The post-pandemic era has pushed operational resilience further up the agenda. We assess a maturing approach.
The elevation of ‘operational resilience’ to the top of the regulatory agenda represents the next phase in the evolution of financial services regulatory policy. Post-crisis regulatory reforms such as resolution frameworks and recalibrated prudential requirements have driven efforts to improve clarity around bank structures. This in turn facilitates better governance and risk management oversight – disciplines which themselves have been reformed in some jurisdictions via the introduction of individual accountability regimes.
In a nutshell:
Firms may be concerned that with operational resilience they are facing yet another large scale implementation programme. However, at both the conceptual and the practical level, it is more evolutionary than revolutionary. Firms will need to ‘join the dots’ across a range of existing risk management and governance requirements, including cyber security, data management, business continuity, outsourcing and culture. Operational resilience should not be the kind of policy juggernaut which flattens the business. Rather, firms should be encouraged to view operational resilience concepts as enhancements to day-to-day business management which contributes to long term sustainability.
This “evolution” is arguably more obvious in the approach taken by the US banking agencies [1] and the Basel Committee [2], which are developing principles-based regulation grounded in existing rules and guidance. In contrast, some major financial services jurisdictions, such as the UK and EU, are pursuing more prescriptive regimes aimed at improving both firms’ and sectoral operational resilience. The debate around operational resilience is more mature in the UK and EU, and we expect that, in due course, other jurisdictions may follow a similar, more prescriptive path.
The European Commission adopted the Digital Finance Package (DFP) at the end of September 2020. Taken together with the Retail Payments Strategy published alongside it, the DFP seeks to bolster post-pandemic economic recovery, while maintaining appropriate protections for financial services consumers in a digitalised marketplace. The package should create a more responsible and supportive innovation framework for digital start-ups in the financial sector. As a result of Covid-19, we have seen how quickly businesses and consumers have adapted, including in relation to their willingness to access digital financial services.
One element of the DFP is the Digital Operational Resilience Act (DORA). At the more prescriptive end of the operational resilience spectrum, DORA requires participants in the financial system to have the necessary safeguards in place to mitigate cyber-attacks and other risks around the use of information and communications technology (ICT). DORA also introduces a regulatory oversight framework for critical ICT providers, such as cloud service providers.
The key elements of DORA, which is expected to be published in the Official Journal of the European Union in March 2021 and to come into effect one year later (i.e. March 2022), include:
Governance and organisation
Risk-based approach to operational resilience testing
Management of ICT third-party risks
Information-sharing arrangements on cyber threat information and intelligence
Oversight framework of critical ICT third-party service providers
“The ever-increasing dependency of the financial sector on software and digital processes means that information communication technologies (ICT) risks are inherent in finance.”
“We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.”
Meanwhile, the UK approach to operational resilience has been the subject of extensive consultation by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority. Formal consultation started with a 2018 discussion paper, and indeed hundreds more pages of policy analysis and draft proposals have been generated since then. For the UK regulators, finalising the approach to operational resilience will happen with a post-Brexit rulebook in mind. We single out one particular feature from the UK’s proposals that we believe will prove attractive to other regulators: the requirement to set a maximum tolerable level of disruption to important business services. Failure is assumed, based on severe but plausible scenarios, which will need to be recalibrated after Covid-19. The distinctly uncomfortable requirement to assume failure and set limits on the impact of that failure on service lines should focus the attention of boards both in the contemplation of how to calibrate such limits and how to respond when limits are breached – or perhaps more challenging – nearly breached. Factors to consider in setting limits include things like outage times, customers impacted, services degradation, market impact, or any other measure.
[1] On 30 October 2020, the Federal Reserve (Fed), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued ‘Sound Practices to Strengthen Operational Resilience’. The paper outlines practices to increase operational resilience that are drawn from existing regulations, guidance, statements, and common industry standards. The practices are grounded in effective governance and risk management techniques, consider third-party risks, and include resilient information systems. The paper does not revise the agencies’ existing rules or guidance.
[2] On 6 August 2020, the Basel Committee on Banking Supervision (BCBS) released ‘Principles for Operational Resilience’ for comment. The principles aim to strengthen the ability of banks to withstand operational risk-related events which could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters. The approach builds on updates to the Committee's Principles for the sound management of operational risk, and draws from previously issued principles on corporate governance for banks, as well as outsourcing-, business continuity- and relevant risk management-related guidance.
[3] EIOPA Cloud Outsourcing Guidelines (final report issued in February 2020); ESMA Cloud Outsourcing Guidelines (consultation draft issued in June 2020, the final report will be published in Q1/2021); EBA Outsourcing Guidelines (final report issued in February 2019)
Partner, Head of Financial Services Regulatory, Madrid
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024