In early August 2020, the Basel Committee on Banking Supervision (BCBS) released a consultative document, titled “Principles for Operational Resilience,” that proposed a pragmatic yet flexible approach to operational resilience, one intended to be principles-based. Publication of the consultative document was expected and timely, coming amid a growing regulatory focus on operational risks and the COVID-19 pandemic.
The principles outlined by the BCBS align with the overall view of operational resilience in the discussion papers published by the UK supervisory authorities, namely the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), in December 2019, although those papers present a much more prescriptive approach. This alignment among the regulatory bodies is further affirmation for many firms that have been developing or realigning their resilience programmes since the summer of 2018, when the UK supervisory authorities introduced its first discussion paper on operational resilience.
While it is similar in tone and substance to the other papers, there are some slight differences in the terms and themes used in the BCBS consultative document, a variance that may be attributed to the BCBS building on its previous papers to align to its own definitions. Nevertheless, the divergence is minimal and probably intended, as the BCBS typically strives to design potential policy measures that appeal to a wide array of stakeholders, including membership from 28 jurisdictions worldwide.
The following are two minimal differences in the BCBS’ document:
- Whereas the UK supervisory authorities note the importance of business continuity and cybersecurity, the specific callout by the BCBS on business continuity planning and testing, as well as information and communications technology (ICT) cyber security, is more pronounced. Our belief is that COVID-19 concerns compelled the BCBS to highlight these present-day concerns.
- The BCBS paper does not provide a definition for “impact tolerance” – the term that pertains to a point in time when the viability of an important business service is irrevocably threatened – or a corresponding metric. Rather, the paper calls for feedback on useful metrics for resilience, adding that “operational resilience is in a nascent stage and further work is required to develop a reliable set of metrics that both banks and supervisors can use to assess whether resilience expectations are being met.”
The concept of impact tolerance has been heavily discussed since 2018, with industry leaders and regulators considering various definitions and approaches. The UK supervisory authorities have offered some flexibility in determining impact tolerances, although they have made it clear time is an essential element. Specifically, they propose that, where relevant, institutions may decide also to include other metrics, such as volumes and values, in their impact tolerances, given that a metric based on time alone may be insufficient.
The BCBS emphasises the role of governance in achieving operational resilience. In line with other published regulatory views that setting the right “tone from the top” is essential for building resilience, the BCBS proposes that boards should be held responsible for reviewing and approving banks’ operational resilience expectations, considering each organisation’s risk appetite, risk capacity and risk profile. The BCBS’ view on governance is in lockstep with our own experience; we have consistently found that the success of a resilience programme is highly correlated to senior management buy-in and active engagement.
As the industry weighs various approaches and proposals to building resilience, an exercise that has become more urgent considering the COVID-19 pandemic, we expect operational resilience taxonomy to continue to evolve. The BCBS, which is inviting comments on its proposals through the end of the consultation period on November 6, 2020, has indicated it will monitor the impact of the pandemic and any lessons learned to help inform its final guidance on operational resilience. While we cannot anticipate the outcome of the pandemic and its influence on future guidance, we do not expect the pandemic’s impact to alter the principles proposed by the BCBS.
Meanwhile, the Federal Reserve Board, which lists operational resilience of critical systems among its 2020 supervisory priorities for large institution, is expected to weigh in on the topic by the end of the year. The Fed, through a senior official, previously signaled it is open to a rules-based approach that incorporates leading industry standards and best practices.
The UK supervisory authorities extended their consultation period from early April to October 1, 2020 to give firms more time to address COVID-19 concerns. The EU Commission is also expected to have papers forthcoming this year on the topic. We do not anticipate a similar release from the U.S. Office of the Comptroller of the Currency (OCC), although operational resilience is among the priorities in its 2020 supervision plan.
Based on the present public guidance and our analysis, we believe the UK supervisory authorities will continue to be the more prescriptive regulators on this topic, and the Fed and the EU aligning with the BCBS in tone and detail. And, while there is certainly agreement on the topic, it will be interesting to see if there are any nuanced differences in how firms are regulated under resilience.
For now, we have compiled a list of key terms and definitions around resilience (Table 1) that have so far been proposed by various regulatory bodies. This is not an exhaustive list of all regulatory proposals on operational resilience, but rather a compilation of the more developed views on this evolving topic. Some are aligned and others are not, but the intent is clear: Resilience is top of mind and not going away.
In Table 2, several high level BCBS principles are compared to relevant excerpts from the UK supervisory authorities’ papers on operational reliance. The themes discussed are consistent with those in the documents.
Table 1: List of key terms and definitions around resilience
Definition: The ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events to minimise their impact on the delivery of critical operations through disruption.
Definition: The ability of firms and financial market infrastructures (FMI) and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
Definition: Not defined
Definition: Activities performed for third parties where failure would lead to the disruption of services that are vital for the functioning of the real economy and for financial stability due to the banking group’s size or market share, external and internal interconnectedness, complexity and cross-border activities. Examples include payments, custody, certain lending and deposit-taking activities in the commercial or retail sector, clearing and settling, limited segments of wholesale markets, market making in certain securities and highly concentrated specialist lending sectors.
Definition: A service provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability.
Definition: Not Defined
Definition: A business function, which, if disrupted, is likely to have a significant impact on a financial institution, whether financially or non-financially.
Definition: Not defined
Table 2: Comparison of high level BCBS principles
Boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each of these. The operational resilience parts require that a firm’s board must approve and regularly review the firm’s important business services, impact tolerances and written self-assessment. In delivering this responsibility, boards must regularly review assessments of the firm’s important business services, impact tolerances, and the scenario analyses of its ability to remain within the impact tolerance for these important business services.
The supervisory authorities do not propose to be prescriptive on a mapping process. Firms and FMIs can develop their own methodology and assumptions to best fit their business. Firms and FMIs could use methods such as process mapping, transaction life cycle documentation, and customer journeys.
* Bank of England consultation paper: CP30/19: Outsourcing and Third-Party Risk Management
How We Help Companies Succeed
Protiviti’s financial services industry experts help organisations demonstrate and improve resilience through a robust testing programme, building upon existing business continuity management activities, IT disaster recovery and cybersecurity incident response. We work with and report to executive leaders and the board to address such questions and issues as:
- Have we formally defined the important functions and services vital to the execution of the business model?
- Are impact tolerances established and tested?
- Are “front-to-back” mappings of components of the important functions and services understood and maintained?
- Is there a structure in place to govern resilience across the enterprise properly?
- Are extreme but plausible scenarios tested regularly?
Additionally, we partner with organisations to develop their overall operational resilience internal audit plans, incorporate operational resilience into existing audits, and provide assurance over the operational resilience programme.
1 Principles for Operational Resilience, Basel Committee on Banking Supervision.
2 Building the U.K. Financial Sector’s Operational Resilience, Bank of England.
3 Principles for Financial Market Infrastructures: Disclosure Framework and Assessment Methodology, IOSCO, December 2012.
4 Proposed Revisions to Guidelines on Business Continuity Management, Monetary Authority of Singapore, March 2019.