US Agencies Outline Practices to Strengthen Operational Resilience
US Agencies (FDIC, FED, and OCC) published an interagency paper that outlines sound practices designed to help large banks enhance operational resilience. These practices bring together the existing regulations, guidance, statements, and common industry standards to provide a comprehensive approach that firms may use to strengthen and maintain their operational resilience. The paper details practices in areas such as governance, operational risk management, business, continuity management, third-party risk management, scenario analysis, secure and resilient information system management, and surveillance and reporting. The paper does not revise the agencies' existing rules or guidance. These practices are intended for domestic banks with more than USD 250 billion in consolidated assets or banks with more than USD 100 billion in total assets and other risk characteristics.
The following are the key highlights of practices presented in the paper:
- Governance—As a best practice, the board of directors of a firm should approve and periodically review its risk appetite for weathering disruption from operational risks at the enterprise level and for the firm’s critical operations and core business lines. Senior management must be held accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.
- Operational risk management—By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm should be able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function.
- Business continuity management—The business continuity management should incorporate business impact analysis; testing, training, and awareness programs; and communication and crisis management policies. A firm should periodically review its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. The firm should leverage information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.
- Third-party risk management—Firm should identify and analyze third-party risk of critical operations and core business lines. Firm should periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It should verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption. It should also identify other third parties that may be available to assist in the event its current third parties are unable to continue delivering services.
- Scenario analysis—As a sound practice, scenario analysis helps a firm to develop, validate, and calibrate a firm’s tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In designing scenarios, a firm should leverage both the mapped interconnections and interdependencies of its critical operations and the core business lines, including the third-party risks set forth in its recovery or resolution plans, as well as relevant business impact analyses.
- Secure and resilient information system management—Secure and resilient information systems underpin the operational resilience of a firm’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm to identify and detect risks to operational resilience. A firm should routinely apple and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of its data and information systems. A firm should review information systems and controls on a regular basis, against common industry standards and best practices.
- Surveillance and reporting—A firm should identify and monitor ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. Anomalous activity should be detected in a timely manner to avoid or mitigate a disruption in the firm’s critical operations and core business lines. A firm must conduct continuous surveillance and report to senior management and the board of directors, providing sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.
Given the significance and technical nature of cybersecurity risk, which is one of the most important types of operational risk, the US Agencies have presented, in Appendix A, a separate collection of sound practices for the management of cyber risk. The sound practices for cyber risk management are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST) and augmented to emphasize governance and third-party risk management. In the coming months, the US Agencies intend to convene discussions with the public on further steps to improve operational resilience. Given that many of the firms have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience. The agencies may update these sound practices to reflect input from such discussions.
Related Links
Keywords: Americas, US, Banking, Operational Resilience, Operational Risk, Cyber Risk, Governance, Third-Party Risk, Sound Practices, Large Banks, Scenario Analysis, US Agencies
Previous Article
OCC Finalizes Rule to Determine True Lender in Loan TransactionsNext Article
BOT Circular Introduces Changes to Reduce Bank NPLsRelated Articles
EBA Clarifies Use of COVID-19-Impacted Data for IRB Credit Risk Models
The European Banking Authority (EBA) published four draft principles to support supervisory efforts in assessing the representativeness of COVID-19-impacted data for banks using the internal ratings based (IRB) credit risk models.
EP Reaches Agreement on Corporate Sustainability Reporting Directive
The European Council and the European Parliament (EP) reached a provisional political agreement on the Corporate Sustainability Reporting Directive (CSRD).
PRA Consults on Model Risk Management Principles for Banks
The Prudential Regulation Authority (PRA) launched a consultation (CP6/22) that sets out proposal for a new Supervisory Statement on expectations for management of model risk by banks.
EC Regulation Amends Standards for Calculating Credit Risk Adjustments
The European Commission (EC) published the Delegated Regulation 2022/954, which amends regulatory technical standards on specification of the calculation of specific and general credit risk adjustments.
HKMA Announces Launch of Data Repository on Sustainable Finance
The Hong Kong Monetary Authority (HKMA) announced that the Green and Sustainable Finance (GSF) Cross-Agency Steering Group has launched the information and data repositories and outlined the progress made in advancing the development of green and sustainable finance in Hong Kong.
BIS Hub Updates Work Program for 2022, Announces New Projects
The Bank for International Settlements (BIS) Innovation Hub updated its work program, announcing a set of projects across various centers.
EIOPA Issues Cyber Underwriting Proposal, Statement on Open Insurance
The European Insurance and Occupational Pensions Authority (EIOPA) published two consultation papers—one on the supervisory statement on exclusions related to systemic events and the other on the supervisory statement on the management of non-affirmative cyber exposures.
NGFS Report on Integration of G-Cubed Model into NGFS Scenarios
The Network for Greening the Financial System (NGFS) published a report that explores the feasibility of integrating the G-Cubed general equilibrium model into the NGFS suite of models.
US Senate Members Seek Details on SEC Proposed Climate Disclosure Rule
Certain members of the U.S. Senate Committee on Banking, Housing, and Urban Affairs issued a letter to the Securities and Exchange Commission (SEC)
EIOPA Consults on Review of Securitization Framework in Solvency II
The European Insurance and Occupational Pensions Authority (EIOPA) published a consultation paper on the advice on the review of the securitization prudential framework in Solvency II.