Hollywood blockbuster or rotten tomato: does the Basel Committee paper on operational resilience deliver?
26 August 2020
The Basel Committee of Banking Supervision (BCBS) has finally published their long-awaited and eagerly anticipated consultation paper on ‘Principles for Operational Resilience’. And in a summer devoid of Hollywood blockbusters to fill conversation, it may end up being no less talked about. At least in operational resilience circles.
Initially the principles will be directly relevant only for banks. But they could be applied more broadly as regulators seek to harmonise arrangements. We have already seen the European Supervisory Authorities do this with cloud outsourcing and ICT risk management.
Unlike others, who have focused on specific elements or supervision, the UK has led the global policy agenda on an overall operational resilience framework. And with UK representation on the BCBS Operational Resilience Working Group, there was an expectation that we’d already seen the trailer for its output.
The first thing you’ll notice about the paper is that it’s brief. Just nine pages in fact. It achieves this through linking to well-established practice on risk management, business continuity and recovery and resolution. Being rooted in operational risk discipline also helps BCBS to convey the importance of balancing activities aimed at preventing incidents with those focused on the response.
Both the BCBS and UK approaches seem to drive the same set of familiar activities: identify what is important to make resilient; understand how those things are delivered; set standards of resilience; and test against them. However, there are some key differences.
First, BCBS defines operational resilience as ‘the ability of a bank to deliver critical operations through disruption’¹. The term ‘critical operations’ encompasses the FSB’s view of critical functions, ‘plus activities, processes, services and their relevant supporting assets, where disruption would be material to the continued operation of the bank or its role in the financial system’. This definition seems to leave a material gap in not explicitly considering the customer, or end user, lens as advocated by the UK authorities. For instance, the PRA paper CP29/19 states: ‘for many firms, [the new approach] will mean a shift away from thinking about the resilience of individual systems and resources and a shift towards considering services that are provided to users.’
Given this shift, it won’t be surprising that the paper does not specify the introduction of new ‘impact tolerances’, as per the UK. BCBS is instead relying on firms adapting their existing risk appetite and their ‘risk tolerance² for disruption’. That creates more flexibility in how firms approach setting standards of resilience, rather than mandating that impact tolerances be set for each service.
Like a good Hollywood sequel, the paper ties in to the story so far, including the significant work undertaken by banks in recent years on their recovery and resolution plans (RRP). BCBS suggests that ‘internationally active banks’ leverage their RRP for definitions of critical operations and consider whether their operational resilience efforts are appropriately harmonised with their recovery and resolution plans. Typically we have not seen firms make strong enough connections between these disciplines, which are often led by different business units. Where this is the case, firms should ensure that they are reviewing the respective work programmes and aligning where appropriate. There are clear benefits here, including operational efficiencies in delivering the work as well as clear messaging for regulators.
In a recent blog we suggested that the UK proposed policy is unlikely to change as a result of COVID-19 as the ambition and means of achieving it both remain valid. I think that remains true today in light of the BCBS paper, though I think there remains more for the UK authorities to do to help explain how the various frameworks come together where they exist in specific sectors. ‘Reviews’ of the BCBS paper should be made by 6 November 2020. The next anticipated release in this long-running saga is the EC Digital Operational Resilience Framework in autumn 2020, though we wait to see what the US and other jurisdictions may release in the meantime.
There is a parallel BCBS consultation underway on revisions to the principles for the sound management of operational risk. Read more in our separate blog: Basel Committee serves up a healthy dose of operational risk management.
¹ In contrast, the UK supervisory authorities define operational resilience as: ‘the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions’.
² The parallel BCBS consultation paper on Revisions to the principles on operational risk includes additional implementation guidance on risk appetite and risk tolerance which align with the UK’s perspective, such as making them easy to communicate and requiring a clearly articulated rationale for thresholds.