Background
Operational resilience in the financial services sector is a key concern across the European regulatory landscape, and Ireland is no exception. Operational resilience became a key issue as a result of disruptions faced in the financial services industry on foot of cyber-attacks, political unrest, technology incidents and natural disasters. In particular, as reliance on international outsourced service providers has become the norm across the sector, firms’ operations have become increasingly complex and contingent on third-party resources.
In recent years, the Central Bank of Ireland (the “Central Bank”) made operational resilience a focal point, publishing Cross Industry Guidance on Operational Resilience (the “Guidance”) in December 2021 following a consultation with a wide range of industry stakeholders. The consultation process provided stakeholders with an opportunity to highlight their concerns and queries around the proposed guidance. The primary themes which arose on foot of the consultation were:
- Proportionality;
- International alignment;
- Governance and board ownership;
- Critical and important business services;
- Mapping of outsourced services providers;
- Impact tolerances; and
- Scenario testing.
Notwithstanding the extensive feedback received through the consultation process, the finalised Guidance remains largely unchanged from the draft Guidance issued in April 2021, save for some additional reassurance around the application of the Guidance.
The Guidance serves to delineate the expectations of the Central Bank in a clear manner and to reduce ambiguity around best practices in operational resilience. This is achieved through the adoption of the three pillars of Operational Resilience:
- Identify and Prepare;
- Respond and Adapt;
- Recover and Learn.
The Central Bank explains that “these three pillars support a holistic approach to the management of operational resilience and related risks and create a feedback loop that fosters the perpetual embedding of lessons learned into a firm’s preparation for operational disruptions.”
Additionally, one of the key takeaways from the Guidance is that operational resilience cannot simply be treated as a routine exercise at board level. The Central Bank has made clear that it expects to see boards and senior management “adopt measures to strengthen and improve their operational resilience framework.”
The challenge now presented to financial institutions, their boards and senior management, is how to apply the Guidance effectively across day-to-day management as well as in respect of longer term planning and strategy. With this in mind, Matheson has compiled what we refer to as the “10 Steps to ensuring Operational Resilience”. We hope that these steps will support your firm in the task that lies ahead.
Step One: Review the Guidance
Ultimate responsibility for the approval and oversight of a firm’s operational resilience framework rests with the board. Therefore, it is vital that boards and senior management fully inform themselves around what’s expected under the Guidance. From the outset, firms must ensure that the Guidance has been reviewed and that all board members and senior management are familiar with its content.
Step Two: Approve an Operational Resilience Framework
A firm must ensure that its existing governance frameworks and committee structure include responsibilities with respect to operational resilience. An Operational Resilience Framework should align with the Operational Risk and Business Continuity Frameworks of a firm, or alternatively one framework could be implemented encompassing all risk areas.
Step Three: Embed Resilience
Implementation of a suitable Operational Resilience Framework should be a holistic, cross-departmental exercise, in particular ensuring that the following areas are catered for:
- Operational risk;
- Cyber and information technology;
- Business continuity management;
- Incident management; and
- Communication plans.
Step Four: Identify Critical or Important Business Services
In order to effectively safeguard against operational disruption and risk, a firm must identify which services within its business are critical or important. To categorise these services correctly, a firm should consider whether there would be a material impact on the consumer in a disruption event affecting that service. By way of example, a firm should consider the following questions when evaluating whether a business service is critical or important:
- would a disruption cause material customer detriment or threaten policyholder protection;
- would it harm market integrity;
- would it impact the firm's viability, safety and soundness; and/or
- would it negatively impact the firm’s overall financial stability.
Step Five: Identify Impact Tolerances
An impact tolerance represents the maximum level of disruption which can be tolerated by a critical or important business service before the disruption represents a risk to the firm or could cause detriment to the consumer.
It is important to differentiate between standard risk appetite and impact tolerance. Standard risk management and risk appetite processes are focussed on minimising risk to a firm, through controls that reduce the impact and probability of a disruption event arising. Operational resilience focuses on building a firm’s capabilities to deal with risk events when they materialise, rather than purely focussing on building defences to prevent risks from occurring. By developing impact tolerances a firm can quantify the maximum level of disturbance a service can withstand, allowing it to prioritise restoration of services appropriately following a disruption.
Step Six: Map the Processes to Deliver a Critical or Important Business Service
In order to ensure that critical or important business services do not exceed their impact tolerances, an analysis of the method and processes involved in the delivery of the service must be undertaken. Mapping how the service is delivered should include identifying the following:
- key members of staff involved in the delivery of the service;
- facilities and technology required; and
- any third parties or outsourced service providers involved in the provision of the service.
By mapping interconnections and interdependencies, the firm can effectively identify any points of potential failure, dependencies or key vulnerabilities.
Step Seven: Implement ICT and Cyber Resilience Strategies
As technology is central to the effective and efficient operation of most businesses, it needs to be treated as a vital component of the operational resilience of a firm. This means that a firm must ensure not only that its technology is suitable for its business needs but also that all possible weaknesses and vulnerabilities have been identified where technology is relied upon to provide a critical or important business service.
Further, the Central Bank has advised that firms must consider the Central Bank’s Cross Industry Guidance in respect of Technology and Cybersecurity Risks and all relevant European Supervisory Authorities’ Guidance.
Step Eight: Perform Annual Review and Stress Testing
In order to ensure operational resilience, a firm must carry out stress testing exercises in respect of severe but plausible scenarios. Severe but plausible scenarios can be identified by clearly mapping the processes of and vulnerabilities affecting the critical or important business services identified.
Testing should be completed on an annual basis at a minimum.
Step Nine: Implement Business Continuity Management
Business continuity management should form part of the overall approach to operational resilience, including the implementation of a Business Continuity Plan. Further, internal and external crisis communication plans should be designed and form part of either the Operational Resilience Framework or the Business Continuity Plan.
Step Ten: Implement Lessons Learned
Following a disruption to a critical or important business service, the firm should reflect on lessons learned from the incident. The analysis of the lessons learned should include both successes and failures which occurred in the remediation process, as well as the instigating factors which led to the incident. By critically evaluating the approach taken in respect of a disruption, deficiencies can be identified and rectified and recovery processes can be improved allowing for better responses in the future.
Conclusion
The Central Bank has stated that it will deploy risk-based supervisory engagement to assess the core principles of operational resilience in firms and to drive the enhancement and maturing of operational resilience across the financial system. This engagement includes an assessment of a firm’s ability to determine appropriate impact tolerances for its critical or important business services and to test its ability to remain within those impact tolerances under severe but plausible scenarios.
From a timing perspective, there is a maximum 2-year timeframe for implementation of the Guidance. By December 2023, all firms will need to be in a position to demonstrate the actions and plans in place to comply with the Guidance.
For further information or advice in respect of preparing your firm for compliance with the operational resilience requirements, please get in touch with a member of the team or your usual Matheson contact. Full details of Matheson's Financial Institutions group, together with further updates, articles and briefing notes written by members of these teams, can be accessed at www.matheson.com.
This material is provided for general information purposes only and does not purport to cover every aspect of the themes and subject matter discussed, nor is it intended to provide, and does not constitute or comprise, legal or any other advice on any particular matter. For detailed and specific professional advice, please contact any member of our Financial Institutions Group.