The Growing Regulatory Focus On Operational Resilience

Global regulators are focused on the financial services industry's response preparedness for operational disruptions and on whether firms are doing enough to increase operational resilience. Their growing interest is expected to usher in a new era of enhanced resilience supervision.


Information technology failures. Digital transformation. Outsourcing. Industry consolidation. Extreme weather. Recession fears. What do these global trends have in common? They are fueling global interest in operational resilience, and the financial services industry, given its criticality to the stability of the global economy, is bearing a fair share of the scrutiny.

Increasingly, regulators are concerned about the financial industry's ability to respond quickly and effectively to disruptive events before they significantly affect consumers, other businesses and the economy. The regulators' interest in the industry's capabilities is shifting from how effectively institutions can prevent events from occurring to how quickly they can recover and remain viable following major disruptions, including severe but plausible stress events.[1]

The most significant effort to date by any financial regulator to create formal rules around operational resilience came on December 5, 2019,[2] when the UK supervisory authorities proposed new rules and expectations aimed at strengthening the operational resilience of the UK financial services sector. The proposals were released jointly by the Prudential Regulation Authority (PRA), the Bank of England (BoE) and the Financial Conduct Authority (FCA) through a series of coordinated consultation papers.

[1] blog.protiviti.com/2019/12/12/operational-resilience-supervision-moves-into-high-gear-with-latest-consultation-papers-for-uk-institutions/
[2] www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper

In the consultation papers, the supervisory authorities set out their view of the key concepts essential to building operational resilience. Their proposals emphasize the need for boards and senior managers to improve their understanding of the criticality of their businesses; to set clear standards for resilience, including the maximum level of disruption their businesses can tolerate; and to establish contingency arrangements that enable the delivery of important business services when disruptive events occur.

Firms Should Act Now to Become Operationally Resilient

Given the UK development and the groundswell of activity around operational resilience globally, companies should act now to stay ahead of the regulatory curve. The following are immediate actions that firms can take:

• Identify important business services and functions and their reliance on third-party providers.
• Quantify the maximum acceptable level of disruption, referred to as "impact tolerance," by establishing the point in time at which the viability of an important business service is irrevocably threatened.
• Monitor and test the resilience of important business services and business lines against worst-case scenarios.
• Identify and document (map) the people, processes, technology, facilities and information required to deliver each important business service.
• Communicate resilience discussions and practices across the organization.

The action items above are discussed in greater detail later in this report. In addition, we provide a high-level overview of how operational resilience became a key agenda topic and highlight several recent and significant proposals aimed at enhancing resilience supervision.


The Resurgence of Interest in Operational Resilience

Operational resilience is an organization's ability to withstand adverse changes in its operating environment and continue delivering business services and economic functions. The number of financial institutions that have suffered severe financial and reputational harm from major disruptive events in recent years continues to increase, renewing the urgency around building operational resilience. As a result of these events and growing regulatory concern, financial industry trade groups are working with their members to consolidate their views on operational resilience and to raise their resilience capabilities against a broad range of threats.

The key components of operational resilience include defining important business services, impact tolerance and economic impact, and developing a complete understanding of all business services, functions and third-party relationships. Specifically, firms need a process for prioritizing the important business lines or services they provide to various stakeholders; for assessing the organization's impact tolerance for each business line and how a prolonged disruption would affect those stakeholders; and for considering the effects of business disruptions not only on the institution's stakeholders but also on the financial sector at large.

Requirements to support resilient operations are not new to financial services leaders. Many financial institutions have long addressed key aspects of operational resilience under the headings of business continuity, disaster recovery, information technology change management and cybersecurity risk management. Nonetheless, in the seminal July 2018 joint discussion paper issued by the BoE, the PRA and the FCA, "Building the UK Financial Sector's Operational Resilience," the supervisory authorities asserted that operational resilience is best managed in the context of business services rather than distinct systems and processes.[3] The discussion paper not only jump-started interest in operational resilience but also signaled regulators' intent to hold financial institutions and financial market infrastructures (FMIs) accountable both for disruptions and for failing to recover rapidly from them.

[3] www.bankofengland.co.uk/news/2018/july/discussion-paper-building-the-uk-financial-sectors-operational-resilience


Conversations on Operational Resilience Around the World

Regulators in various jurisdictions are weighing different approaches to operational resilience supervision. Many are revising existing policies, including those on risk management, outsourcing, controls and communication, and business continuity planning. Others intend to build on existing supervisory approaches or to supplement existing policies to improve the resilience of the financial system. Some jurisdictions are weighing a more prescriptive approach to resilience supervision, such as establishing specific resilience tolerances for institutions, while others have signaled their openness to a principles-based approach that incorporates leading industry standards and best practices. The latter approach was raised in May 2019[4] by a senior U.S. Federal Reserve official. The Federal Reserve's intent is to incentivize new behaviors and investments that support the industry's progress toward financial stability objectives. However, it has not ruled out establishing specific tolerances and thresholds for operational resilience in certain key business services.

The differing approaches under consideration mean that multinational institutions may have to comply with varying operational resilience rules from multiple regulatory authorities. Many leading financial institutions have voiced support for a principles-based regulatory approach to operational resilience, one that is firm-led, flexible in design and not overly prescriptive. Additionally, the financial industry is in direct dialogue with regulators on several of its main concerns, including the need for global harmonization of operational resilience regulations. The discussions are already having an impact; the UK supervisory authorities said the industry's feedback helped reshape some of the proposals in the December 2019 consultation papers.

[4] www.corporatecomplianceinsights.com/regulatory-supervision-operational-resilience/

Signs of Emerging Cross-Jurisdictional Collaboration

Hopeful signs of broader cross-jurisdictional collaboration on operational resilience regulation are emerging. These early signs suggest that various regulatory bodies and professional organizations see the value in working to consolidate global standards.

• Singapore and UK: In June 2019,[5] the Monetary Authority of Singapore (MAS) and the UK financial authorities announced agreements to collaborate on strengthening cybersecurity and resilience in their financial sectors. Both parties will cooperate on facilitating data flows, enhancing cross-border Know Your Customer (KYC) processes, and developing skills and competencies in the financial sector.[6]
• The Basel Committee on Banking Supervision: In January 2022,[7] the member countries of the Basel Committee on Banking Supervision (BCBS) are scheduled to begin a five-year phase-in of the Basel III reforms, which are intended to protect economies from damage caused by banks that assume undue risk.[8] At the beginning of 2018,[9] the BCBS established the Operational Resilience Working Group, whose initial task has been to assess gaps and identify potential policy measures to strengthen operational resilience. The BCBS strengthens the regulation and supervision of banks to enhance global financial stability; its membership draws from 28 jurisdictions worldwide.

[5] www.bankofengland.co.uk/news/2019/june/mas-and-uk-financial-authorities-announce-collaboration-on-cyber-security
[6] www.mas.gov.sg/news/media-releases/2019/singapore-and-uk-to-enhance-cooperation
[7] www.fsb.org/work-of-the-fsb/implementation-monitoring/monitoring-of-priority-areas/basel-iii/
[8] www.investopedia.com/articles/economics/10/understanding-basel-3-regulations.asp
[9] www.bis.org/bcbs/events/icbs20/ws6.pdf


Recent Regulatory Proposals on Operational Resilience

There has been a flurry of activity around operational resilience in recent months and over the past year. The following are a few recent major proposals and developments.

United Kingdom

The December 5, 2019 proposals spell out the supervisory authorities' expectations for regulated UK institutions, including the need for firms to take ownership of their operational resilience, to prioritize plans and investment choices based on their impact on the public interest, and to communicate clearly with customers when disruptions occur. While key concepts essential to building operational resilience, such as important business services and impact tolerance, are clarified, the supervisory authorities stopped short of proposing taxonomies and prescriptive definitions relating to operational resilience.

Additional key takeaways from the consultation papers:

• Regulated institutions are expected to take a group-level view of operational resilience so that the risks of the whole group, including subsidiaries or business units not subject to individual requirements, are considered.
• The supervisory authorities moved from the term "critical business services" to "important business services," expanding the number of services a regulated institution would have to validate as resilient. This change is expected to require the mapping of more processes and systems (and possibly data flows), using a front-to-back approach to identify important business services.
• Regulated institutions are expected to use a time-based metric to define their impact tolerance, that is, the point at which the viability of a service is irrevocably threatened, and to be able to identify the stakeholders for whom that point of irrevocability arises.

UK regulators are under pressure to hold institutions and their executives more accountable for operational failures. In October 2019, the UK Parliament's Treasury Select Committee (Treasury Committee) published a report[10] decrying the current level and frequency of operational disruptions and consumer harm and urged regulators to act to reduce the "unacceptable" number of IT failures in the financial services sector. In the report,[11] the Treasury Committee called for banks and responsible individuals within the sector to be held more accountable and urged regulators (specifically the FCA, PRA and BoE) to apply their enforcement powers to ensure that failures do not go unpunished.

[10] www.publications.parliament.uk/pa/cm201920/cmselect/cmtreasy/224/224.pdf
[11] www.protiviti.com/UK-en/insights/it-failures


United States

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released[12] an updated business continuity management booklet designed to make it easier for financial institutions to comply with its guidance and to help examiners determine whether management is addressing risks to the availability of critical financial products and services. Among the notable changes from the earlier (2015) version, the booklet emphasizes operational resilience concepts such as understanding comprehensive process flows, potential systemic impacts, the need for more robust end-to-end testing, and maximum tolerable downtime (MTD). As part of their examination objectives, FFIEC examiners will determine whether management has documented and implemented, as appropriate, resilience measures for third-party service providers; in particular, examiners will consider disruptive events that threaten the operational resilience and viability of the entity's third-party service providers.

Cybersecurity and operational resilience also feature prominently in the Office of the Comptroller of the Currency's (OCC) Fall 2019 Semiannual Risk Perspective[13] and fiscal year 2020 Bank Supervision Operating Plan.[14] While these topics have been on the OCC's supervisory radar for several years, the emphasis has expanded. According to the OCC, banks' exposure to operational risk is rising as they adapt to a changing and increasingly complex operating environment. A key factor driving the elevation in operational risk is the need to adapt and evolve current technology systems in the face of ongoing cybersecurity threats.

Canada

In June 2019, the Bank of Canada launched[15] the Canadian Financial Sector Resiliency Group (CFRG), a public-private partnership to strengthen the resilience of Canada's financial sector against risks to business operations, including cyber incidents. CFRG, which brings together the Department of Finance Canada, the Office of the Superintendent of Financial Institutions (OSFI), Canada's systemically important banks and designated Canadian FMIs, will be responsible for coordinating a sectorwide response to systemic-level operational incidents. CFRG will also support ongoing resilience initiatives, such as regular crisis simulation and benchmarking exercises. The partnership replaces the Joint Operational Resilience Management Program (JORM), which played a similar role but had a different membership base and lacked a mandate to coordinate resilience for cyber events.

[12] blog.protiviti.com/2019/12/03/ffiecs-updated-bcm-booklet-highlights-operational-resilience-concepts/
[13] www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/index-semiannual-risk-perspective.html
[14] www.occ.gov/news-issuances/news-releases/2019/2019-111a.pdf
[15] www.bankofcanada.ca/2019/06/bank-of-canada-announces-partnership-improve-resilience-financial-sector/


European Union

In December 2019, the European Commission launched a public consultation[16] on a proposed digital operational resilience framework for the EU financial sector. The Commission aims to gather views on strengthening the digital operational resilience of the financial sector, particularly in the areas of information and communications technology (ICT) and security risk, and on the potential impacts of such policies. The consultation remains open until March 18, 2020.

In the paper, the Commission states that the financial sector is the largest user of ICT in the world, accounting for about a fifth of all ICT expenditure. The sector's operational resilience will continue to hinge on ICT, given the growing use of emerging models, concepts and technologies such as distributed ledgers and artificial intelligence. In the Commission's view, the increased use of artificial intelligence in financial services may create a need for stronger operational resilience and, accordingly, increased regulatory supervision.

The consultation follows earlier efforts by the European Supervisory Authorities (ESAs) to address the need for improved ICT risk management requirements in the EU's financial services industry. In April 2019,[17] the ESAs published joint advice clarifying their expectations on ICT governance, aimed at ensuring the secure delivery of regulated services. The ESAs' proposals (the Joint Advice) promote the operational resilience of the EU's financial sector.[18] They point out that as financial services firms' reliance on technology increases, so does their exposure to cyber risk. The European supervisors continue to suggest changes to harmonize risk management rules throughout the EU.

Singapore

In March 2019,[19] MAS released a pair of consultation papers. The first proposed expanding the Technology Risk Management (TRM) guidelines to include direction on cyber surveillance, software development security, adversarial attack simulation, and cyber risk management for the Internet of Things. The second proposed updates to the Business Continuity Management (BCM) guidelines that would increase the focus of financial institutions' business continuity plans on interdependencies across operational units and with third-party service providers.

[16] https://ec.europa.eu/info/law/better-regulation/initiatives/financial-services-digital-resilience-2019/public-consultation_en
[17] https://eba.europa.eu/-/esas-publish-joint-advice-on-information-and-communication-technology-risk-management-and-cybersecurity
[18] www.linklaters.com/en-us/insights/blogs/fintechlinks/2019/april/eu-supervisors-propose-writing-operational-resilience-and-cybersecurity-standards
[19] www.mas.gov.sg/news/media-releases/2019/mas-consults-on-proposed-enhancements-to-trm-and-bcm-guidelines


How Financial Institutions Can Respond Now

The pressure to comply with operational resilience requirements and guidance, and the desire to avoid the consequences of operational failures, are strong motivations for institutions to strengthen operational resilience. The benefits extend beyond compliance: companies can protect their profits and reputations by staying on top of industry best practices.

Here are a few initiatives that institutions can take immediately:

• Most organizations already have an idea of what their important business services are, so they should not wait for future requirements mandating a formal approach to defining "important business services." Acting now to reach internal consensus on which services are important will help firms understand the scope and impact of any future operational resilience regulations focused on important business services.
• Institutions should develop action plans to address known operational risks or gaps, whether self-identified, noted by internal audit, communicated by regulators in a matter requiring attention (MRA) or ordered by a court. Focusing on and addressing known gaps is a crucial step for firms to demonstrate resilience and their ability to respond to or recover from severe-but-plausible scenarios.
• Building a robust operational resilience program will require investment in technical and human resources. Firms should therefore begin immediately to weigh the impact on budget and other resources. Budgetary considerations will vary depending on an institution's existing capabilities. Operational resilience professionals can help institutions assess the resources required to support implementation, estimate the budgetary impact and benchmark it.
• While institutions have invested significant resources in the foundational elements, producing a true front-to-back map of important business services, inclusive of all processes, systems and third parties involved, remains a challenge for many. Mapping is critical, as it helps institutions identify vulnerabilities in the delivery of important business services within their impact tolerance and take action to remedy the vulnerabilities discovered.
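The mapping and impact-tolerance items in the list above, and the corresponding items in the "Firms Should Act Now" list earlier in this report, can be made concrete with a small model. The following Python is an added example, not code from Protiviti or from any regulator's guidance: it maps a service to the people, processes, technology, facilities, information and third parties it depends on, computes how long the service would be unavailable under a given failure scenario, and flags scenarios and single resources whose loss would exceed a time-based impact tolerance. The service name, its resources, the recovery times and the 12-hour tolerance are constructed assumptions.

```python
"""Toy front-to-back map of an important business service, checked against a
time-based impact tolerance. Added illustration only; the service, its
resources, recovery times and the tolerance are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Resource:
    """One mapped element needed to deliver the service.

    kind:            people | process | technology | facility | information | third_party
    recovery_hours:  assumed time to restore this element once it has failed
    depends_on:      elements that must be back before this one can be restored
    """
    name: str
    kind: str
    recovery_hours: float
    depends_on: Tuple[str, ...] = ()


@dataclass
class ServiceMap:
    service: str
    impact_tolerance_hours: float    # board-set, time-based impact tolerance
    entry_points: Tuple[str, ...]    # resources the service is delivered through
    resources: Dict[str, Resource]

    def restore_time(self, failed: FrozenSet[str]) -> float:
        """Hours until the service is back, given the resources lost in a scenario.

        A failed resource needs its own recovery time on top of whatever it waits
        for; an intact resource that depends on a failed one is back when that
        dependency is. A cycle in the map is a mapping error and is rejected.
        """
        memo: Dict[str, float] = {}
        on_path: set = set()

        def available_at(name: str) -> float:
            if name in memo:
                return memo[name]
            if name in on_path:
                raise ValueError(f"dependency cycle through {name!r}")
            on_path.add(name)
            res = self.resources[name]
            wait = max((available_at(d) for d in res.depends_on), default=0.0)
            own = res.recovery_hours if name in failed else 0.0
            on_path.discard(name)
            memo[name] = wait + own
            return memo[name]

        return max((available_at(e) for e in self.entry_points), default=0.0)

    def breaches_tolerance(self, failed: FrozenSet[str]) -> bool:
        # Restoring exactly at the tolerance is not a breach.
        return self.restore_time(failed) > self.impact_tolerance_hours

    def single_points_of_failure(self) -> List[str]:
        """Resources whose loss on its own would breach the impact tolerance."""
        return sorted(n for n in self.resources if self.breaches_tolerance(frozenset({n})))

    def assess(self, scenarios: Dict[str, Iterable[str]]) -> Dict[str, Tuple[float, bool]]:
        """Evaluate named severe-but-plausible scenarios: hours down and breach flag."""
        out = {}
        for label, lost in scenarios.items():
            failed = frozenset(lost)
            out[label] = (self.restore_time(failed), self.breaches_tolerance(failed))
        return out


def build_example_map() -> ServiceMap:
    """Constructed example: a retail payments service (all values are assumptions)."""
    resources = [
        Resource("primary_dc", "facility", 24.0),
        Resource("core_banking", "technology", 6.0, ("primary_dc",)),
        Resource("network_provider", "third_party", 8.0),
        Resource("payments_gateway", "technology", 4.0, ("core_banking", "network_provider")),
        Resource("ops_team", "people", 2.0),
        Resource("payment_runbook", "information", 1.0),
    ]
    return ServiceMap(
        service="retail_payments",
        impact_tolerance_hours=12.0,
        entry_points=("payments_gateway", "ops_team", "payment_runbook"),
        resources={r.name: r for r in resources},
    )


if __name__ == "__main__":
    smap = build_example_map()
    scenarios = {
        "telecom outage": ["network_provider"],
        "data centre loss": ["primary_dc"],
        "gateway and telecom": ["payments_gateway", "network_provider"],
    }
    for label, (hours, breached) in smap.assess(scenarios).items():
        print(f"{label:22s} restore in {hours:5.1f}h  breach={breached}")
    print("single points of failure:", smap.single_points_of_failure())
```

Two design choices are worth noting. A scenario that restores the service exactly at the tolerance is not treated as a breach, because the tolerance is defined as the point at which viability is irrevocably threatened, not a point before it. And a cycle in the dependency map raises rather than silently returning a number: a cyclic dependency means the map itself is wrong, which is exactly the kind of finding the mapping exercise is meant to surface.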


ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 85 offices in over 25 countries, Protiviti and its independent and locally owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.

Named to the 2020 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60% of Fortune 1000® and 35% of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

To learn more about operational resilience, and how Protiviti is helping clients improve their resilience practices, visit: https://www.protiviti.com/US-en/operational-resilience

CONTACTS

Patrick Scott, Executive Vice President, +1.312.476.6397, [email protected]
Carol Beaumier, Senior Managing Director and Asia-Pacific Financial Services Leader, +1.212.603.8337, [email protected]
Michael Brauneis, Managing Director and Americas Financial Services Industry Leader, +1.312.476.6327, [email protected]
Ron Lefferts, Managing Director, Global Leader, Protiviti Technology Consulting, +1.212.603.8317, [email protected]
Andrew Retrum, Managing Director, Global Operational Resilience Leader, Technology Consulting, +1.312.476.6353, [email protected]
Douglas Wilbert, Managing Director, US Operational Resilience Leader, Risk & Compliance, +1.212.708.6399, [email protected]
Matthew Moore, Managing Director, Global Risk and Compliance Leader, +1.704.972.9615, [email protected]
Bernadine Reese, Managing Director, Risk and Compliance, +44.20.7024.7589, [email protected]
Matt Taylor, Managing Director, Risk and Compliance, +44.20.7930.8808, [email protected]


© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0320-103145

THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, Sao Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
COLOMBIA*: Bogota
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas

EUROPE, MIDDLE EAST & AFRICA
FRANCE: Paris
GERMANY: Berlin, Dusseldorf, Frankfurt, Munich
ITALY: Milan, Rome, Turin
NETHERLANDS: Amsterdam
SWITZERLAND: Zurich
UNITED KINGDOM: Birmingham, Bristol, Leeds, London, Manchester, Milton Keynes, Swindon
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
EGYPT*: Cairo
SOUTH AFRICA*: Durban, Johannesburg

ASIA-PACIFIC
AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA*: Bengaluru, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

*MEMBER FIRM
