In recent years, the growth of technology-related threats has increased the importance of banks’ operational resilience. The Covid-19 pandemic has made the need to address these threats even more pressing. Given the critical role played by banks in the global financial system, increasing banks’ resilience to absorb shocks from operational risks, such as those arising from pandemics, cyber incidents, technology failures or natural disasters, will provide additional safeguards to the financial system as a whole.
Recognizing that a concerted operational resilience effort may not prevent a significant shock resulting from a specific hazard, the Committee seeks comment on proposed Principles for operational resilience that aim to mitigate the impact of potentially severe adverse events by enhancing banks’ ability to withstand, adapt to and recover from them.
The Committee is of the view that operational resilience is also an outcome of effective operational risk management. Activities such as risk identification and assessment, risk mitigation (including the implementation of controls) and ongoing monitoring work together to minimize operational disruptions and their effects when they materialize.
Given this natural relationship between operational resilience and operational risk, the Committee is proposing updates to its Principles for the sound management of operational risk (PSMOR). Specifically, the Committee is proposing a limited number of updates to: (i) align the PSMOR with the recently finalized Basel III operational risk framework; (ii) update the guidance where needed in the areas of change management and ICT; and (iii) enhance the overall clarity of the principles document.
The proposed principles for operational resilience set forth in this consultative document not only build upon the proposed updates to the PSMOR but are also largely derived and adapted from existing guidance on outsourcing, business continuity and risk management issued by the Committee or national supervisors over a number of years.
By building upon existing guidance and current practices, the Committee is seeking to develop a coherent framework and avoid duplication. The proposed operational resilience principles focus on governance; operational risk management; business continuity planning and testing; mapping interconnections and interdependencies; third-party dependency management; incident management; and resilient cybersecurity and ICT.
Comments on the CDs should be submitted here by Friday 6 November 2020. All comments may be published on the BIS website unless a respondent specifically requests confidential treatment.