Operational Resilience – Less than Six Months to Go
In December 2021, the Central Bank of Ireland (the “CBI”) published its cross-industry guidance on operational resilience (the “Guidance”) for regulated financial service providers (“RFSPs”). The Guidance is designed to help advance the CBI’s strategic commitment of strengthening the resilience of the financial system.
The CBI expects that the boards and senior management of RFSPs (including investment funds and fund management companies) will review the Guidance and adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience. RFSPs must be in a position to evidence actions/plans to apply the Guidance by 1 December 2023.
What is operational resilience and why is it in focus?
Operational resilience is the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, and recover and learn from, operational disruption. In effect, an operationally resilient firm should be able to recover its critical or important business services from significant unplanned disruption (such as cyber-attacks, insider threats, natural disasters and systems failures) while minimising its impact and protecting its customers and the integrity of the financial system. Effective operational resilience firstly requires a firm to accept that operational disruption will occur and that a firm needs to be prepared to respond accordingly and have measures in place to limit disruptive impacts. With this shift in mind-set, a firm can then look to supplement its existing processes and measures designed to prevent risks from occurring (typically called an operational risk management framework) with operational resilience capabilities that deal with risks and minimise their impact when they do actually occur.
The Guidance identifies a number of factors that are contributing to the increasing importance of operational resilience. One factor is that firms are becoming increasingly dependent on technology and the pace of technological change is continuing to accelerate (this is particularly true in light of the COVID-19 pandemic and its impact on ways of working). Another factor is the increasingly complex outsourcing structures utilised by many firms to operate their businesses. The CBI notes that these and other factors have led to a rise in operational incidents affecting firms and contributed to the heightened importance of firms implementing and maintaining a robust operational resilience framework. The sharp focus and importance that the CBI places on operational resilience is also evident from the fine of €24.5 million that the CBI imposed on Bank of Ireland in November 2021 for regulatory failings relating to Bank of Ireland’s service continuity framework and related internal controls. This was one of the highest fines ever imposed by the CBI and it is noteworthy that a fine of this scale related to failings around service continuity and operational resilience.
Scope of Application
The Guidance applies to all RFSPs. This includes AIFs and UCITS, as well as AIFMs and UCITS management companies. However, despite the broad scope of application, the Guidance is intentionally not particularly prescriptive, which facilitates its pragmatic application. In effect, the Guidance is designed to be flexible and can be applied by firms in a proportionate manner based on the nature, scale and complexity of their businesses. Accordingly, while the Guidance applies to all RFSPs, it is likely that a higher standard of operational resilience will be expected of AIFMs and UCITS management companies when applying the Guidance to their businesses, compared to AIFs and UCITS.
Core Principles and Pillars of the Guidance
The core principles underpinning the Guidance are:
- A firm must identify its critical or important business services along with the activities, people, processes, information, technologies and third parties (e.g. outsourced service providers) involved in the delivery of these services;
- A firm must set impact tolerances for each of its critical or important business services so as to quantify the maximum level of disruption that can be accepted to such services, and the firm must test its ability to stay within those tolerances during a severe but plausible operational disruption scenario; and
- A firm must continually review how it has responded to disruptive events so that lessons can be learned and incorporated so as to continually enhance the operational resilience of the firm.
To support the application of these core principles, the Guidance identifies three pillars of operational resilience and outlines key guidelines under each of these pillars. These pillars are:
Identify & Prepare
There are ten guidelines under this pillar which focus on: enshrining board responsibility for, and approval of, operational resilience within the firm; identifying the firm’s critical or important business services; developing impact tolerances for these services (including clear metrics to help the firm monitor that it stays within these tolerances); testing the firm’s ability to remain within these impact tolerances; identifying dependencies on third parties for critical or important business services (e.g. outsourced service providers); and maintaining a technology and cyber strategy that supports operational resilience.
Respond & Adapt
There are three guidelines under this pillar which focus on integrating other aspects of the firm’s risk management strategy and processes into the operational resilience framework, namely the firm’s business continuity management processes, incident management strategy and internal/external crisis communication plan.
Recover & Learn
There are two guidelines under this pillar which focus on conducting a lessons learned exercise after a disruptive event to enhance the firm’s ability to respond to future events and promoting a culture of learning and continuous improvement as ‘good’ operational resilience evolves.
Timing
The CBI expects firms to be “actively and promptly” addressing operational resilience vulnerabilities within their organisation and to be in a position to evidence actions/plans to apply the Guidance at the latest by 1 December 2023. If an RFSP has delegated certain functions to a service provider that is itself subject to the Guidance (for example, where an AIF or a UCITS has appointed an AIFM or a UCITS management company), the RFSP should request that such delegate provide confirmation by 1 December 2023 that it is able to evidence the actions/plans it is taking to apply the Guidance. Such confirmation should be provided as part of the regular reporting by the delegate to the board of the RFSP.
If you would like to discuss these requirements or how to implement additional measures to address the pillars of operational resilience described above, please contact your usual Arthur Cox contact.