What is operational resilience?

Operational resilience in the UK

In the context of the UK, operational resilience refers to the ability of organisations to continue delivering their essential services and functions during and after disruptions. This concept gained prominence with the UK’s regulatory focus on ensuring that firms in the financial sector can withstand and recover from various operational risks, including cyber threats, technology failures, natural disasters, and other unforeseen events.

The regulatory framework for operational resilience in the UK is primarily overseen by regulatory bodies such as the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England. These regulatory bodies have developed guidelines and expectations for financial institutions and other relevant organisations to enhance their operational resilience.

Key components:

  • Business Impact Analysis (BIA): Organisations are required to conduct a thorough assessment of their critical business processes and identify the potential impact of disruptions. This involves understanding dependencies and vulnerabilities, and setting appropriate tolerance levels.
  • Scenario Testing: Firms are encouraged to perform scenario testing to simulate various disruptive events and assess their ability to continue operations. This includes testing response and recovery capabilities.
  • Mapping and Understanding Key Services: Organisations must have a clear understanding of their key services, the systems and processes supporting those services, and the dependencies that exist within their ecosystems.
  • Setting Impact Tolerances: Establishing impact tolerances involves defining the maximum acceptable level of disruption that an organisation is willing to tolerate for its key services. This helps guide resilience efforts and resource allocation.
  • Communication and Notifications: Effective communication strategies, including notification procedures, are crucial elements of operational resilience. Organisations need to have mechanisms in place to communicate with stakeholders, including employees, customers, and regulators, during disruptions.
  • Collaboration and Co-ordination: Operational resilience emphasises the need for collaboration and co-ordination within organisations and across the industry. This includes sharing best practices and lessons learned, and fostering a collective approach to resilience.

Operational resilience is an evolving and dynamic area, and organisations in the UK are expected to adapt their practices to meet regulatory requirements and promote a culture of continuous improvement in managing operational risks. The goal is to ensure the stability and reliability of critical services, even in the face of unexpected challenges.

Operational resilience in the European Union (EU)

Operational resilience within the EU refers to the ability of financial institutions and other relevant entities to prevent, respond to, recover from, and learn from disruptions to their operations. The concept is closely related to ensuring the continuous delivery of critical services and functions, even in the face of unexpected events.

Operational resilience has become a significant focus within the EU financial services sector, and regulatory bodies, such as the European Banking Authority (EBA), are actively involved in shaping guidelines and standards to strengthen the operational resilience of financial institutions. The Digital Operational Resilience Act (DORA) is an EU regulation that creates a binding, comprehensive ICT risk management framework for the EU financial sector. It establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by 17th January 2025.

Key components:

  • Risk Management Requirements: Establishing requirements for financial institutions to identify, assess, and manage operational and cyber risks effectively.
  • Incident reporting: Mandating incident reporting requirements for significant disruptions or cyber incidents affecting financial services, including reporting to regulatory authorities.
  • Business Continuity Planning: Requiring financial institutions to develop and maintain robust business continuity plans to ensure the continuity of critical services during and after disruptions.
  • Outsourcing Oversight: Enhancing oversight of outsourcing arrangements, particularly concerning critical or important functions, to ensure that third-party providers meet adequate operational resilience standards.
  • ICT Security Requirements: Setting minimum cybersecurity and information and communication technology (ICT) security standards for financial institutions to protect against cyber threats and ensure the resilience of digital infrastructure.
  • Testing and Simulation Requirements: Mandating regular testing and simulation of operational resilience and cyber response capabilities to evaluate preparedness and identify areas for improvement.
  • Supervisory Framework: Establishing a supervisory framework to oversee compliance with DORA requirements and enforce measures where necessary.

DORA aims to address the growing challenges and risks associated with digitalisation in the financial sector and strengthen the resilience of financial institutions and the broader financial system. It reflects the EU’s commitment to safeguarding financial stability, protecting consumers, and promoting trust in digital financial services.

Operational resilience in the United States (US)

Financial institutions must have robust measures in place to effectively address cybersecurity risk. This includes utilising industry-recognised risk assessment tools such as the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile. These tools are essential for measuring cybersecurity risk and aligning it with industry standards.

In addition, recent regulations from the three US federal banking regulators now require banks and their key service providers to have comprehensive incident response plans. These plans must include a mechanism to identify and immediately report “material” cybersecurity incidents to regulators. Such incidents include ransomware attacks, malware infections, denial of service (DoS) attacks, and other hacking or similar incidents. Notification is required for any attack or incident that has disrupted, or is reasonably likely to disrupt or degrade, the bank’s ability to operate or deliver products and services, or that impacts business lines vital to the bank’s profits and franchise value. Notice is also explicitly required for any attack or incident that poses a threat to US financial stability.

Key components:

  • Governance: Effective governance ensures that firms operate in a safe and sound manner, comply with applicable laws and regulations, and maintain operational resilience.
  • Operational Risk Management: Identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties.
  • Business Continuity Management: Business continuity plans consider market and enterprise-wide stresses and idiosyncratic risks that can imperil the continuity of a firm’s critical operations and core business lines, or otherwise have a broader impact on the financial system.
  • Third-Party Risk Management: Recognition of third-party risk is vital to operational resilience, especially if outsourcing arrangements involve entities that perform critical operations.
  • Scenario Analysis: Develops, validates, and calibrates a firm’s tolerance for disruption. It may be integrated with disaster recovery and business continuity management for use in assessing operational resilience.
  • Secure and Resilient Information System Management: Appropriate implementation, use, and protection of information systems to identify and detect risks to operational resilience, enhance the firm’s ability to withstand disruptions or failures, and facilitate the flow of information to enable effective decision making during a disruption.
  • Surveillance and Reporting: Ongoing surveillance and reporting of operational risks, and dissemination of that information to the board of directors and relevant stakeholders across the firm.

While the US regulators have not yet implemented a separate operational resilience framework like that of the UK, it’s important to recognise that crucial aspects of the UK framework are addressed within existing US regulations governing business continuity and resolution planning.

March 23, 2024

Written by Marketing Team
