Operational resilience has emerged as a critical area of focus for regulators worldwide. The pace of developments in rules and regulations governing operational resilience is accelerating, driven by the increasing complexity of global financial systems and requirements by regulators to supervise and mitigate risks associated with technological advancements, cyber threats, and unforeseen global events. Operational resilience is now a key regulatory priority for financial services firms in terms of c maintaining financial stability, ensuring customer protection, and facilitating effective risk management. FinregE’s horizon scanning software, powered by its cutting-edge AI Regulatory Intelligence Gatherer (RIG) provides the perfect tool to capture and analyse operational resilience rules and standards being released across the globe, offering firms an invaluable resource to maintain compliance and enhance their resilience strategies efficiently.
In this blog, we will explore the global landscape of operational resilience regulations, as captured by FinregE’s horizon scanning. We will also delve into how FinregE’s RIG can serve as a pivotal tool in navigating this complex regulatory terrain.
Such demonstrably efficient and replicable scanning of the changing regulatory landscape allows executive decision-makers to better champion operational resilience and oversight, identify at a glance crucial business functions and gaps in existing regulatory frameworks, and capture areas needing better business agility.
FinregE's Horizon Scanning software utilizes a comprehensive historical data repository spanning the past decade. This enables users to conduct efficient searches using keywords and filters such that a user query on "operational resilience" can yeild results within seconds, eliminating the need for time-consuming manual research.
Country | Regulator | Rule/Regulation | Summary |
Australia | APRA | APRA prudential standard to strengthen operational resilience | The Australian Prudential Regulation Authority (APRA) prudential standard, CPS 230 Operational Risk Management is aimed at enhancing operational resilience in the banking, insurance, and superannuation sectors. The standard sets out minimum requirements for managing operational risk, including updated provisions for business continuity and service provider management. It emphasizes maintaining effective internal controls, ensuring continuity of critical operations during disruptions, and managing risks associated with service providers |
Global | BIS | The Principles for Operational Resilience (POR), published in 2021, build upon the Basel Committee on Banking Supervision’s Principles for the Sound Management of Operational Risk (PSMOR). The POR aim to enhance operational resilience by effectively managing risks arising from disruptions like pandemics, cyber-attacks, or technology failures. They define operational resilience as a bank’s ability to maintain critical operations despite disruptions, emphasizing the need for identifying, protecting against, responding to, and recovering from such events. The POR outline seven principles covering governance, operational risk management, business continuity planning and testing, mapping interconnections, third-party dependency management, incident management, and information and communication technology (ICT) resilience, providing a comprehensive framework for banks to ensure operational resilience across their organizations. | |
Global | FSB | In a letter to G20 Finance Ministers and Central Bank Governors, FSB Chair Klaas Knot outlined priorities for 2023, citing lingering uncertainties in the global economy due to high debt levels, rising debt service costs, and stretched asset valuations. The FSB will deliver reports on non-bank financial intermediation (NBFI), crypto-assets and DeFi, and cross-border payments at the upcoming G20 meeting. Efforts will focus on addressing vulnerabilities in commodity markets, assessing risks associated with DeFi, and regulating crypto-assets and markets. Additionally, the FSB aims to enhance cyber and operational resilience, manage climate-related financial risks, and promote structural changes in the financial system, emphasizing international cooperation for financial stability. | |
Global | IAIS | The Issues Paper on Insurance Sector Operational Resilience aims to identify and address issues impacting operational resilience in the insurance sector, particularly in light of the lessons learned during the Covid-19 pandemic. It focuses on three specific areas: cyber resilience, IT third-party outsourcing, and business continuity management (BCM). It highlights the importance of sound governance, information sharing, and evolving BCM approaches to meet the challenges of today’s environment. | |
Global | IOSCO | This report highlights the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic. Despite facing unprecedented challenges such as mobility restrictions and extreme market volatility, regulated entities demonstrated significant resilience by continuing to serve clients and support the broader economy. The report emphasizes the importance of operational resilience beyond technological solutions, considering processes, premises, personnel, and interconnectivity. It also underscores the need for updated business continuity plans, effective governance frameworks, and enhanced information security measures to adapt to evolving risks and maintain resilience in the face of future crises. | |
Hong Kong | HKMA | Supervisory Policy Manual (SPM): New module OR-2 on “Operational Resilience” and revised module TM-G-2 on “Business Continuity Planning | The new Supervisory Policy Manual module, OR-2, on “Operational Resilience” and an updated version of module TM-G-2 on “Business Continuity Planning” are designed to align with the Basel Committee on Banking Supervision’s Principles for Operational Resilience, emphasizing the development of a holistic operational resilience framework and enhanced business continuity planning. Authorized Institutions are expected to develop their operational resilience framework by May 2023 and achieve operational resilience by May 2026. |
Japan | JFSA | Discussion Paper on Ensuring Operational Resilience (June 23, 2023) | The Discussion Paper provides a thorough examination of the significance of operational resilience within the financial sector, emphasizing the need for a comprehensive framework to mitigate risks associated with IT system failures, cyberattacks, pandemics, and natural disasters. It outlines the expected roles of financial institutions in identifying critical operations, setting disruption tolerance levels, mapping interconnections, and securing necessary management resources. Furthermore, the paper discusses international principles established by organizations such as the Basel Committee on Banking Supervision (BCBS) and developments by major overseas supervisory authorities, offering valuable insights and guidance for financial institutions and supervisory bodies to navigate the challenges of ensuring operational resilience in a dynamic business environment. |
South Africa | Reserve Bank | The directive outlines principles for operational resilience for banks, controlling companies, and branches of foreign institutions. It emphasizes the need for an enterprise-wide and systematic approach to operational resilience in light of evolving risks and recent events such as natural disasters and cyber-attacks. The directive references the principles outlined by the Basel Committee on Banking Supervision (BCBS) and requires banks to assess the adequacy of their current policies, processes, and practices against these principles. It sets out specific requirements and deadlines for compliance, including assessing operational resilience controls, implementing risk-based approaches, and ensuring alignment with recovery and resolution plans. | |
United Kingdom | BOE/FCA | CP26/23 – Operational resilience: Critical third parties to the UK financial sector | The consultation paper outlines proposed requirements for critical third parties (CTPs) jointly issued by the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA), and Bank of England, aiming to manage risks to the stability of the UK financial system. The document emphasizes international coordination, aligning with global standards, and complementing existing regulatory frameworks for firms and financial market infrastructures (FMIs). Consent to publication is requested for responses, and a cost-benefit analysis suggests potential net benefits to the financial sector. Overall, the proposal seeks to enhance operational resilience while maintaining regulatory accountability and facilitating efficient oversight of CTPs. |
United Kingdom | BOE/FCA | The document focuses on enhancing operational resilience in financial institutions, underscoring the critical need for robust preparation against disruptions. It outlines key steps like identifying essential operations, setting disruption tolerance levels, securing management resources, and continuous resilience testing. The challenges of managing third-party risks and the importance of flexibility in response to environmental shifts to sustain operational resilience are also discussed, highlighting the strategic necessity for financial institutions to remain adaptive and vigilant in a rapidly changing landscape. | |
United States | CFTC | This rule on Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants require that futures commission merchants, swap dealers, and major swap participants establish, document, implement, and maintain an Operational Resilience Framework (ORF) reasonably designed to identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations. The framework would include three components—an information and technology security program, a third-party relationship program, and a business continuity and disaster recovery plan—supported by broad requirements relating to governance, training, testing, and recordkeeping. The proposed rule would also require certain notifications to the Commission and customers or counterparties. The Commission further proposed guidance relating to the management of risks stemming from third-party relationships. | |
United States | FDIC | Federal bank regulatory agencies released a paper on October 30, 2020, detailing sound practices for large banks to enhance operational resilience. The paper, addressing risks like cyberattacks, natural disasters, and pandemics, draws from current regulations and industry standards. It focuses on effective governance, risk management, third-party risks, and robust information systems, specifically targeting domestic banks with assets over $250 billion or those over $100 billion with specific risk characteristics, without altering existing rules or guidance. |
To demonstrate the power of our AI RIG in action, we tasked it with summarizing the following regulatory updates listed below. See the results delivered by AI RIG, showcasing its ability to quickly analyse complex documents in seconds.
Country | Regulator | Regulatory Update | AI RIG Summary |
United Kingdom | BOE | The document is a supervisory statement from the Prudential Regulation Authority (PRA) titled “Operational resilience Impact tolerances for important business services” It provides guidance and expectations for financial institutions on setting impact tolerances for their important business services, mapping these services, testing their ability to deliver within impact tolerances, and addressing any vulnerabilities or risks identified. The document emphasizes the importance of operational resilience in the financial sector, particularly in the face of increasing complexity, reliance on technology and third parties, and international interconnectedness It also highlights the need for boards and senior management to prioritize operational resilience and make necessary improvements to meet the standards set by the PRA | |
United Kingdom | BOE | Policy Statement | PS6/21 Operational resilience: Impact tolerances for important business services | The document discusses the use and approach to the self-assessment for operational resilience in financial institutions. The document mentions that some respondents suggested an iterative approach or splitting the self-assessment document into two parts to avoid it becoming too large. Others suggested using the self-assessment to evidence upcoming activities aimed at building resilience and prioritizing qualitative reporting over quantitative reporting. The document states that the PRA has decided to publish its final policy as consulted upon, and the self-assessment should be used as a tool for firms to understand their operational resilience efforts and plans for remediation. The document also clarifies that there is no prescribed minimum standard for assurance on the self-assessment before board sign-off, but firms should have a reasonable understanding of their work in demonstrating operational resilience. Lastly, there is a request for clarification on when the document would be required by the PRA. |
At FinregE, we specialize in tailoring regulatory compliance solutions to fit our clients’ unique requirements. We understand the challenge of staying current with ever-changing compliance regulations. With our expertise and advanced regulatory management software, you can rest assured that you’ll remain compliant. Reach out to us today to discuss your needs.
