.
- Role of the Board
A core principle of the Guidance is the enhanced role the Board must play in shaping the resilience of the firm. The Guidance explicitly calls for the Board to be educated on operational resilience and to periodically review operational resilience management information (MI), in addition to a number of discrete formal reviews and approvals of: the operational resilience framework; the criteria for important business services; the identified critical or important business services; impact tolerances; business service maps; scenario testing results; remediation plan results; communications plans; and the self-assessment.
Given this increase in the Board’s responsibilities, firms will need to proactively engage with their Board both early on and regularly throughout their operational resilience journey over the coming 18 months. Board approvals should also be factored into the timelines of a firm’s operational resilience programme. Consideration should also be given to the imminent Senior Executive Accountability Regime (SEAR), which will formally define accountabilities, including those for operational resilience, at senior executive level.
- Business service lens
Business services, in the context of operational resilience, are services provided to an external customer or market participant and encompass all key activities comprising this service. This end-to-end service lens will in many cases be a challenge for firms who typically consider processes and underlying resources at an individual level as part of a more siloed approach. Firms must consider this when framing business services and acknowledge that each business service will span multiple functions and teams. In order to gain a full understanding of business services, institutions will require input and support from multiple stakeholders across their organisation including third parties.
- Impact tolerances
Impact tolerance, the maximum acceptable level of disruption to a critical or important business service, is a concept that is new to most institutions. Where existing recovery time objectives (RTOs) focus on the recovery of a process or system, often within a rather narrow set of scenarios, impact tolerances must take harm (to customers, the firm and the market) as the driver for setting the tolerance metrics. Furthermore, when setting impact tolerances firms must assume that contingencies are not in place. Firms should consider these assumptions and make sure key stakeholders acknowledge and understand them, so that impact tolerances are set correctly.
- Scenario testing
Firms are expected to have tested their ability to remain within the impact tolerance for each of their critical or important business services. While a firm’s existing testing capabilities can be leveraged for this activity, given the business service lens noted above, these capabilities may not be appropriate.
Firms are required to consider the extent to which their existing testing can effectively be leveraged to test their impact tolerances. Where additional testing is required, the firm should not underestimate the time and effort such an activity demands and should allow for it adequately in its operational resilience programme plans.
With firms looking to ensure compliance with the CBI’s guidance on operational resilience by December 2023, below are some key next steps that firms can take to begin that journey:
- Complete a current state analysis against the guidance and determine the maturity of the firm’s resilience capabilities
- Where gaps have been identified, strategically outline how these will be resolved prior to the deadlines
- Establish an operational resilience programme and steering committee with appropriate terms of reference and stakeholder involvement
- Appoint a senior accountable executive with responsibility for operational resilience
- Communicate with the Board to ensure they are aware of their new roles and responsibilities with respect to operational resilience
How can EY help?
EY can support you in meeting your operational resilience requirements by tailoring our operational resilience processes and frameworks to meet your specific needs and objectives. Reach out to us to discuss your requirements. Some of the common services which we have provided in the past to clients include:
- Current state assessment: perform an assessment of your current state maturity and of confidence in delivery plans to meet regulatory expectations and timelines.
- Governance and methodology: establish governance, ownership and accountability for resilience, and develop a tailored resilience methodology to guide you through the guideline requirements.
- Important business services pilot: for one or more important business services, work through the end-to-end operational resilience journey (mapping, impact tolerances, scenario testing), focusing on knowledge transfer for future important business services and on avoiding common implementation pitfalls.
- Enhancing maturity and focus of key capabilities and functions: support practical improvements to existing enterprise-wide resilience capabilities and key controls, aligning them to your business services framework; prepare and deliver training to Boards to equip them with the information they need to oversee and own the resilience of their firm.
- Management information (MI) and reporting: define tactical reporting for the programme and future-state dashboards to support active management and decision making.
If you would like more information on how EY's team of experts can help, please reach out today.