Operational resilience: Pulling the threads together

10 December, 2021

On 1 December 2021, the Central Bank of Ireland (CBI) published its response to the feedback it received on consultation paper CP140, together with its finalised guidelines on Operational Resilience.

All Irish regulated financial service providers (RFSPs) will need to develop an Operational Resilience (OR) Framework and demonstrate that they are applying the new guidelines from 1 December 2023.

The finalised guidelines reflect minimal change from the draft set out in CP140. However, the CBI's feedback statement sets out a number of subtle but nevertheless important changes that firms should be aware of, which we explore below.


What is operational resilience?

The concept of Operational Resilience has shot up the international regulatory agenda over the last few years, with the BCBS issuing principles on Operational Resilience, the UK developing new regulatory requirements and the EU planning its Digital Operational Resilience Act. These initiatives reflect concern that financial service providers are insufficiently prepared to withstand, adapt to and learn from operational disruptions such as cyber-attack, data corruption and loss, or physical damage from fire, flood, terrorism and the like.

The CBI's recent enforcement action against a firm for failing to ensure continuity of service in the event of a significant IT disruption reinforces the consequences for firms should they fail to meet the regulator's expectations.

The CBI's approach emulates that of the UK, adopting amongst other things their definition of Operational Resilience, as: 'the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.'

An Operationally Resilient firm is one that can recover Critical or Important Business Services with minimal impact to customers and the financial system, following a significant disruption.

Two of the critical concepts in the CBI and UK's approach to Operational Resilience are:

  1. No business is immune to disruption. This requires a cultural shift in firms so they broaden their focus from trying to prevent incidents occurring to also ensuring they have the capabilities to respond, recover and learn from inevitable disruptive events.
  2. Operational Resilience is focused on maintaining Critical or Important Business Services. This requires firms to take a different perspective, looking beyond activities as defined in the organisational structure and instead considering those activities a firm conducts which deliver specific outcomes to end users; examples include drawing down a loan or transferring funds between accounts.

The changes to the draft guidelines

  1. Relationship between Operational Resilience, Operational Risk and Business Continuity

    At first glance Operational Resilience might seem to be a rebadging of operational risk and business continuity; indeed, one of the points raised in the feedback was a request for further clarity on the relationship between Operational Resilience and Operational Risk.

    The wording in the finalised guidelines has been amended, so Operational Resilience and Operational Risk should now be enacted through 'aligned frameworks' rather than 'one consistent framework', and the Operational Resilience framework should be 'aligned' with, rather than 'incorporated' into, the Operational Risk and Business Continuity Frameworks.

    This is a subtle but important change. Operational Risk is predominantly focused on minimising the financial impact of operational disruption, but no amount of capital can guard against essential activities being disrupted.

    Business Continuity Planning addresses the failure or interruption of individual systems or processes and therefore does not consider the impact of Critical or Important Business Services being disrupted. These two activities therefore have objectives that are different and distinct from those of Operational Resilience, but their effective implementation is a component that helps achieve the outcome of Operational Resilience.

    Echoing the UK's approach, it is clear that the CBI regards Operational Resilience as an evolution rather than a revolution, building on and adapting existing activities for a different objective.
  2. Role of the Board

    Industry Feedback also questioned whether the Board was the appropriate forum to own and approve components of the Operational Resilience Framework, such as approval of Critical or Important Business Services and Impact Tolerances.

    No changes were made in this area of the guidelines, reinforcing the CBI's expectation that the Board is best positioned to drive the cultural change required to deliver an effective Operational Resilience framework. This emphasis on Board and Senior Management Accountability is another priority for the CBI, which will be driven home by the introduction of the Senior Executive Accountability Regime.

    The Board is also in the best position to take the holistic 'firm wide and customer' perspectives required to determine Critical or Important Business Services.
  3. Critical or Important Business Services Definition

    The feedback also sought further clarity around how to define Critical or Important Business Services, or for examples to be provided. The CBI noted that the guidelines are deliberately non-prescriptive, as each firm has a unique business model and is its own best arbiter of which services are critical or important.

    Moreover, given the evolving nature of regulations and the threat environment, frameworks need to be adaptable, reinforcing the need for at least an annual review and update.

    The final guidelines did amend the wording around the observation that larger firms were likely to have more Critical or Important Business Services. Instead, firms are now expected to consider whether the number of Critical or Important Business Services accurately reflects the size and complexity of the firm. Presumably the implication is that smaller firms with a large number of Critical or Important Business Services will need to invest in resources and capabilities to ensure the Operational Resilience of those services.
  4. Impact Tolerances can be both Quantitative and Qualitative measures

    The guidelines around Impact Tolerances have also been updated. Impact Tolerances are the maximum level of disruption to Critical or Important Business Services and therefore differ from a risk appetite: they assume a particular incident has occurred and focus on the impact to financial stability, the firm's safety and soundness, and customers. Risk appetites, in contrast, are set by reference to the firm's business objectives.

    The guidelines now state that 'impact tolerances determine the maximum acceptable level of disruption' rather than 'quantify'. This change reflects that impact tolerances could cover elements such as specific customer cohorts, geographic regions or quality of service, not simply time-based metrics.

    Echoing the earlier point about the evolution of existing processes and approaches, the guidelines clarify that firms can leverage approaches from Business Impact Analysis (BIA), Recovery Time Objectives (RTOs) and similar disciplines to determine Impact Tolerances.

Conclusion and next steps

Operational Resilience is an outcome determined by the effective alignment and management of the firm's technology, data, people, facilities, suppliers and culture.

The core principles for building an Operational Resilience Framework are set out in the guidelines and provide the framework for firms to follow. However, a key accelerator for firms will be to identify the synergies across existing activities to inform their Operational Resilience framework. Firms should look to pull the threads of operational risk, business continuity planning, stress testing and related activities together to help them weave their Operational Resilience Framework.

To assist in this task firms should be looking at:

  1. Completing an Operational Resilience Maturity Assessment, comparing current activities against the CBI's Three Pillars of Operational Resilience.
  2. Developing an overall roadmap to address gaps identified in the maturity assessment. This should include a governance programme consisting of senior stakeholders overseeing the plan.
  3. Creating or updating a Resilience taxonomy to define and adopt a common resilience language in the context of your organisation to ensure everyone is on the same page.
  4. Communicating the impact of the programme, particularly what a resilient culture that is set up to learn and continuously improve will look like.
  5. Identifying and socialising the benefits of Operational Resilience. By identifying Critical or Important Business Services firms will gain valuable insight about what customers deem to be important and can therefore prioritise resources to support these services.

PwC has extensive experience working with firms across the financial services sector, applying the capabilities required to deliver a successful Operational Resilience Framework, including regulatory SMEs, process management experts, cyber-risk practitioners, data and technology consultants, programme managers and experts in people and change. PwC has also developed approaches and tools that have been used to help firms develop their Operational Resilience Frameworks and test their capabilities.

Contact us

Sinead Ovenden

Partner, PwC Ireland (Republic of)

Andy Banks

Partner, PwC Ireland (Republic of)

Karen Donnelly

Director, PwC Ireland (Republic of)

Daniel Crean

Director, PwC Ireland (Republic of)
