In December 2021 the Central Bank of Ireland released Consultation Paper CP140 on Operational Resilience for Financial Institutions.
This guidance paper addresses the preparedness of financial institutions to continue operating through events that may affect their ongoing operations and/or their ability to deliver member services.
“The objective of this guidance is to communicate to industry how to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.”
An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system.
Scope for this Guidance Report:
- Communicate to the boards and senior management of Regulated Financial Service Providers (RFSPs), the Central Bank’s expectations with respect to the design and management of operational resilience.
- Emphasise the boards’ and senior management’s responsibilities when considering operational resilience as part of their risk management and investment decisions; and
- Require that the boards and senior management take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust.
Timeframe: “We expect firms to be actively and promptly addressing operational resilience vulnerabilities and be in a position to evidence actions/plans to apply the guidance at the latest within two years of its being issued.”
Operational Risk Management
Operational risk management is focused on minimising risk through the development of controls that reduce the impact and probability of an operational event occurring. It focuses on building capabilities to deal with risk events when they materialise, rather than purely on building defences to prevent risk events from occurring: the aim is to remain a viable going concern, to absorb shocks rather than contribute to them, and to recover and adapt when disruptions occur.
Operational resilience requires coordination between risk management, business continuity management (BCM), incident management, third party risk management, Information Communication Technology (ICT) and cyber risk and recovery and resolution planning.
- Board ownership of and accountability for the firm’s operational resilience strategy and framework, and the firm’s ability to demonstrate a keen understanding of its critical or important business services. The Central Bank outlined that it analyses evidence that the board is seeking the information required to understand the risk and resilience profile of the firm and to make targeted investment decisions that support ongoing resilience efforts.
- The firm’s understanding of the delivery of its own critical or important business services, the activities, technology, people and third parties that support that delivery, and the criticality of those services to the wider financial system.
- A firm’s ability to determine appropriate impact tolerances for its critical or important business services and that they test their ability to remain within those impact tolerances under severe but plausible scenarios; and
- The firm’s consideration of third parties in its response and recovery processes and that they are aligned and tested for effectiveness.
The Central Bank report states: “A firm should document and update written self-assessments highlighting how the firm meets current operational resilience policy requirements on at least an annual basis. These reviews should cover all aspects of the three pillars of operational resilience, from the identification of critical or important business services through to lessons learned exercises and ensure that no emerging vulnerabilities are overlooked.” (page 28)
The guidance document sets out a three-pillar structure for Operational Resilience.
Pillar 1: Identify and Prepare
Pillar 2: Respond and Adapt
Pillar 3: Recover and Learn
Three Pillars of Operational Resilience
Pillar 1: Identify and Prepare
|Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm.|
- The board and senior management should have accurate and adequate oversight of resilience activity, trends and remediation measures, which allows them to make the business decisions regarding investments and risk exposure.
- The board has responsibility for the approval of the operational resilience framework and approval of the critical or important business services, impact tolerances, business service maps, scenario testing to ascertain the firm’s ability to remain within impact tolerances, and communications plans.
|Guideline 2: The Operational Resilience Framework should be aligned with a firm’s overall Governance and Risk Management Frameworks.|
- Existing governance frameworks and committee structures should include responsibilities with respect to operational resilience.
- A firm should develop a documented Operational Resilience Framework aligned with the Operational Risk and Business Continuity Frameworks.
2 Identification of Critical or Important Business Service
|Guideline 3: The Board reviews and approves the criteria for critical or important business services.|
- A firm should be able to identify its critical or important business services and prioritise them in the event of a disruption.
- The criteria should be reviewed and approved by the board annually or when material changes are implemented.
|Guideline 4: A firm should identify its critical or important business services.|
- Critical or important business services should be identified to enable a firm to clearly determine impact tolerances based on maximum acceptable levels of disruption, perform mapping of the end-to-end delivery of the business service, including any dependence on third parties, and test based on severe but plausible scenarios.
3 Impact Tolerances
|Guideline 5: Impact tolerances should be approved for each critical or important business service.|
- The purpose of an impact tolerance is to determine the maximum acceptable level of disruption to a critical or important business service. Impact tolerances should be set at the point at which disruption to the firm’s business service would pose, or have the potential to pose.
- A board should review and approve impact tolerances at least annually or when a disruption occurs. They are a separate and distinct tolerance measure from the risk appetite statement.
Impact tolerances assume that the risk event has already crystallised and, therefore, the probability element of risk appetite is removed.
Impact tolerances include processes used for Business Impact Analysis (BIA), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs) and Maximum Tolerable Outage (MTO).
|Guideline 6: A firm should develop clear impact tolerance metrics.|
- Impact tolerance metrics need to be clear and measurable, and can be both qualitative and quantitative.
4 Mapping of Interconnections and Interdependencies
|Guideline 7: A firm should understand and map out how its critical or important business services are delivered.|
- A firm will need to understand the chain of activities that contribute to the delivery of each of its critical or important business services, in order to be able to identify any critical or single points of failure, dependencies, or key vulnerabilities.
- A firm should identify, document and map the people, processes, information technology, facilities and third-party service providers required to deliver each of its critical or important business services.
|Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services.|
- Firms’ operating models increasingly rely on third parties for the delivery of key elements of their critical or important business services, which can often result in a firm being dependent on a multitude of resources. If a disruptive event occurs anywhere within this network of interconnected activities, the firm can be impacted, even if the event did not occur within its own systems.
- A firm should undertake due diligence in respect of its outsourced service providers (Progress, NSSL, other) prior to entering into an outsourcing arrangement, to ensure that third-party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances.
5 ICT and Cyber Resilience
|Guideline 9: A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.|
- A firm should ensure that its information and communication technology is robust and resilient and is subject to protection, detection, response and recovery programmes in line with industry best practice.
- The identified systems should be regularly tested as part of IT security, cyber-security and resilience testing, using severe but plausible scenarios, to ensure continuity of critical or important business services during severe disruptions.
6 Scenario Testing
|Guideline 10: A firm should document and test its ability to remain within impact tolerances through severe but plausible scenarios.|
- A firm should identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile, and consider the risks to delivery of the firm’s critical or important business services in those circumstances.
- A firm’s board should review the results of all scenario testing carried out on critical or important business services.
The nature and frequency of testing should be proportionate to firm size and complexity.
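The mapping described under Guidelines 7 and 8 and the scenario testing under Guidelines 5, 6 and 10 are easier to see with a concrete model. The following is an added example, not part of the Central Bank guidance or any firm's actual framework: it represents one constructed critical business service ("payments") as a dependency map in which each element either needs all of its dependencies (a serial dependency) or any one of them (a redundant pair, such as two data centres), finds the resources that are single points of failure, and checks a constructed scenario result against a constructed impact tolerance of 120 minutes. The service map, the node names, the tolerance figure and the scenarios are all assumptions made for illustration.

```python
"""Business-service map with single-point-of-failure detection and an
impact-tolerance check for scenario results.

Added illustration; not part of the Central Bank guidance. The service map,
the tolerance figure and the scenarios are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Node:
    """One element of the delivery chain.

    needs == "all": every dependency must be up (a serial dependency).
    needs == "any": one dependency suffices (a redundant pair, e.g. two sites).
    A node with no dependencies is a resource: a team, facility, system
    or third party.
    """
    needs: str
    deps: Tuple[str, ...] = ()


# Constructed sample map for a critical business service "payments".
SERVICE_MAP: Dict[str, Node] = {
    "payments":        Node("all", ("core_banking", "payment_gateway", "ops_team")),
    "core_banking":    Node("all", ("db_cluster", "app_servers")),
    "payment_gateway": Node("all", ("third_party_psp", "app_servers")),
    "app_servers":     Node("any", ("primary_dc", "secondary_dc")),
    "db_cluster":      Node("any", ("primary_dc", "secondary_dc")),
    "ops_team":        Node("all"),
    "primary_dc":      Node("all"),
    "secondary_dc":    Node("all"),
    "third_party_psp": Node("all"),
}

# Constructed impact tolerance: maximum tolerable outage per service, in minutes.
IMPACT_TOLERANCE_MIN: Dict[str, int] = {"payments": 120}


def available(name: str, failed: Set[str],
              service_map: Dict[str, Node] = SERVICE_MAP) -> bool:
    """True if `name` can still be delivered with the components in `failed` down."""
    if name in failed:
        return False
    node = service_map[name]
    if not node.deps:
        return True
    results = [available(d, failed, service_map) for d in node.deps]
    return all(results) if node.needs == "all" else any(results)


def delivery_chain(service: str,
                   service_map: Dict[str, Node] = SERVICE_MAP) -> Set[str]:
    """Every node reachable from the service: the end-to-end delivery chain."""
    seen: Set[str] = set()
    stack = [service]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(service_map[n].deps)
    return seen


def single_points_of_failure(service: str,
                             service_map: Dict[str, Node] = SERVICE_MAP) -> List[str]:
    """Resources (leaf nodes) whose failure alone makes the service unavailable."""
    resources = [n for n in delivery_chain(service, service_map)
                 if not service_map[n].deps]
    return sorted(r for r in resources if not available(service, {r}, service_map))


def assess_scenario(service: str, failed: Iterable[str], observed_recovery_min: int,
                    tolerance: Dict[str, int] = IMPACT_TOLERANCE_MIN,
                    service_map: Dict[str, Node] = SERVICE_MAP) -> Tuple[bool, bool]:
    """Evaluate one severe-but-plausible scenario against the impact tolerance.

    Returns (disrupted, within_tolerance). A scenario the map absorbs without
    loss of service is trivially within tolerance; otherwise the measured
    recovery time must not exceed the approved maximum.
    """
    disrupted = not available(service, set(failed), service_map)
    within = (not disrupted) or observed_recovery_min <= tolerance[service]
    return disrupted, within


if __name__ == "__main__":
    print("Single points of failure for payments:", single_points_of_failure("payments"))
    for label, failed, recovery in [
        ("loss of primary data centre", {"primary_dc"}, 0),
        ("third-party PSP outage", {"third_party_psp"}, 240),
        ("ops team unavailable", {"ops_team"}, 90),
    ]:
        disrupted, ok = assess_scenario("payments", failed, recovery)
        print(f"{label}: disrupted={disrupted}, within tolerance={ok}")
```

In this constructed map the two data centres back each other up, so losing one is absorbed without disruption, while the outsourced payment service provider and the operations team are single points of failure; the third-party case is exactly the kind of dependency Guideline 8 asks firms to capture. A real map would carry many more nodes and richer attributes (owners, contracts, RTO/RPO per component), but the two questions asked here, which resources break the service on their own and whether a tested scenario stays inside the approved tolerance, are the ones the board is expected to be able to answer.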
Pillar 2: Respond and Adapt
7 Business Continuity Management
|Guideline 11: Business Continuity Management should be fully integrated into the overarching Operational Resilience Framework and linked to a firm’s risk appetite.|
- While BCM focuses on single points of failure, such as individual systems, people or processes, operational resilience goes a step further by determining how these single points of failure have the potential to affect the end-to-end delivery of critical or important business services.
- Key personnel should be identified and have completed the necessary training. Training and awareness programmes should be customised based on specific roles to ensure that staff can effectively execute contingency plans when responding to a disruption.
8 Incident Management
|Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework.|
- Operational resilience requires a firm to have an approach to incidents that covers the full life cycle of an event, from the classification of incidents that trigger approved response procedures, to testing the incident management procedures and reflecting on lessons learned from the occurrence of incidents.
A firm should develop and implement response and recovery plans and procedures to manage incidents that have the potential to disrupt the delivery of critical or important business services.
9 Communication Plans
|Guideline 13: Internal and External Crisis Communication plans should be fully integrated into the overarching Operational Resilience Framework.|
- A communications plan identifies and prepares the key resources and experts that can be leveraged when a disruption occurs.
- Internal and external communication plans and stakeholder maps should be in place so that they can be implemented during a disruption.
Pillar 3: Recover and Learn
10 Lessons Learned Exercise and Continuous Improvement
|Guideline 14: A lesson learned exercise should be conducted after a disruption to a critical or important business service to enhance a firm’s capabilities to adapt and respond to future operational events.|
- A lesson learned exercise should utilise the information gathered as part of the incident management or disaster recovery process.
The exercise should identify the deficiencies that caused a failure in the continuity of service, and these deficiencies should be addressed as a matter of priority. At a minimum, the following should be considered:
- How and why the incident occurred;
- The identified vulnerabilities;
- The impact on the delivery of critical or important business services;
- Whether the risk controls, decisions and recovery processes and communications were appropriate; and
- The speed of recovery and whether the impact tolerances are adequate.
|Guideline 15: A firm should promote an effective culture of learning and continuous improvement as operational resilience evolves.|
- Operational resilience needs to be a fundamental element of any strategic decision taken by a firm. Any changes to strategy or the business model should be considered through a business service lens.