12 Jan
Beyond Compliance of Operational Resilience
Operational Resilience is currently one of the key themes of regulation. The COVID crisis has brought a clearer understanding of what Operational Resilience is and why it differs from traditional approaches. The Bank for International Settlements issued its Operational Resilience sound practices paper in February 2021, and it is compliance with those requirements that is discussed throughout this article.
At its simplest, Operational Resilience is about ensuring that an organisation is able to deliver its critical services and functions under stress. This requires continuity of service aligned to what are generally referred to as minimum acceptable service criteria.
There is much confusion as to what this really refers to. Let us start with what it is not:
- it is not only about operational risk, so Operational Resilience does not fall neatly into the operational risk management structure
- it is not only about customers
- it is not just another way of saying business continuity
What Operational Resilience entails – Critical Services
As we have said, it is about ensuring that critical services can be provided under stress. The stress could be caused, for example, by a failure of ICT (information and communications technology). However, in judging whether a service provided is critical, it needs to be judged on its significance to:
- The firm itself
- The market in general
That renders a range of services critical, depending on the role the regulated firm plays within the markets it serves. Some things are clearly and immediately captured. These include payment services generally, including participation in clearing systems. Dealing with other financial counterparties and most aspects of correspondent banking are critical, as are treasury and treasury management.
Deposit taking tends to be critical, since were deposits not received this would impact the liquidity profile of the organisation. Lending is also critical if the absence of the firm from the market would significantly disadvantage potential future customers. Loan repayments are critical since they too could impact liquidity. What this means in practice is that banks will need to continue to provide loans and take deposits during the crisis being considered. Other areas, including trade finance, are clearly critical under these rules. Banks will need to undertake a full and proper assessment of what is and is not critical, based on the series of questions that the BIS has included within the policy document.
Critical Functions and Critical Information
Critical functions are those that are required to ensure that the firm can maintain critical services.
Critical information is the information that is likewise required to achieve this. Recognise that under stress this information still needs to meet the service expectations on all three counts: it must be adequately protected (confidentiality), accurate (integrity) and available when the critical service needs it (availability). A resilience plan that restores a service on degraded or unverified data has not met the obligation.
Under these standards the obligation is to provide the critical service. However, the requirement does not state that it must be provided in an identical way or to an identical service quality. This is where the minimum acceptable service criteria (MASC) need to be addressed for each critical service. They will differ considerably between services: the tolerable interruption under the MASC for areas such as internet banking and correspondent banking will be much shorter than for areas such as branch banking.
The critical functions need to be drawn broadly. They include, for example, finance, since without that function operating the bank could not be certain of complying with minimum capital requirements. Likewise, bank capital management and bank risk management are critical. Data management is critical, as is information security. HR is critical, as is payroll. Legal and compliance are critical, as are operations and all elements of ICT.
As to what is not critical, one area specifically referred to is marketing and another is probably internal audit. All of this needs to be carefully analysed.
Third Party Risks and Operational Resilience
It is important to note that these requirements must be aligned with Third Party Risk Management (TPRM), for which requirements are emerging globally. Here the requirement is that, for critical services and functions, the bank maps both internal and external connectivity, including the movement of data.
The objective is to identify all interdependencies which would impact the ability of the organisation to meet the operational resilience objectives.
This is not straightforward and requires a depth of modelling of activity that most firms have not yet undertaken. It is then necessary to implement Service Level Agreements (SLAs) internally and externally and to monitor them to ensure that the MASC is always maintained. The requirements also demand that the service quality maintained at third parties in respect of operational resilience is consistent with that achieved by the bank itself. To evidence this, independent reviews are recommended. However, the problems associated with this are recognised. In many cases the third party, which may or may not be an Other Systemically Important Institution (OSII) or a domestic equivalent (ODII), may commission a single such report for all of its clients. Again, additional regulation in this area is anticipated.
The complexity of this modelling process should not be underestimated. It needs to cover the whole of the organisation and all critical services. A service that subsequently becomes critical will also need to be modelled and this consideration of interdependencies needs to be embedded throughout the organisation and in decision-making.
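As an added illustration of the dependency mapping described above (this is example code, not part of the original article or the BIS paper), the following toy model records what each critical service, internal function and third party depends on, then answers the two questions a resilience team actually has to answer: which critical services are affected if a given component fails, and can the MASC still be met through a substitute. All service names, MASC hours, substitutes and switchover times are constructed assumptions for illustration.

```python
"""Toy dependency map for operational resilience impact analysis.
Constructed example: every node, MASC value and substitute below is assumed."""
from collections import defaultdict

# Each node lists what it directly depends on. Critical services sit at the top,
# internal functions in the middle, third parties (no dependencies mapped) at the bottom.
DEPENDS_ON = {
    "payments":               {"core_banking", "payment_gateway_vendor", "ict_network"},
    "correspondent_banking":  {"swift_service_bureau", "treasury", "ict_network"},
    "internet_banking":       {"core_banking", "cloud_hosting_vendor", "ict_network"},
    "core_banking":           {"data_centre", "ict_network"},
    "treasury":               {"core_banking"},
    "data_centre":            set(),
    "ict_network":            {"telecoms_vendor"},
    "payment_gateway_vendor": set(),
    "swift_service_bureau":   set(),
    "cloud_hosting_vendor":   set(),
    "telecoms_vendor":        set(),
}

# MASC expressed as the maximum tolerable hours a critical service may run below
# its minimum level. Constructed values.
MASC_HOURS = {"payments": 2, "correspondent_banking": 4, "internet_banking": 24}

# Substitutability: component -> (substitute, hours needed to switch over). Constructed.
SUBSTITUTES = {
    "payment_gateway_vendor": ("backup_gateway_vendor", 1),
    "cloud_hosting_vendor":   ("on_prem_standby", 36),
}


def unmapped_dependencies(depends_on):
    """Dependencies that are referenced but never mapped themselves: gaps in the model."""
    return {d for deps in depends_on.values() for d in deps if d not in depends_on}


def impacted_by(depends_on, failed):
    """Every node that transitively depends on a failed node (failed nodes included)."""
    reverse = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            reverse[dep].add(node)
    seen, stack = set(failed), list(failed)
    while stack:
        for dependant in reverse.get(stack.pop(), ()):
            if dependant not in seen:
                seen.add(dependant)
                stack.append(dependant)
    return seen


def failed_dependencies(depends_on, service, failed):
    """The failed components sitting anywhere below a service in the map."""
    found, seen, stack = set(), set(), list(depends_on.get(service, ()))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in failed:
            found.add(node)
        stack.extend(depends_on.get(node, ()))
    return found


def assess(failed, depends_on=DEPENDS_ON, masc=MASC_HOURS, substitutes=SUBSTITUTES):
    """Return {service: (status, hours_to_restore)} for each critical service.

    status is 'unaffected', 'within_masc' (a substitute restores service inside the
    MASC) or 'breach' (no substitute, or switchover slower than the MASC allows).
    hours_to_restore is None when some failed component has no substitute at all.
    """
    impacted = impacted_by(depends_on, failed)
    result = {}
    for service, limit in masc.items():
        if service not in impacted:
            result[service] = ("unaffected", 0)
            continue
        broken = failed_dependencies(depends_on, service, failed) | ({service} & set(failed))
        hours = 0
        for component in broken:
            if component not in substitutes:
                hours = None          # no plan for this component: MASC cannot be met
                break
            hours = max(hours, substitutes[component][1])  # slowest switchover governs
        result[service] = ("breach" if hours is None or hours > limit else "within_masc", hours)
    return result


if __name__ == "__main__":
    for scenario in ({"payment_gateway_vendor"}, {"cloud_hosting_vendor"}, {"telecoms_vendor"}):
        print(sorted(scenario), assess(scenario))
```

The third scenario is the one worth dwelling on: a single telecoms provider under `ict_network` takes every critical service outside its MASC with no substitute, which is exactly the concentration a mapping exercise exists to surface. The `unmapped_dependencies` check is the cheap hygiene test to run whenever the map changes; anything it returns is a third party or function that was named but never assessed.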
Business Continuity Plans (BCP) and Operational Resilience
As we have said, Operational Resilience is not just another way of saying business continuity or disaster recovery. Existing protocols would often lead to a cessation of activity as a consequence of an event occurring. The firm would try to get staff to a backup site and then reactivate all or part of the bank's activities. That is not what is now required.
For critical services, and for the functions required for their delivery whether internal or external to the organisation, the MASC becomes the guiding principle for acceptability. In many cases the options available within the BCP will not achieve these obligations. New solutions need to be identified, often using the idea of substitutability. This means that the MASC will be delivered through a substitute approach or firm. This needs to be achieved within the MASC at an acceptable cost.
There will of course be areas of the bank's activities that are not considered critical. This could be due to their nature (e.g., marketing) or because there is full substitutability and customers can easily go elsewhere without a significant impact on competition in the market or on the liquidity or capital maintained by the bank. In such cases the existing business continuity plan would still apply to those areas, albeit that many of the functions required to deliver these non-critical services will be critical for other services and are therefore fully captured.
Hence a completely new form of Operational Resilience plan will be required. The service needs to be delivered within the MASC. It will not necessarily be delivered in the same way as previously or by the same people. Consequently, there is still a recovery plan to implement as the critical activity returns to business as usual.
Incident Management and Internal Loss Data
Incidents relevant for operational resilience are not the same as events that are required under the existing operational risk standards to be incorporated into an operational risk database. Operational resilience is all about service quality and the impact that this might have on the bank, its customers or the market. Consequently, a reduction in service would immediately become an incident and would need to be recorded, the cause and consequences identified, and actions taken, as necessary.
This will lead to banks building a completely new suite of risk identifiers to ensure that warning signs are promptly heeded in respect of operational resilience.
Some of these incidents may well also end up in the internal loss database; others will not. A market risk loss directly impacts bank capital and is therefore an incident regardless of whether it is an operational loss or just a market movement. Assets losing liquidity and so impacting the maintenance of high-quality liquid assets would also not appear there, nor would a loss on a major loan concentration. These are all nonetheless operational resilience events, since they could impact the ability of the firm to function. All of this needs to be undertaken in the context of the bank's risk appetite framework and consistent with its continuing to pursue its goals and mission.
Accordingly, it is not just the internal loss data which is recorded here. The incident management database and analysis will become much larger and will include everything that impacts the organisation from project overruns to loan arrears increases.
Do not underestimate the size of this task. It needs clear governance and leadership, although existing first-line reporting structures should be used. Most firms will need to create an Operational Resilience working party, reporting directly to Executive Management or the Board. The project will need to be properly resourced, and these principles will then need to be translated into policies and procedures implemented throughout the business units.
This is a major task and forward-thinking financial institutions will need to commence or expedite their project in early 2022 rather than waiting for a local regulator to provide detailed guidance.
January 10, 2022
CEO, Risk Reward Ltd