Operational resilience: HKMA’s guidance and expectations on OR-2

Banks have 3 years to implement their operational resilience framework and demonstrate operational resilience

Operational resilience: HKMA’s guidance and expectations on OR-2

The Hong Kong Monetary Authority (HKMA) has set out its guidance and expectations on operational resilience (OR) in the Supervisory Policy Manual (SPM): “OR-2 on “Operational Resilience”. Authorised Institutions (AIs) in Hong Kong are given 1 year for framework development, and 3 years for framework implementation and to become operationally resilient. 

Now that the deadline for OR framework development has passed (i.e. 31 May 2023), AIs should start implementing their frameworks, including but not limited to mapping the interconnections and independencies of all critical operations, conducting scenario testing to validate its ability to deliver the critical operations through disruptions and incident management, before 31 May 2026.

What should AIs achieve by the end of the implementation deadline (i.e. 31 May 2026)?

  • Complete the mapping of interconnections and interdependencies of all critical operations
  • Identify potential risks that may affect the delivery of critical operations
  • Conduct scenario testing and document any gaps or weaknesses identified and the remedial actions planned 
  • Design process of continuous improvement of mapping documentation 
  • Establish an incident management programme to manage the incidents and learning from disruptions or near misses
Operational resilience: HKMA’s guidance and expectations on OR-2

The HKMA OR-2 requirements related to implementation:

Pro person 3

Mapping interconnections and interdependencies

It is imperative to first identify and document the supporting assets of critical operations. Next, mapping the interconnections and interdependencies between these operations is essential. Lastly, identifying potential risks or disruptive events that affect or disrupt the delivery of critical operations.

Pro Document Folder

Manage risks to operations delivery

Effective risk management involves comprehensive preparations and oversight of potential threats to critical operations. This encompasses operational risk management, business continuity planning, third-party relationships, and safeguarding information and communication technology, including cybersecurity.

Pro Document Consent

Scenario testing

To ensure uninterrupted critical operations, it's imperative to consistently evaluate the system's capability and diligently address any gaps or weaknesses detected through documentation and remediation processes.

Pro Legal Briefcase

Incident management

To enhance business resilience, it's crucial to implement a comprehensive incident management program, one that carefully tracks incidents throughout their entire lifecycle. By doing so, organisations can learn valuable lessons from these incidents, ultimately strengthening their ability to withstand future challenges.

Operational resilience: HKMA’s guidance and expectations on OR-2

Role of the Board and senior management

  • Senior management should report regularly to the Board and review remedial actions planned for addressing deficiencies identified
  • The Board should prioritise the remedial actions and oversee the communication and trainings to relevant parties
  • Both the Board and senior management are required to review the OR-2 framework on a regular basis (i.e. annually)
Operational resilience: HKMA’s guidance and expectations on OR-2
Operational resilience: HKMA’s guidance and expectations on OR-2

Challenges AIs typically face

  • Resource and expertise constraints: Limited staff knowledge and/or time available to conduct comprehensive end-to-end mapping and test ability to remain within tolerance for disruption for all critical operations.
  • Lack of collaboration between front and back-office teams: Siloed organisational structures that make it challenging for front and back-office teams to collaborate effectively. This can result in insufficient granularity of mapping and hinder the ability of AIs to identify vulnerabilities.
  • Failure to demonstrate the resilience of a bank: Inability to demonstrate appropriateness of an operational resilience framework in line with the organisation's nature, size, complexity and risk profile. There are challenges showing the Board, senior management, internal auditors, regulators and other key stakeholders that the framework is fit for purpose and the bank is able to achieve resilience.
Operational resilience: HKMA’s guidance and expectations on OR-2

Why Protiviti?

We understand the challenges that AIs face and we have unique and competitive advantages that can help you achieve operational resilience. 

  • Flexible delivery model – We offer different engagement models to address client demands (i.e., project-based, staff argumentation, or hybrid). Flexible models, complemented by professional specialists to help support you in conducting mapping and scenario testing.
  • Knowledge and experience – We understand the regulatory requirements and have extensive experience utilising technology capabilities to perform process mapping and business continuity planning (BCP) testing for financial institutions. 
  • Cross-domain competencies – Our team has extensive cross-domain expertise and project management experience that promotes cross-team synergies.
  • Proven track record – We have a proven regulatory change track record of developing end-to-end process flows, conducting scenario testing and ensuring regulatory compliance for our financial services clients, which includes banks, insurance companies, asset managers and other financial institutions.
Operational resilience: HKMA’s guidance and expectations on OR-2

How Protiviti can help

Key focus areasHow we can support you…What to expect from us …
Mapping interconnections and interdependenciesAdopt technologies to visualise the end-to-end process flow for each critical operation
  • Identify the interconnections and independencies of critical operations through conducting walkthrough meetings and reviewing relevant documentation
  • Create a comprehensive end-to-end process map
  • Identify potential risks that may affect critical operations delivery
Scenario testingUse of skilled professionals to perform testing to validate the bank’s ability to deliver the critical operation under      
  • Deploy professionals to conduct scenario testing for critical      
  • Establish formal testing reports with gaps identified and propose remedial actions
OR-2 related policies upliftUtilise our team's expertise in risk management to review OR-2 related      
  • Review and uplift the OR-2 related policies
  • Draft an OR-2 policy outlining the operational resilience framework
Incident managementEstablish incident management      
programme to enable the bank to      
promptly manage, respond to and recover from an incident
  • Define incident’s severity criteria
  • Establish comprehensive internal and external communication plans for reporting incidents
  • Develop/uplift the incident management programme to enable prompt incident response and recovery
Self-assessmentAssist in performing self-assessment of      
the operational resilience framework and      
critical operations for the bank to assess      
its resilience
  • Assist in performing a self-assessment
  • Document methodology/approach, review process and lesson learnt
Project management supportEnable seamless project delivery and      
promote effective communication amongst project stakeholders
  • Manage project risks and report to the client on a timely basis
  • Facilitate an effective and efficient communication and discussion between relevant stakeholders


Find out more about operational resilience services here.


Jeffrey Hau
Jeffrey leads Protiviti Hong Kong's risk and compliance and internal audit practices with more than 20 years of experience in regulatory compliance consulting and auditing. As the leader of the financial services practice, his specific areas of focus include advising ...
Michael Pang
Michael is a managing director with over 20 years’ experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ...