Strengthening resilience throughout the financial system is one of the strategic commitments by the Central Bank of Ireland (CBI). Resilience includes understanding existing vulnerabilities and mitigating those risks to ensure the financial system can withstand and limit the impact of future disruptions. A firm that is operationally resilient can recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system. Owen Lewis, Ian Nelson, Patrick Farrell and David Polley from our Operational Resilience team explain below.
The Cross Industry Guidance on Operational Resilience (released December 2021) aims to understand different views from stakeholders on how to prepare for, respond to, recover and learn from an operational disruption that impacts a firm’s ability to deliver a critical or important business service. It applies to all regulated firms, e.g. insurance, credit institutions, investment firms, RCFs, and PIs.
The Cross Industry Guidance on Operational Resilience
The Cross Industry Guidance on Operational Resilience sets out a holistic approach to the management of operational resilience and related risks which is built around the following three pillars of Operational Resilience:
- Identify & Prepare
- Respond & Adapt
- Recover & Learn
The three pillars are supported by 15 guidelines which have been developed by the Central Bank following engagement with its international regulatory colleagues. The expectation from the Central Bank is that regulated firms’ boards and senior management should take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust. Boards should also be able to demonstrate that they have applied the guidelines within an appropriate timeframe, and in a flexible and proportionate manner based on the nature, scale and complexity of the business.
The global landscape
The Operational Resilience concept has been gaining traction globally and financial services firms have experienced challenges from various disruptive events including technology failures, cyber incidents, the COVID-19 pandemic and natural disasters. New standards and consultations are continually being proposed across multiple jurisdictions. While the various authorities might promote different terms, the core aspects remain the same: regulatory authorities are concerned with ensuring a firm can evidence its approach to operational continuity.
The Central Bank confirms that this Guidance is in line with international best practice and compatible with and complementary to the ‘Digital Operational Resilience Act’ (DORA). The Central Bank will continue to update and align the intended outcomes of the supervisory approach with relevant international operational resilience policy developments as they evolve. The Central Bank has determined that there are no contradictions between this Guidance and the forthcoming DORA regulation. There are, however, many elements of DORA that, when applied, will require firms to build greater resilience into their critical or important business service and thus align with the intended outcome of these guidelines. The Central Bank confirms that it will continue to monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices.
Some examples of relevant guidance are detailed below.
Relevant marketplace movements
- The Basel Committee on Banking Supervision’s (BCBS) ‘Principles for operational resilience’;
- The joint Bank of England (BoE), Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) policy statement on their approach to operational resilience across the financial services sector;
- The European Commission published its proposed legislation on digital operational resilience, DORA;
- The US Federal Reserve Board (FRB), the UK’s PRA, and the European Central Bank (ECB) have agreed coordinated statements on operational resilience, which have been issued to all Global Systemically Important Banks (GSIBs), and non-GSIBs;
- The UK has taken the lead in developing the concept of Operational Resilience, with other jurisdictions paying close attention. It is expected that, over time, a global approach will emerge. Operational Resilience is the new consideration all financial services firms will have to adapt to going forward.
Timing & expectations
The CBI released the Cross Industry Guidance on Operational Resilience in December 2021. The authority expects firms to actively and promptly address their operational resilience vulnerabilities and be in a position to evidence actions / plans to apply the guidance by the end of 2023.
The Central Bank will conduct supervisory engagements to assess the level of Operational Resilience maturity in firms. This includes looking for evidence that the board is seeking the required information to enable it to understand the risk and resilience profile of the firm; the firm’s understanding of the delivery of its own critical or important business services and the operational assets that underpin the delivery of these services; the firm’s ability to determine appropriate impact tolerances for its important business services; and the firm’s consideration of third parties in its response and recovery process.
Get in touch
KPMG has supported clients on their Operational Resilience journeys since 2017 and has extensive experience in Ireland, the UK and Europe via our Operational Resilience Centre of Excellence.
Specifically, our team has deep technical expertise across the Operational Resilience Pillars as outlined by the CBI, including ICT and Cyber Resilience, Incident Management, and Business Continuity, in addition to broad governance, risk, regulatory and compliance skills. If you would like to discuss the potential impact of the above on your business, please contact any of our Operational Resilience experts below.
Contact our Operational Resilience team
Owen Lewis
Head of Management Consulting and Head of Banking and Capital Markets
KPMG in Ireland
Ian Nelson
Head of Financial Services & Regulatory
KPMG in Ireland
Patrick Farrell
Partner
KPMG in Ireland
Dani Michaux
EMA Cyber Leader
KPMG in Ireland
David Polley
Director – Management Consulting
KPMG in Ireland