Strengthening resilience throughout the financial system is one of the strategic commitments of the Central Bank of Ireland (CBI). Resilience includes understanding existing vulnerabilities and mitigating those risks to ensure the financial system can withstand and limit the impact of future disruptions. A firm that is operationally resilient can recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system. Owen Lewis, Ian Nelson, Patrick Farrell and David Polley from our Operational Resilience team explain below.

The Cross Industry Guidance on Operational Resilience (released December 2021) aims to understand different views from stakeholders on how to prepare for, respond to, recover and learn from an operational disruption that impacts a firm’s ability to deliver a critical or important business service. It applies to all regulated firms, e.g. insurance, credit institutions, investment firms, RCFs, and PIs.

The Cross Industry Guidance on Operational Resilience

The Cross Industry Guidance on Operational Resilience sets out a holistic approach to the management of operational resilience and related risks, which is built around the following three pillars of Operational Resilience:

  • Identify & Prepare
  • Respond & Adapt
  • Recover & Learn

The three pillars are supported by 15 guidelines which have been developed by the Central Bank following engagement with its international regulatory colleagues. The expectation from the Central Bank is that regulated firms’ boards and senior management should take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust. Boards should also be able to demonstrate that they have applied the guidelines within an appropriate timeframe, and in a flexible and proportionate manner based on the nature, scale and complexity of the business.

The global landscape

The Operational Resilience concept has been gaining traction globally, and financial services firms have experienced challenges from various disruptive events including technology failures, cyber incidents, the COVID-19 pandemic and natural disasters. New standards and consultations are continually being proposed across multiple jurisdictions. While the various authorities might promote different terms, the core aspects remain the same: regulatory authorities are concerned with ensuring a firm can evidence its approach to operational continuity.

The Central Bank confirms that this Guidance is in line with international best practice and is compatible with and complementary to the ‘Digital Operational Resilience Act’ (DORA). The Central Bank will continue to update and align the intended outcomes of the supervisory approach with relevant international operational resilience policy developments as they evolve. The Central Bank has determined that there are no contradictions between this Guidance and the forthcoming DORA regulation. There are, however, many elements of DORA that, when applied, will require firms to build greater resilience into their critical or important business services and thus align with the intended outcome of these guidelines. The Central Bank confirms that it will continue to monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices.

Some examples of relevant guidance are detailed below.

Relevant marketplace movements

  • The Basel Committee on Banking Supervision’s (BCBS) ‘Principles for operational resilience’;
  • The joint Bank of England (BoE), Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) policy statement on their approach to operational resilience across the financial services sector;
  • The European Commission published its proposed legislation on digital operational resilience, DORA;
  • The US Federal Reserve Board (FRB), the UK’s PRA, and the European Central Bank (ECB) have agreed coordinated statements on operational resilience, which have been issued to all Global Systemically Important Banks (GSIBs), and non-GSIBs;
  • The UK has taken the lead in developing the concept of Operational Resilience, with other jurisdictions paying close attention. It is expected that, over time, a global approach will emerge. Operational Resilience is the new consideration all financial services firms will have to adapt to going forward.

Timing & expectations

The CBI released the Cross Industry Guidance on Operational Resilience in December 2021. The authority expects firms to actively and promptly address their operational resilience vulnerabilities and be in a position to evidence actions / plans to apply the guidance by the end of 2023.

The Central Bank will conduct supervisory engagements to assess the level of Operational Resilience maturity in firms. This includes looking for evidence that the board is seeking the required information to enable it to understand the risk and resilience profile of the firm; the firm’s understanding of the delivery of its own critical or important business services and the operational assets that underpin the delivery of these services; the firm’s ability to determine appropriate impact tolerances for its important business services; and the firm’s consideration of third parties in its response and recovery process.

Get in touch

KPMG has supported clients on their Operational Resilience journeys since 2017 and has extensive experience in Ireland, the UK and Europe via our Operational Resilience Centre of Excellence.

Specifically, our team has deep technical expertise across the Operational Resilience Pillars as outlined by the CBI, including ICT and Cyber Resilience, Incident Management, and Business Continuity, in addition to broad governance, risk, regulatory and compliance skills. If you would like to discuss the potential impact of the above on your business, please contact any of our Operational Resilience experts below.
