In December 2021 the Central Bank of Ireland released a Consultation Paper, CP140, on Operational Resilience for Financial Institutions.

This guidance paper addresses the preparedness of financial institutions to maintain operations through events that may disrupt their continuing operations and/or their ability to deliver member services.

“The objective of this guidance is to communicate to industry how to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.”

An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system.

Scope for this Guidance Report:

Timeframe: We expect firms to be actively and promptly addressing operational resilience vulnerabilities and to be in a position to evidence actions/plans to apply the guidance, at the latest within two years of its being issued.

Operational Risk Management

Operational risk management is focused on minimising risk through the development of controls that reduce the impact and probability of an operational event occurring. Operational resilience, by contrast, focuses on building capabilities to deal with risk events when they materialise, rather than purely on building defences to prevent risk events from occurring: the firm should remain a viable going concern, absorb shocks rather than contribute to them, and recover and adapt when disruptions occur.

Operational resilience requires coordination between risk management, business continuity management (BCM), incident management, third party risk management, Information Communication Technology (ICT) and cyber risk, and recovery and resolution planning.

The Central Bank expects board ownership of, and accountability for, the firm’s operational resilience strategy and framework, and expects the firm to be able to demonstrate a keen understanding of its critical or important business services. The Central Bank outlined that it analyses evidence that the board is seeking the required information to enable it to understand the risk and resilience profile of the firm and to make targeted investment decisions to support ongoing resilience efforts.

The Central Bank report states: “A firm should document and update written self-assessments highlighting how the firm meets current operational resilience policy requirements on at least an annual basis. These reviews should cover all aspects of the three pillars of operational resilience, from the identification of critical or important business services through to lessons learned exercises and ensure that no emerging vulnerabilities are overlooked.” (page 28)

The guidance document sets out a three-pillar structure for Operational Resilience.

Pillar 1: Identify and Prepare

Pillar 2: Respond and Adapt

Pillar 3: Recover and Learn

Three Pillars of Operational Resilience

Pillar 1: Identify and Prepare

1 Governance

Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm.

Guideline 2: The Operational Resilience Framework should be aligned with a firm’s overall Governance and Risk Management Frameworks.

2 Identification of Critical or Important Business Service

Guideline 3: The Board reviews and approves the criteria for critical or important business services.

Guideline 4: A firm should identify its critical or important business services.

3 Impact Tolerances

Guideline 5: Impact tolerances should be approved for each critical or important business service.

Impact tolerances assume that the risk event has already crystallised and, therefore, the probability element of risk appetite is removed.

Impact tolerances include processes used for Business Impact Analysis (BIA), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs) and Maximum Tolerable Outage (MTO).

Guideline 6: A firm should develop clear impact tolerance metrics.

4 Mapping of Interconnections and Interdependencies

Guideline 7: A firm should understand and map out how its critical or important business services are delivered.

Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services.

5 ICT and Cyber Resilience

Guideline 9: A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.

6 Scenario Testing

Guideline 10: A firm should document and test its ability to remain within impact tolerances through severe but plausible scenarios.

The nature and frequency of testing should be proportionate to firm size and complexity.
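The guidance asks for impact tolerance metrics per critical or important business service (RTO, RPO and MTO above) and for scenario tests that show the firm can stay within those tolerances. The following is an added illustration, not from the Central Bank paper or any firm's tooling, of how the outcome of a scenario test can be checked against an approved impact tolerance. The service names, scenario names, metric values and field names are constructed for the example; the status labels are an assumed convention. It also applies the point made above that an impact tolerance assumes the event has already crystallised, so only the size of the impact is judged, never its likelihood.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ImpactTolerance:
    """Approved impact tolerance metrics for one critical or important business service.
    Field names are an assumption for this example; the guidance prescribes no schema."""
    service: str
    rto_minutes: int  # Recovery Time Objective: planned time to restore the service
    rpo_minutes: int  # Recovery Point Objective: tolerable data loss, expressed as time
    mto_minutes: int  # Maximum Tolerable Outage: the impact tolerance for the service

    def validate(self) -> List[str]:
        """Consistency checks a board reviewer would want before approving the metrics.
        An RTO longer than the MTO means the recovery plan, even when executed as
        designed, cannot keep the service inside its impact tolerance."""
        problems: List[str] = []
        if min(self.rto_minutes, self.rpo_minutes, self.mto_minutes) < 0:
            problems.append(f"{self.service}: metrics must be non-negative")
        if self.rto_minutes > self.mto_minutes:
            problems.append(
                f"{self.service}: RTO {self.rto_minutes}m exceeds MTO {self.mto_minutes}m"
            )
        return problems


@dataclass(frozen=True)
class ScenarioOutcome:
    """Observed result of one severe-but-plausible scenario test."""
    service: str
    scenario: str
    outage_minutes: int     # how long the service was unavailable during the test
    data_loss_minutes: int  # how much data (as a time window) could not be recovered


def assess(outcome: ScenarioOutcome, tolerance: ImpactTolerance) -> Dict[str, object]:
    """Compare one scenario outcome against the service's impact tolerance.

    Only the magnitude of the impact is judged (the event is assumed to have
    crystallised). Status values, an assumed convention for this example:
      'breached'    outage exceeded the MTO, or data loss exceeded the RPO
      'rto_missed'  recovery took longer than planned but stayed within the MTO
      'within'      the service stayed within every metric
    """
    if outcome.service != tolerance.service:
        raise ValueError("outcome and tolerance refer to different services")
    findings: List[str] = []
    if outcome.outage_minutes > tolerance.mto_minutes:
        findings.append(f"outage {outcome.outage_minutes}m exceeds MTO {tolerance.mto_minutes}m")
    if outcome.data_loss_minutes > tolerance.rpo_minutes:
        findings.append(f"data loss {outcome.data_loss_minutes}m exceeds RPO {tolerance.rpo_minutes}m")
    status = "breached" if findings else "within"
    if not findings and outcome.outage_minutes > tolerance.rto_minutes:
        # Still inside the impact tolerance, but the recovery plan missed its own target.
        status = "rto_missed"
        findings.append(f"outage {outcome.outage_minutes}m exceeds RTO {tolerance.rto_minutes}m")
    return {"service": outcome.service, "scenario": outcome.scenario,
            "status": status, "findings": findings}


def assess_all(outcomes: List[ScenarioOutcome],
               tolerances: List[ImpactTolerance]) -> List[Dict[str, object]]:
    """Assess every outcome. A tested service with no approved tolerance is reported
    explicitly rather than skipped, because Guideline 5 expects one per service."""
    by_service = {t.service: t for t in tolerances}
    results: List[Dict[str, object]] = []
    for o in outcomes:
        if o.service not in by_service:
            results.append({"service": o.service, "scenario": o.scenario,
                            "status": "no_tolerance",
                            "findings": ["no approved impact tolerance for this service"]})
        else:
            results.append(assess(o, by_service[o.service]))
    return results


# Constructed sample data: two approved tolerances (one internally inconsistent)
# and four scenario test outcomes, one for a service that has no tolerance yet.
TOLERANCES = [
    ImpactTolerance("Payments", rto_minutes=60, rpo_minutes=15, mto_minutes=240),
    ImpactTolerance("Member Portal", rto_minutes=480, rpo_minutes=60, mto_minutes=240),
]
OUTCOMES = [
    ScenarioOutcome("Payments", "Loss of primary data centre", 90, 10),
    ScenarioOutcome("Payments", "Cyber incident on core banking platform", 300, 120),
    ScenarioOutcome("Payments", "Key third-party provider outage", 30, 0),
    ScenarioOutcome("Card Issuing", "Loss of primary data centre", 45, 5),
]

if __name__ == "__main__":
    for t in TOLERANCES:
        for problem in t.validate():
            print("tolerance problem:", problem)
    for r in assess_all(OUTCOMES, TOLERANCES):
        print(f"{r['service']:<14} {r['scenario']:<42} {r['status']:<13} {'; '.join(r['findings'])}")
```

Run as a script it prints one line per scenario; the "rto_missed" case is the one worth a board's attention, since the service stayed within its impact tolerance only because the MTO left headroom above a recovery plan that did not meet its own objective.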

Pillar 2: Respond and Adapt

7 Business Continuity Management

Guideline 11: Business Continuity Management should be fully integrated into the overarching Operational Resilience Framework and linked to a firm’s risk appetite.

8 Incident Management

Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework.

A firm should develop and implement response and recovery plans and procedures to manage incidents that have the potential to disrupt the delivery of critical or important business services.

9 Communication Plans

Guideline 13: Internal and External Crisis Communication plans should be fully integrated into the overarching Operational Resilience Framework.

Pillar 3: Recover and Learn

10 Lessons Learned Exercise and Continuous Improvement

Guideline 14: A lesson learned exercise should be conducted after a disruption to a critical or important business service to enhance a firm’s capabilities to adapt and respond to future operational events.

The lessons learned exercise should identify deficiencies that caused a failure in the continuity of service, and these deficiencies should be addressed as a matter of priority. Specifically, at a minimum, the following should be considered:

Guideline 15: A firm should promote an effective culture of learning and continuous improvement as operational resilience evolves.