On the Frontlines: Building Operational Resilience

In Europe, recent guidance and regulations include:

• The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority's Operational Resilience: Impact Tolerances for Important Business Services.
• The Basel Committee for Banking Supervision's Principles for Operational Resilience and the work program and strategic priorities for 2021/2022.
• The European Commission's draft Digital Operational Resilience Act and the Network and Information Security (NIS) 2 Directive.

Following the release of Operational Resilience: Impact Tolerances for Important Business Services in June, U.K. financial services firms should focus on third-party risk management by considering emerging technology risk linked to the cloud strategy, concentration risk against the major providers, and sub-outsourcing risk. Firms should shift their focus from the internal critical functions to the important business services that, if disrupted, could harm consumers or market integrity as well as threaten the viability and image of firms.

Also, for each important business service, firms should set impact tolerances that quantify the maximum tolerable level of disruption. In determining these tolerances, they should work from the basis that the impact has already occurred, rather than the risk of it occurring.

Additionally, firms should identify and document the people, processes, technology, facilities, and information that support important business services. They should take actions to remain within the impact tolerances through a range of plausible disruption scenarios. Moreover, they should devise a plan to test important business services against the tolerances to provide assurance that:

• This is a true and accurate reflection of the organization's tolerance for disruption of that service.
• The organization has a good understanding of its own level of resilience.

The Basel Committee on Banking Supervision's work program and strategic priorities for 2021/2022 reflect the outcome of a recent strategic review by the committee. The review is intended to ensure that the committee continues to effectively promote global financial stability and strengthen the regulation, supervision, and risk management practices of banks worldwide. The work program focuses on three key themes:

• COVID-19 resilience and recovery monitoring and assessment of risks and vulnerabilities to the global banking system.
• Horizon scanning and mitigation of medium-term risks and trends, including work related to the ongoing digitalization of finance, climate-related financial risks, and the impact on banks' business models resulting from a "low-for-long" interest rate environment.
• Strengthening supervisory coordination and practices with a focus on the role of artificial intelligence/machine learning in banking and supervision, data and technology governance by banks, operational resilience, and the role of proportionality in bank regulation and supervision.

In the European Union (EU), the Digital Operational Resilience Act aims to establish a foundation for EU financial regulators and supervisors to be able to expand their focus to ensure firms remain financially resilient through a severe operational disruption. Considerations for the proposed law include:

• Bringing critical information and communications technology (ICT) third-party providers — including cloud service providers — within the regulatory perimeter. In this way, one of the European Supervisory Authorities would have the power to perform off-site and on-site inspections and issue recommendations.
• Setting EU-wide standards for digital operational resilience testing.
• Harmonizing ICT risk management rules across financial services sectors, based on existing guidelines that ask to set the appropriate risk and impact tolerances for ICT disruptions as well as review the firm's business continuity and disaster recovery plans.
• Harmonizing ICT incident classification and reporting, and opening the door to establish a single EU-hub for major ICT-related incident reporting by financial institutions. The measures, in aggregate, would provide EU regulators with a better picture of the kinds of vulnerabilities that are most common across firms and potentially help them take further action.

The pandemic has confirmed the importance of preparing for the digital decade as well as the need to continually improve cyber resilience based on the growth of network and information systems dependences and interconnections among sectors and services.

To respond to the growing threats posed by digitalization and the surge in cyberattacks, the European Commission has proposed replacing the NIS Directive. The NIS2 Directive (PDF) would strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.

Most organizations have embarked on their own thinking and interpretation of these rules, and their approaches are likely to vary from one organization to another. Organizations will need internal audit's support to improve their resilience framework, alongside the contributions of risk and business continuity management experts.