The Basel Committee on Banking Supervision (Basel Committee or BCBS) has issued the Principles for Operational Resilience in response to the impact of COVID-19 and increased awareness of operational-related risks. BCBS also updated its Principles for the Sound Management of Operational Risk (PMSOR) to keep current on these events.’
The Basel Committee views operational resilience as a critical practice for successful firms to maintain business continuity. The documents emphasize existing guidance and current practices, such as principles-based guidance on corporate governance, business continuity, and outsourcing, ultimately aiming at developing an overarching, cohesive framework.
Principles for operational resilience
The Basel Committee defines operational resilience as “the ability to deliver critical operations through disruption.” Within the last few years, COVID-19, inflation and market fluctuations have tested financial firms’ ability to withstand disruptions. While capital and liquidity requirements have bolstered banks’ ability to absorb financial shocks, more must be done to improve the banks’ ability to absorb, respond and adapt to operational risks. Banks need to focus on the threats that could cause the most harm from operational failures. These risks can include, but are not limited to, pandemics, technology failures, personnel oversights or cyber incidents. BCBS has crafted the Principles of Operational Resilience as a response to these possible events, and to provide strategies to anticipate, mitigate and respond to these potential incidents.
This principles-based approach to operational resilience offers the following seven categories as a guideline.
- The Board of directors is ultimately responsible for the review and approval of the bank’s operational risk expectations, as well as its risk appetite, risk capacity, and risk profile. They should also assess “severe but plausible” scenarios when formulating the bank’s risk tolerance for disturbances to its critical operations.
- Operational risk management
- This function uses business continuity planning to create controls and procedures to identify external and internal threats and vulnerabilities regarding people, processes, and systems sufficiently.
- Business continuity planning and testing
- This principle involves putting strategies in place to mitigate impacts of disruptions and test controls to ensure they function within an acceptable limit. Business continuity plans should routinely exercise responses to “severe but plausible scenarios” that impact critical daily operations. It should also be data and analytics driven to offer the most accurate information. This step should also address the most extreme cases of disruption to ensure action is taken among the worst disasters.
- Mapping interconnections and interdependencies
- This principle must outline all vulnerabilities and test risk tolerance levels. These vulnerabilities should reflect all areas of operations and interdependencies, whether internal or external – including people, technology, processes, information, and facilities involved in delivering critical operations.
- Third-party dependency management
- All third parties must be thoroughly vetted prior to onboarding and regularly throughout the partnership. The third party’s operational resilience conditions, safeguards and responses to disruptions must be on par with the firms’ standards of resiliency. It should be documented how disruptions within third-parties will be handled.
- Incident management
- After anticipating potential incidents, recovery plans should be strategically crafted detailing how to manage disruptions. These plans should be routinely monitored and tested to ensure they are working efficiently.
- This principle should also be used as a period of reflection and adaptation should new or evolved practices be needed to replace existing unsuccessful strategies.
- Resilient information and communication technology (ICT), including cyber security
- Security should be at the forefront of maintaining cyber operational resilience. Routine updates and monitoring should be conducted, as well as creating a documented ICT policy, including cyber security, detailing governance and oversight, risk ownership and accountability, information security, periodic testing and monitoring, and plans for incident response, business continuity, and disaster recovery.
Using these principles presented by BCBS provide a framework to maintain the most efficient strategies for optimal operational resilience.