Early Signs of Regulatory Alignment on Operational Resilience Concepts, Themes

In early August 2020, the Basel Committee on Banking Supervision (BCBS) released a consultative document, titled “Principles for Operational Resilience,” that proposed a pragmatic yet flexible approach to operational resilience, one intended to be principles-based. Publication of the consultative document was expected and timely, coming amid a growing regulatory focus on operational risks and the COVID-19 pandemic.

The principles outlined by the BCBS align with the overall view of operational resilience in the discussion papers published by the UK supervisory authorities, namely the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), in December 2019, although those papers present a much more prescriptive approach. This alignment among the regulatory bodies is further affirmation for many firms that have been developing or realigning their resilience programmes since the summer of 2018, when the UK supervisory authorities introduced its first discussion paper on operational resilience.

While it is similar in tone and substance to the other papers, there are some slight differences in the terms and themes used in the BCBS consultative document, a variance that may be attributed to the BCBS building on its previous papers to align to its own definitions. Nevertheless, the divergence is minimal and probably intended, as the BCBS typically strives to design potential policy measures that appeal to a wide array of stakeholders, including membership from 28 jurisdictions worldwide.

The following are two minimal differences in the BCBS’ document:

  • Whereas the UK supervisory authorities note the importance of business continuity and cybersecurity, the specific callout by the BCBS on business continuity planning and testing, as well as information and communications technology (ICT) cyber security, is more pronounced. Our belief is that COVID-19 concerns compelled the BCBS to highlight these present-day concerns.
  • The BCBS paper does not provide a definition for “impact tolerance” – the term that pertains to a point in time when the viability of an important business service is irrevocably threatened – or a corresponding metric. Rather, the paper calls for feedback on useful metrics for resilience, adding that “operational resilience is in a nascent stage and further work is required to develop a reliable set of metrics that both banks and supervisors can use to assess whether resilience expectations are being met.”

The concept of impact tolerance has been heavily discussed since 2018, with industry leaders and regulators considering various definitions and approaches. The UK supervisory authorities have offered some flexibility in determining impact tolerances, although they have made it clear time is an essential element. Specifically, they propose that, where relevant, institutions may decide also to include other metrics, such as volumes and values, in their impact tolerances, given that a metric based on time alone may be insufficient.

The BCBS emphasizes the role of governance in achieving operational resilience. In line with other published regulatory views that setting the right “tone from the top” is essential for building resilience, the BCBS proposes that boards should be held responsible for reviewing and approving banks’ operational resilience expectations, considering each organization’s risk appetite, risk capacity and risk profile. The BCBS’ view on governance is in lockstep with our own experience; we have consistently found that the success of a resilience programme is highly correlated to senior management buy-in and active engagement.

As the industry weighs various approaches and proposals to building resilience, an exercise that has become more urgent considering the COVID-19 pandemic, we expect operational resilience taxonomy to continue to evolve. The BCBS, which is inviting comments on its proposals through the end of the consultation period on November 6, 2020, has indicated it will monitor the impact of the pandemic and any lessons learned to help inform its final guidance on operational resilience. While we cannot anticipate the outcome of the pandemic and its influence on future guidance, we do not expect the pandemic’s impact to alter the principles proposed by the BCBS.

Meanwhile, the Federal Reserve Board, which lists operational resilience of critical systems among its 2020 supervisory priorities for large institution, is expected to weigh in on the topic by the end of the year. The Fed, through a senior official, previously signaled it is open to a rules-based approach that incorporates leading industry standards and best practices.

The UK supervisory authorities extended their consultation period from early April to October 1, 2020 to give firms more time to address COVID-19 concerns. The EU Commission is also expected to have papers forthcoming this year on the topic. We do not anticipate a similar release from the U.S. Office of the Comptroller of the Currency (OCC), although operational resilience is among the priorities in its 2020 supervision plan.

What’s Next

Based on the present public guidance and our analysis, we believe the UK supervisory authorities will continue to be the more prescriptive regulators on this topic, and the Fed and the EU aligning with the BCBS in tone and detail. And, while there is certainly agreement on the topic, it will be interesting to see if there are any nuanced differences in how firms are regulated under resilience.

For now, we have compiled a list of key terms and definitions around resilience (Table 1) that have so far been proposed by various regulatory bodies. This is not an exhaustive list of all regulatory proposals on operational resilience, but rather a compilation of the more developed views on this evolving topic. Some are aligned and others are not, but the intent is clear: Resilience is top of mind and not going away.

In Table 2, several high level BCBS principles are compared to relevant excerpts from the UK supervisory authorities’ papers on operational reliance. The themes discussed are consistent with those in the documents.

Protiviti’s financial services industry experts help organizations demonstrate and improve resilience through a robust testing programme, building upon existing business continuity management activities, IT disaster recovery and cybersecurity incident response. We work with and report to executive leaders and the board to address such questions and issues as:

  • Have we formally defined the important functions and services vital to the execution of the business model?
  • Are impact tolerances established and tested?
  • Are “front-to-back” mappings of components of the important functions and services understood and maintained?
  • Is there a structure in place to govern resilience across the enterprise properly?
  • Are extreme but plausible scenarios tested regularly?

Additionally, we partner with organizations to develop their overall operational resilience internal audit plans, incorporate operational resilience into existing audits, and provide assurance over the operational resilience programme.