
Making Resilience Core to Your Operational Risk Strategy - A Guide for Chief Risk Officers 


Introduction

Banks and financial institutions are on the cusp of a new operational risk paradigm. Technological breakthroughs, new business models, changing customer expectations, macroeconomic conditions, geopolitical developments, and evolving risks and regulations have brought a tectonic shift in the way banks and financial services organizations operate – particularly in the post-COVID-19 era. 

The recent upheaval in the banking industry has underscored the urgent need to modernize the approach to operational risk management (ORM). While the main reason for the closure of a US bank might have been its liquidity risk or its portfolio concentration risk, a closer look reveals that effective operational controls would have helped to proactively identify and mitigate those risks. 

How can chief risk officers (CROs) and risk managers rethink ORM to ensure its relevance and effectiveness? How can they revise their approach to best tackle competing risks and priorities? How can they improve organizational preparedness and resilience for what’s next? 

Before we explore that, let’s look at how the scope of ORM itself is evolving.

Making Resilience Integral to Operational Risk Management

ORM is not a new concept. It emerged as a formal discipline in the early 2000s when the Basel Committee on Banking Supervision (BCBS) published the Sound Practices for the Management and Supervision of Operational Risk. Over the course of the past two decades, ORM has steadily gained importance as a conventional practice with financial institutions actively identifying and managing operational risks. 

Traditionally, ORM involved the process of identifying and assessing risks, defining risk mitigation and remediation strategies, implementing controls, and reporting to the top management and the board. However, with the evolving business environment and fast-moving risks, banks and financial services organizations today are expected to not only manage risks but also ensure operational resilience. 

Operational resilience is the ability of an organization to protect and sustain critical business capabilities when faced with major operational disruptions. It requires going beyond risk management and business continuity and building the ability not just to prevent and mitigate risks, but to respond to and recover from risk events, and to learn from them. Focus on risk preparedness and business continuity is growing, from both regulators’ and organizations’ perspectives. From a practical standpoint, CROs need not undertake a radically different strategy - they can build upon the traditional ORM approach: 

  • Identify critical functions, tools, and operations 
  • Record risks related to critical services and set impact tolerances 
  • Identify, assess, and prioritize risks 
  • Define risk mitigation and remediation strategies 
  • Implement controls and assess their effectiveness 
  • Define resilient business continuity programs and response strategies 
  • Set operational risk capital requirements as required by relevant regulations 
  • Continuously assess the effectiveness of the entire program

The Regulatory Perspective

We’ve come a long way since the financial crisis of 2008. The COVID-19 pandemic and the most recent banking crisis served as real-world tests of the risk management programs and operational capabilities of the banking and financial services industry. The post-2008 regulatory efforts have helped the sector establish necessary controls to effectively mitigate risks and stop them from becoming systemic. But there’s still room for more. 

From the regulatory standpoint, the line between operational risk and resilience appears to be blurring. Some of the notable developments include the EU’s Digital Operational Resilience Act (DORA), UK BoE/FCA/PRA Discussion Paper “Operational resilience: Critical third parties to the UK financial sector”, Australia’s new prudential standard aimed at managing operational risks and responding to business disruptions, Hong Kong’s Supervisory Policy Manual (SPM) module on Operational Resilience, among others. 

In an interagency paper titled “Sound Practices to Strengthen Operational Resilience,” U.S. financial regulatory authorities, including the Board of Governors of the Federal Reserve System, the OCC, and the FDIC, describe operational resilience as an “outcome” of an effective ORM program: 

“Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.” 

In its “Principles for Operational Resilience,” the BCBS has organized the principles in seven categories – governance, operational risk management, business continuity planning and testing, mapping of interconnections and interdependencies of critical operations, third-party dependency management, incident management, and resilient information and communication technology (ICT), including cyber security.

Modernizing the ORM Approach

Today, CROs are not only tasked with risk management activities in the traditional sense but are also expected to stay abreast of market trends, industry best practices, and regulatory developments, and to align their risk and resilience strategy accordingly. It’s time for CROs to rethink their operational risk management program so that it is agile, forward-looking, and resilient. 

Here are the key considerations for modernizing the ORM approach: 

  • Going Beyond the Traditional Risk Types

It's important to go beyond the traditional risk types to include more relevant, recent, and emerging risks, such as economic uncertainty, digital risks, human-factor risks, environmental risks, geopolitical instability, and liquidity crises, among others. Equally important is to understand the interconnectedness among these risks to ensure a holistic and all-encompassing approach. 

  • Using Predictive Analytics 

CROs today can leverage artificial intelligence, machine learning, and advanced analytics for predictive risk intelligence. The data-driven insights can help to quickly identify trends, patterns, and correlations, enabling organizations to effectively mitigate risks and reduce operational losses. 

  • Leveraging Risk Quantification 

Risk quantification, i.e., expressing risk in monetary terms, helps assess risk exposure and impact, enabling risk teams to prioritize risks for appropriate mitigation and remediation strategies. It also enables CROs to communicate the risk posture effectively to executive management and the board. 

  • Creating and Maintaining an Incident Response Playbook 

It is also advisable to maintain a playbook that details the response strategy for different risk scenarios. When faced with a high-velocity risk event, having pre-defined roles and responsibilities and knowing the corrective action and how to respond can go a long way toward improving organizational readiness and reducing the severity of impact. 

  • Implementing Technology-Based Solutions 

Today’s fast-moving risks warrant an agile risk and resilience strategy. Technology-based software solutions can support CROs in driving such a program by automating and integrating risk management processes, transforming risk reporting with advanced risk analytics, incorporating autonomous assessments based on asset value and business impact, and providing actionable insights in a timely manner. These tools also help create bandwidth for risk teams to focus on more critical tasks.

Achieving Resilience with Operational Risk Management from MetricStream

Managing operational risks needs to be in line with today’s dynamic risk, regulatory, and economic environment, technological advancements, and an organization’s strategic business goals and objectives. An agile and holistic operational risk and resilience strategy requires time, investment, management’s attention, and continuous monitoring. But when done properly, it can turn an adverse situation into a strategic advantage for the organization, enabling it to drive business value. 

The MetricStream Operational Resilience solution is purpose-built to support CROs in their efforts to effectively manage operational risks and prepare for potential disruptions. It helps organizations meet complex business needs by automating workflows, driving integration and collaboration, and enabling real-time reporting. By embedding risk management best practices into business continuity planning, it helps boost organizational readiness and resilience. 

Request a personalized MetricStream Operational Resilience solution demo to learn how it can help your organization.

FAQs

The five components of operational resilience are:
  • Identifying critical business services, systems, and operations
  • Defining impact tolerances
  • Conducting risk and control self-assessments (RCSA) both qualitatively and quantitatively
  • Defining and assessing business continuity plans
  • Continuous monitoring of risk, control, and resilience programs

The main aim of operational resilience is to ensure an organization has the ability to prevent, withstand, respond to, and recover quickly from high-impact risk events. The key focus is ensuring the continued operation of critical business functions during a crisis and resuming business as usual as soon as possible.

Metrics such as Recovery Time Objective (RTO), Recovery Point Objective (RPO), downtime, incident frequency, incident response time, and Mean Time to Recover (MTTR), among others, help measure an organization’s operational resilience. Other key considerations include ensuring that risk exposure is aligned with risk impact tolerance levels and that business impact analysis (BIA) results are well within the limits set by the business continuity plan.
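As an added example (not from the original post, and not MetricStream’s product), the metrics the FAQ names are computed below from a constructed incident log, and each outage is checked against an assumed impact tolerance for its important business service; the service names, timestamps, tolerances and observation window are all constructed.

```python
"""Resilience metrics from an incident log (added illustration).

Computes downtime, incident frequency and MTTR per important business
service and flags outages that exceeded the service's impact tolerance.
Every record, service name and tolerance below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    service: str          # important business service affected
    started: datetime     # disruption start
    recovered: datetime   # service restored

    @property
    def downtime(self) -> timedelta:
        return self.recovered - self.started


# Constructed sample incident log (assumed, not real data).
INCIDENTS = [
    Incident("payments", datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 10, 30)),
    Incident("payments", datetime(2024, 2, 3, 14, 0), datetime(2024, 2, 3, 17, 0)),
    Incident("payments", datetime(2024, 3, 15, 8, 0), datetime(2024, 3, 15, 8, 30)),
    Incident("online_banking", datetime(2024, 1, 20, 22, 0), datetime(2024, 1, 21, 1, 0)),
    Incident("online_banking", datetime(2024, 2, 28, 6, 0), datetime(2024, 2, 28, 11, 0)),
]

# Constructed impact tolerances: the longest outage each service may sustain
# before the disruption is judged intolerable.
IMPACT_TOLERANCES = {
    "payments": timedelta(hours=2),
    "online_banking": timedelta(hours=4),
}

OBSERVATION_DAYS = 90  # constructed reporting window (Jan-Mar 2024)


def resilience_metrics(incidents, observation_days):
    """Per-service metrics: incident count, incidents per 30 days, and
    MTTR, longest outage and total downtime in minutes."""
    by_service = {}
    for inc in incidents:
        by_service.setdefault(inc.service, []).append(inc)
    metrics = {}
    for service, incs in by_service.items():
        minutes = [inc.downtime.total_seconds() / 60 for inc in incs]
        metrics[service] = {
            "incidents": len(incs),
            "incidents_per_30d": len(incs) * 30 / observation_days,
            "mttr_min": mean(minutes),
            "max_downtime_min": max(minutes),
            "total_downtime_min": sum(minutes),
        }
    return metrics


def tolerance_breaches(incidents, tolerances):
    """Return (breaches, untracked): incidents whose outage exceeded the
    service's impact tolerance, plus services that have no tolerance set,
    which is itself a gap in the resilience program."""
    breaches = []
    untracked = set()
    for inc in incidents:
        tol = tolerances.get(inc.service)
        if tol is None:
            untracked.add(inc.service)
        elif inc.downtime > tol:
            breaches.append((inc.service, inc.started.isoformat(),
                             inc.downtime.total_seconds() / 60))
    return breaches, sorted(untracked)


if __name__ == "__main__":
    for svc, m in resilience_metrics(INCIDENTS, OBSERVATION_DAYS).items():
        print(svc, m)
    print(tolerance_breaches(INCIDENTS, IMPACT_TOLERANCES))
```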

To learn more about Operational Risk Management and Resilience, check out the Ultimate Guide on ORM.


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.


Top 5 Factors Driving the Need for a Future-Ready Operational Risk Management Strategy


Introduction

In today's increasingly volatile business landscape, operational risk has emerged as a critical concern within the banking and financial services sector. Operational risk encompasses the potential for financial losses due to errors, breaches, disruptions, or damages. Whether caused intentionally or accidentally by individuals, internal processes, systems, or external events, and ranging from asset misappropriation and control failure to system breaches, product failure, and natural disasters, operational risk incidents can result in substantial losses. According to the Banking Operational Risk Loss Data Report 2022, published by ORX, the global banking database, an average of more than 65,000 loss events occurred from 2016 to 2021, resulting in losses totaling close to $600 billion over the six-year period. Direct financial losses are only part of the impact, as operational risk incidents can inflict enduring damage on an organization's reputation, trigger heightened regulatory scrutiny, and introduce a host of other complexities. 

So, what’s driving an urgent need for businesses to cultivate a future-ready operational risk management strategy? In this blog, let’s explore the top five challenges that have increased the complexity of operational risk management (ORM).

  • A Post-Pandemic Regulatory Emphasis on Operational Risk 

    Since the COVID-19 pandemic, there has been an increased regulatory focus on operational risk, especially from an operational resilience perspective. Whether it’s the Operational Resilience guidelines by the Bank of England, the Digital Operational Resilience Act (DORA) for the EU financial sector, the soon-to-be-finalized Australian Prudential Regulation Authority’s (APRA’s) Prudential Standard CPS 230 for Operational Risk Management, or the US Federal Reserve’s joint paper on sound practices to strengthen operational resilience – the regulatory discussion around resilience, what it means, and how to manage it is constantly evolving. Building operational resilience needs to be aligned with strong operational risk management practices, and banks and financial organizations will need to pivot their strategic initiatives to focus on how their ORM strategy can better support firm-wide resilience. 

  • New Risks Introduced by Digitization, Ease of Doing Business, and a Global Customer Base 

    Banks are reinventing themselves using digitization and automation to drive digital change, streamline their operations, and provide enhanced customer journeys to a global customer base. This has created new growth opportunities as well as new risks. For example, partnerships with fintechs, while creating a competitive differentiator in customer experience, can introduce new cyber risks and new single points of failure. Similarly, the application of machine learning and artificial intelligence in banking operations will need to be assessed for decision bias, ethical use of customer data, and similar scenarios. With most banks adopting cloud architectures, emerging risks associated with third-party dependencies, regulatory compliance, and data sovereignty need to be monitored and mitigated.

    Additionally, cryptocurrencies and quantum computing are also creating new risks for banks and financial institutions. 

  • Unstructured Data Hampering Accurate Visibility into Risk Exposures 

    Harmonized data structures are the foundation of effective operational risk management. However, over the years, organizations have accumulated a large amount of unstructured, inconsistent data without a uniform approach to data management, a problem often compounded by global operations and diverse products and services. There is an urgent need to curate and harmonize this data and convert it into insights that support the right decision at the right time. Centralized risk libraries, with a common taxonomy that defines business objectives, processes, products, risks, and controls and maps the relationships across these data elements, are a vital first step. Unlike other financial risk types (credit risk, for example), operational risk requires a universal language that is understood and accepted by the risk practitioners in an organization. 

    Read more on how AI Knowledge Graphs can shed light on the intricate relationships between a multitude of entries, helping fortify risk management practices in GRC.

  • Challenges in Determining Capital Adequacy, Risk Appetite, and Impact Tolerances  

    One of the primary values of a well-integrated ORM strategy is to assist in evaluating the adequacy of capital in relation to the bank’s overall risk profile. The Basel II revised capital framework included three distinct methodologies to calculate the operational risk capital charge: the basic indicator approach, the standardized approach, and the advanced measurement approach (AMA). The most recent Basel Accord replaces all three Basel II methodologies for operational risk with a new standardized measurement approach (SMA). However, operational risk practitioners still find it challenging to determine not just capital adequacy but risk appetite and impact tolerances as well. While the industry has widely accepted universal methods to calculate other risk types, like credit risk, for example, most traditional approaches are able to provide only a partial view of the operational risk landscape.

  • Lack of Real-Time Visibility at Each Level, Along with Limited Participation from the Frontline 

    A lack of real-time visibility at each level, coupled with limited participation from the frontline, presents a multifaceted challenge to operational risk management. Without real-time visibility, managing operational risks becomes a reactive process. Risks may go unnoticed until they escalate into more significant issues or turn into an incident. Such a reactive stance can lead to increased losses, compliance fines, and reputational damage. Limited participation from the frontline results in those closest to the day-to-day operations not actively contributing to risk assessment. Frontline employees often possess critical insights into operational vulnerabilities. Their absence from the risk management process can result in incomplete risk assessments. Organizations need a positive risk culture and user-friendly tools to encourage the frontline to take a proactive approach toward risk management.

Power Your ORM Strategy with MetricStream

To address these factors and ensure resilience in the face of uncertainty, organizations need operational risk management strategies that are adaptable, forward-looking, and integrated across all levels of the business. Establishing an ORM architecture that includes organizational culture, governance, strategy, and execution and reporting processes is a vital first step. In addition, an effective ORM tool can help drive risk-intelligent, real-time business decisions to accelerate business performance and reduce losses. 

With MetricStream’s Operational Risk Management software, your organization is empowered with: 

Interested to learn more? Request a demo now. 


Sumith Sagar Associate Director, Product Marketing



Top Enterprise Priorities: Being Resilient by Design and Aligning to Regulations Like DORA


Introduction

Resilience is a term that gets a lot of airtime today. In the week leading up to my recent travel, I was avidly watching the flight cancellations, hoping there would be no impact on my travel plans. I’d also seen photos of security lines outside the doors to the airport. I was lucky enough to make it to the airport with the flight still scheduled! But as I arrived at the airport, I noticed the flurry of people at the bag drop. Now, we’re talking super early in the morning, before workers had even manned the desks. It was chaos. I spoke to one man who had missed his connecting flight and looked destined to miss his next one. This was all because he was unable to talk to a human to get his boarding pass reprinted. When things don’t quite go to plan, you hope that the processes organizations put in place can support you, or in this case, get you on a flight.

The sheer number of flight disruptions, airspace closures, and even train cancellations due to strikes shows how increasingly common parts of everyday life (like traveling to work) and the exciting plans we make (like travel) can be impacted when things don’t quite go to plan. Resilience is tested when operations are disrupted, leaving consumers to wait eagerly for business as usual.

Travel ramblings aside – the above examples demonstrate the interconnected impacts of digital and physical risks and the knock-on effect felt by various parts of the business and by consumers.

But that’s not all! Organizations need to deal with more than ‘bouncing back’ for their customers. They also need to effectively manage the increasing regulatory pressures, frequent cyber risks, and climate catastrophes. Additionally, they need to show that they can continue business as usual, effectively combat issues surrounding the supply chain, and protect customer data when migrating customers to the cloud, or even simply storing customer data in the cloud!

Prioritizing Operational Resilience as Part of the Organizational DNA Has Never Been More Important

Organizations that are proactive and prioritize the tracking and management of risks are ahead of the curve. Resilience embedded in controls as part of core business functions and business DNA enables a greater chance for success – and continuous improvement.

If resilience is not prioritized, core business functions may become vulnerable during cyberattacks, geo-political events, human intervention, and even pandemics. Building resilience with real-time visibility into processes and critical assets enables better preparedness for an enterprise-wide plan and response. Firms that successfully prioritize resilience are shifting their mindset away from the conventional and myopic business continuity/disaster recovery model to being “resilient by design.”

The Digital Operational Resilience Act Will Foster a Strategic Effort to Improve Operational Resilience

Early in May 2022, the European Council announced in a Press Release that they had reached an agreement with the European Parliament on the Digital Operational Resilience Act (DORA). The main purpose of DORA is to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyberattacks and other risks.

DORA sets consistent requirements for the financial sector and for critical third parties that provide ICT services such as cloud platforms or data analytics. More importantly, DORA provides a framework for digital operational resilience that requires all firms to be able to withstand, respond to, and recover from all types of ICT-related disruptions and threats. The requirements are consistent across all EU member states, with the aim of preventing and mitigating cyber threats. DORA, when formally adopted, will serve to foster a strategic effort to effectively improve operational resilience.

The provisional agreement is now subject to approval by the Council and the European Parliament before the formal adoption procedure. Once formally adopted it will be passed into law by each EU member state.

Streamline Processes and Build Resilience with MetricStream

It doesn’t matter where you are in your resilience journey, at MetricStream we have you covered with:

  • Real-time aggregated view of risks and compliance status
  • Quantifiable risks to prioritize risk treatment plans and investments
  • Advanced AI-enabled automation and continuous monitoring capabilities
  • Federated data model to bind together your core GRC libraries
  • Secure private cloud architecture

Learn more about MetricStream Operational Resilience Solution. Request a demo now.

Check out more resources on how you can build operational resilience with MetricStream:

Prepare for What’s Next with Operational Resilience

Operational Resilience - A Marathon, not a Sprint

Operational Resilience: 5 Things You Can do to Become Ready for What’s Next


Operational Resilience: First Stage Complete – Looking to What’s Next


Introduction

When I started to write this blog, my first thoughts were on the changing regulatory landscape and how it continues to evolve. I felt that the words I was writing echoed a lot of the things we were reading. I’m here to tell you that, no matter how predictable my words are, I can concur that that statement is 100% true. Even as someone in the industry, it is still amazing what you come across in your day-to-day life that validates it.

This was my sentiment when I found out about the proposed Financial Services and Markets Bill in the Queen’s speech 2022. While it’s not entirely surprising that the UK may have an equivalent to the Digital Operational Resilience Act (DORA), this comes just as firms were required to outline operational resilience steps. This also revokes the EU law and provides a regulation that is specifically designed for the UK.

The purpose of the new legislation is to allow companies to take advantage of ‘the opportunities of innovative technologies in financial services, including supporting the safe adoption of cryptocurrencies and resilient outsourcing to technology providers’. True management of operational risks and resilience requires more than just a tick-box exercise.

Anyway…back to what we do know and what’s changed. A few months back, on March 31st, we saw the first hurdle for Operational Resilience come and go—regulated firms needed to identify their important business services and set appropriate impact tolerances. The next deadline, in 2025, will require firms to prove they can comply with their impact tolerances and to continue testing these to ensure sustained compliance. Put simply, operational resilience is the ability of a company to bounce back from disruptions and continue to serve customers, supply products and services, and protect its workforce.

The 2025 deadline for the FCA operational resilience framework applies to all banks, building societies, PRA-designated investment firms, insurers, recognised investment exchanges, enhanced scope SM&CR firms, and entities that are authorised and registered under the Payment Services. Organizations in the above categories should now have an operational resilience strategy in place.

Are Risk Management and Operational Resilience the Same Thing?

Organizations can have a certain level of preparedness around cyber-attacks, system failures, and other vulnerabilities. Risk management has some element of predictability: data and other sources can help us understand exactly what exposures we have and where the weaknesses in our processes lie. Operational resilience, by contrast, requires organizations to expect disruption to third-party supply chains and other processes. This is where mapping and understanding your risk beyond your immediate organization is so important.

Why is it Important?

There will always be an element of unpredictability with risk – however, organizations can be better prepared for disruption from catastrophic events such as fires, storms, pandemics, network outages, and network disruptions. But you can’t predict exactly when an item of hardware will develop a fault the manufacturer was not aware of, exactly when a cyber-attack will occur, or when some event will cause a power outage across your entire office.

Download Infographic: Operational Resilience: 5 Things You Can do to Become Ready for What’s Next

Read the Article: Prepare for What’s Next with Operational Resilience

True Risk Quantification Will Play a Major Role

The current risk environment includes elevated cyber threats, geopolitical uncertainties, supply chain disruptions and sustainability challenges. As organizations continue to adjust to the new ways of doing business, adopting a connected and holistic approach to governance, risk, and compliance (GRC) has become mission critical. These form strong pillars for operational resilience and provide true understanding of your organization's risk management strategy.

I’m sure we can all agree that outdated software applications that don’t speak the same language, and point solutions for GRC processes, only create more work when trying to understand 1. what data you’re looking at, 2. what it means, and 3. how to improve or solve the problem.

When working with a siloed approach there is a direct impact on risk visibility and foresight. From what we’ve been hearing from our customers, qualitative risk assessments, such as red, yellow, green heatmaps, also fall short of meeting stakeholder expectations. There’s a need to have all data points brought together in a unified way that can provide decision makers with the tools they need in real-time to drive organisational efficiencies as well as manage their overall operational resilience.

Stay Prepared for What’s Next

Built as an intelligent and interconnected GRC solution, MetricStream’s ConnectedGRC products—BusinessGRC, CyberGRC, and ESGRC—empower organizations to take a proactive approach to risk management. This enables them to build and strengthen operational resilience by:

  • Quantifying risk in monetary terms
  • Continuously monitoring controls to check their effectiveness
  • Aggregating cyber risk at the enterprise level
  • Performing financial risk assessments of third parties using Dun & Bradstreet (D&B) content
  • Leveraging the TCFD framework to disclose climate-related financial risks, and more

Build your organisation-wide strategy for operational resilience with MetricStream

Interested in knowing how we can help you specifically? Contact us for a custom demo.

Learn more on how you can advance on your GRC journey with MetricStream. Explore Danube—our latest software release.


Key Risk Trends for Banks and Financial Institutions. OCC’s Fall 2021 Semiannual Risk Perspective Highlights Elevated Operational Risk and Heightened Compliance Risk


Introduction

The National Risk Committee (NRC) of the Office of the Comptroller of the Currency (OCC) monitors the condition of the U.S. federal banking system, identifies key risks facing banks, and highlights those risks that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations.

The latest edition of its guidance – the Fall 2021 Semiannual Risk Perspective – highlights four key risk areas, including elevated operational risk, heightened compliance risk, and the risks associated with climate change.

Elevated Operational Risk from Increasing Cyberattacks and the Extended Enterprise

The OCC has observed that “operational risk remains elevated as cyber attacks evolve, (and) become more sophisticated.” The OCC categorizes the main reasons for the ‘elevated’ status as the increase in ransomware attacks in the financial industry, known and unknown software vulnerabilities, expansion of remote financial services, and the increasing reliance on third-party providers for services such as cloud-based environments.

With the pandemic, the banking industry has experienced a lot of change, including the adoption of new technology to quickly respond to customer and organizational needs. Third parties stepped in to play a vital role in bridging the gap where banks and financial institutions often lacked the expertise or technology needed to introduce new products or services. This has resulted in an increase in the onboarding of third parties to take over or assist in such functions.

Taking this growth of third parties into account, the OCC notes that “Supply chain risk continues to increase and evolve as attacks target vulnerabilities in software systems commonly used by large numbers of OCC supervised banks,” and that “Threat actors are increasingly exploiting vulnerabilities in third-party hardware and software systems to conduct malicious cyber activities.”

To manage and mitigate cyber risks, the OCC recommends the following measures for banks and financial institutions:

  • Adoption of robust threat and vulnerability monitoring processes
  • Implementation of stringent and adaptive security measures, such as multi-factor authentication or equivalent controls, to authenticate access to sensitive systems
  • Proper configuration of network systems, along with effective patch management processes
  • Backup and storage of critical systems and records in immutable formats that are isolated from ransomware and other destructive malware attacks
  • Building a comprehensive approach to operational resilience, which stresses the importance of banks assessing the risks from their third parties, including the supply chain

Heightened Compliance Risk due to Pandemic-Related Regulatory and Policy Changes

Banks continue to face pandemic-related new and emerging compliance risks. The report calls out the heightened compliance risk as banks “adjust to regulatory changes and initiate efforts to serve customers in the final stages of assistance programs and initiatives related to the COVID-19 pandemic.”

As most of these assistance programs conclude, banks face increased compliance responsibilities, high transaction volumes, and new types of fraud, all while continuing to respond and operate in a changing operating environment.

The report further identifies other compliance hurdles, including “specific areas of challenge” such as “responsibilities associated with underwriting and opening new accounts, monitoring customer activity, processing transactions, making loan modifications, servicing loans, communicating with customers, complying with consumer protection laws, and treating customers fairly.”

Other challenge areas noted by the OCC included meeting Bank Secrecy Act (BSA) and Office of Foreign Assets Control (OFAC) compliance obligations, as well as adapting to regulatory and policy actions by the Consumer Financial Protection Bureau (CFPB). The OCC also highlighted compliance risk being heightened by the rapid digitalization of banking processes and the emergence of digital assets.

To address the heightened compliance risk, the OCC proposes that banks take the following steps:

  • Actively continue to monitor and manage changes and their associated risks
  • Ensure that new processes incorporated into compliance risk management programs are effective and address changes in laws and regulations
  • Manage and mitigate operational challenges
  • Ensure compliance obligations are fulfilled while operating with remote staff
  • Monitor customer complaints to ensure effective compliance risk management
  • Ensure effective change management and compliance risk management to identify, measure, monitor, and control the changing and emerging risks related to consumer products and services

Risks Associated with Climate Change

The impact of climate change on households, communities, businesses, and governments presents significant risk to banks and financial institutions. As per the report, “Banks are exposed to physical and transition risks presented by climate change, which may impact the safety and soundness of supervised institutions.”

This makes it important for banks and financial institutions to continually assess both physical risks, such as hurricanes, wildfires, floods, heatwaves, and sea level rise, and transition risks, including those arising from changes in government policy, technology, and consumer or investor sentiment.


Thrive on Risk with MetricStream

MetricStream’s capabilities enable banks and financial institutions to implement the OCC’s recommendations. With real-time risk intelligence, AI-powered recommendations and insights, and years of proven domain expertise, MetricStream enables you to follow a robust operational risk management strategy and strengthen your compliance posture, empowering you to make risk-aware decisions and ‘thrive on risk.’

  • Actively manage cyber risk with our CyberGRC product line. Easily align with established security standards through an IT and Cyber Risk and Compliance Framework and complete IT audits more efficiently. Leverage pre-packaged content and industry frameworks such as ISO 27001, NIST CSF, and NIST SP 800-53, and map policies to IT controls and policy exceptions. Utilize best practices, insightful reporting, and risk quantification to build cyber resilience.
  • Leverage MetricStream Operational Risk Management’s comprehensive set of capabilities and gain forward-looking risk visibility with predictive risk metrics and indicators. Reduce losses and avoid adverse risk events through proactive control structures and analytics.
  • Stay primed on the complex web of regulatory obligations with MetricStream Regulatory Compliance Management that also simplifies implementing measures, processes, and policies to sustain compliance.
  • Adopt a simplified and streamlined approach to meeting all organizational requirements relating to environmental, social, and governance (ESG) factors with MetricStream’s ESGRC, which enables the automated capture of data for a broad range of ESG metrics.

See how MetricStream can help you stay current and compliant. Request a demo today.

Patricia (Pat) McParland, AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third-party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups, and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.