The post-pandemic era has pushed operational resilience further up the agenda. We assess a maturing approach.
The elevation of ‘operational resilience’ to the top of the regulatory agenda represents the next phase in the evolution of financial services regulatory policy. Post-crisis regulatory reforms such as resolution frameworks and recalibrated prudential requirements have driven efforts to improve clarity around bank structures. This in turn facilitates better governance and risk management oversight – disciplines which themselves have been reformed in some jurisdictions via the introduction of individual accountability regimes.
In a nutshell:
Firms may be concerned that with operational resilience they are facing yet another large-scale implementation programme. However, at both the conceptual and the practical level, it is more evolutionary than revolutionary. Firms will need to ‘join the dots’ across a range of existing risk management and governance requirements, including cyber security, data management, business continuity, outsourcing and culture. Operational resilience should not be the kind of policy juggernaut which flattens the business. Rather, firms should be encouraged to view operational resilience concepts as enhancements to day-to-day business management that contribute to long-term sustainability.
This “evolution” is arguably more obvious in the approach taken by the US banking agencies[1] and the Basel Committee[2], which are developing principles-based guidance grounded in existing rules and supervisory expectations. In contrast, some major financial services jurisdictions, such as the UK and EU, are pursuing more prescriptive regimes aimed at improving both firms’ and sectoral operational resilience. The debate around operational resilience is more mature in the UK and EU, and we expect that, in due course, other jurisdictions may follow a similar, more prescriptive path.
The European Commission adopted the Digital Finance Package (DFP) at the end of September 2020. Taken together with the Retail Payments Strategy published alongside it, the DFP seeks to bolster post-pandemic economic recovery, while maintaining appropriate protections for financial services consumers in a digitalised marketplace. The package should create a more responsible and supportive innovation framework for digital start-ups in the financial sector. As a result of Covid-19, we have seen how quickly businesses and consumers have adapted, including in relation to their willingness to access digital financial services.
One element of the DFP is the Digital Operational Resilience Act (DORA). At the more prescriptive end of the operational resilience spectrum, DORA requires participants in the financial system to have the necessary safeguards in place to mitigate cyber-attacks and other risks around the use of information and communications technology (ICT). DORA also introduces a regulatory oversight framework for critical ICT providers, such as cloud service providers.
The key elements of DORA, which at this stage is a Commission proposal still to be agreed by the European Parliament and the Council, and which is expected to be published in the Official Journal of the European Union in March 2021 and to come into effect one year later (ie March 2022), include:
Governance and organisation
- Boards must define, approve, oversee and be accountable for ICT internal governance and risk management frameworks. Boards have the final responsibility for managing the financial entity’s ICT risks and are expected to introduce a suite of policies, procedures, vendor management, audit oversight and information on ICT incidents.
- The ICT risk management framework requires a clear definition of the firm’s digital resilience strategy and the information security objectives.
- Notably, board members are expected to gain and keep up-to-date sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the entities: an explicit requirement other regulators may copy.
Risk-based approach to operational resilience testing
- This includes an expectation for a yearly cycle of testing by independent parties (internal or external), and procedures and policies aimed at prioritising, classifying and remedying all issues identified through testing.
The ever-increasing dependency of the financial sector on software and digital processes means that information and communications technology (ICT) risks are inherent in finance.
Management of ICT third-party risks
- ICT third-party risks are to be managed as an integral component of the ICT risk management framework. Firms must have contractual arrangements in place for the use of ICT services, and DORA contemplates that these arrangements meet the minimum standards necessary to ensure operational resilience. We expect other regulators will be attracted by this approach. It requires the kind of audit and access rights that have become more common in recent years, not least under the Guidelines[3] which the European Supervisory Authorities (ESAs) have put in place for cloud and other types of outsourcing, but which should be far easier to secure with the backing of primary legislation. IOSCO’s current consultation on its outsourcing principles and the Hong Kong Securities and Futures Commission’s Electronic Data Storage Provider Circular both focus in part on regulators’ ability to access regulatory records, either directly from firms or indirectly from third parties such as cloud service providers. Against that background, we note that under DORA a firm must be able to terminate an arrangement where its competent authority can no longer effectively supervise it as a result of that arrangement: a lack of regulatory access becomes a standard-term basis for exit.
- Firms will be required to report, at least yearly, to the competent authorities on their use of ICT services; to maintain a register of all contractual arrangements with ICT third-party service providers and make it available to the competent authority on request; and to inform the competent authority in advance of planned contracting for critical or important functions. All of these requirements may also prove attractive to other regulators.
- The DORA standard terms also require that firms are able to exit contractual arrangements in a safe manner.
Information-sharing arrangements on cyber threat information and intelligence
- The draft Regulation allows firms to exchange cyber threat information and intelligence among themselves through trusted communities, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools. The sharing arrangements must protect the potentially sensitive nature of what is exchanged and respect business confidentiality, data protection rules and competition-policy guidelines; on that basis, these common-sense provisions should also ease concerns that information-sharing might breach competition law.
Oversight framework of critical ICT third-party service providers
- DORA provides for an oversight framework for so-called critical ICT third party services providers where the ESAs play a key role. The ESAs will designate the critical ICT third-party service providers and appoint either the European Banking Authority (EBA), European Securities and Markets Authority (ESMA) or European Insurance and Occupational Pensions Authority (EIOPA) as lead overseer.
- These arrangements link to requirements on financial entities to identify and assess ICT concentration risk among their providers, and to an expectation that they spread, rather than concentrate, their ICT risk.
- Again, we expect other regulators will look to achieve the same regulatory outcomes.
We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.
The UK approach matures
Meanwhile, the UK approach to operational resilience has been the subject of extensive consultation by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority. The process started with a joint discussion paper in 2018, followed by consultation papers in December 2019, and hundreds more pages of policy analysis and draft proposals have been generated since. For the UK regulators, finalising the approach to operational resilience will happen with a post-Brexit rulebook in mind.

We single out one feature of the UK proposals that we believe will prove attractive to other regulators: the requirement to set an impact tolerance, that is, a maximum tolerable level of disruption, for each important business service. Failure is assumed, based on severe but plausible scenarios, which will need to be recalibrated after Covid-19. The distinctly uncomfortable requirement to assume failure and set limits on the impact of that failure on service lines should focus the attention of boards both on how to calibrate such limits and on how to respond when limits are breached, or, perhaps more challenging, nearly breached. Metrics for expressing a tolerance include outage duration, the number of customers affected, the degree of service degradation, market impact, or any other measure appropriate to the service.
[1] On 30 October 2020, the Federal Reserve (Fed), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued ‘Sound Practices to Strengthen Operational Resilience’. The paper outlines practices to increase operational resilience that are drawn from existing regulations, guidance, statements and common industry standards. The practices are grounded in effective governance and risk management techniques, consider third-party risks and include resilient information systems. The paper does not revise the agencies’ existing rules or guidance.
[2] On 6 August 2020, the Basel Committee on Banking Supervision (BCBS) released ‘Principles for Operational Resilience’ for comment. The principles aim to strengthen the ability of banks to withstand operational risk-related events which could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters. The approach builds on updates to the Committee’s Principles for the sound management of operational risk, and draws from previously issued principles on corporate governance for banks, as well as outsourcing-, business continuity- and relevant risk management-related guidance.