Featured Product

    US Agencies Outline Practices to Strengthen Operational Resilience

    October 30, 2020

    US Agencies (FDIC, FED, and OCC) published an interagency paper that outlines sound practices designed to help large banks enhance operational resilience. These practices bring together the existing regulations, guidance, statements, and common industry standards to provide a comprehensive approach that firms may use to strengthen and maintain their operational resilience. The paper details practices in areas such as governance, operational risk management, business, continuity management, third-party risk management, scenario analysis, secure and resilient information system management, and surveillance and reporting. The paper does not revise the agencies' existing rules or guidance. These practices are intended for domestic banks with more than USD 250 billion in consolidated assets or banks with more than USD 100 billion in total assets and other risk characteristics.

    The following are the key highlights of practices presented in the paper:

    • Governance—As a best practice, the board of directors of a firm should approve and periodically review its risk appetite for weathering disruption from operational risks at the enterprise level and for the firm’s critical operations and core business lines. Senior management must be held accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.
    • Operational risk management—By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm should be able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function.
    • Business continuity management—The business continuity management should incorporate business impact analysis; testing, training, and awareness programs; and communication and crisis management policies. A firm should periodically review its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. The firm should leverage information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.
    • Third-party risk management—Firm should identify and analyze third-party risk of critical operations and core business lines. Firm should periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It should verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption. It should also identify other third parties that may be available to assist in the event its current third parties are unable to continue delivering services.
    • Scenario analysis—As a sound practice, scenario analysis helps a firm to develop, validate, and calibrate a firm’s tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In designing scenarios, a firm should leverage both the mapped interconnections and interdependencies of its critical operations and the core business lines, including the third-party risks set forth in its recovery or resolution plans, as well as relevant business impact analyses.
    • Secure and resilient information system management—Secure and resilient information systems underpin the operational resilience of a firm’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm to identify and detect risks to operational resilience. A firm should routinely apple and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of its data and information systems. A firm should review information systems and controls on a regular basis, against common industry standards and best practices. 
    • Surveillance and reporting—A firm should identify and monitor ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. Anomalous activity should be detected in a timely manner to avoid or mitigate a disruption in the firm’s critical operations and core business lines. A firm must conduct continuous surveillance and report to senior management and the board of directors, providing sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

    Given the significance and technical nature of cybersecurity risk, which is one of the most important types of operational risk, the US Agencies have presented, in Appendix A, a separate collection of sound practices for the management of cyber risk. The sound practices for cyber risk management are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST) and augmented to emphasize governance and third-party risk management.  In the coming months, the US Agencies intend to convene discussions with the public on further steps to improve operational resilience. Given that many of the firms have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience. The agencies may update these sound practices to reflect input from such discussions.

     

    Related Links

    Keywords: Americas, US, Banking, Operational Resilience, Operational Risk, Cyber Risk, Governance, Third-Party Risk, Sound Practices, Large Banks, Scenario Analysis, US Agencies

    Related Articles
    News

    ESAs Issue Multiple Regulatory Updates for Financial Sector Entities

    The three European Supervisory Authorities (ESAs) issued a letter to inform about delay in the Sustainable Finance Disclosure Regulation (SFDR) mandate, along with a Call for Evidence on greenwashing practices.

    November 15, 2022 WebPage Regulatory News
    News

    ISSB Makes Announcements at COP27; IASB to Propose IFRS 9 Amendments

    The International Sustainability Standards Board (ISSB) of the IFRS Foundations made several announcements at COP27 and with respect to its work on the sustainability standards.

    November 10, 2022 WebPage Regulatory News
    News

    IOSCO Prioritizes Green Disclosures, Greenwashing, and Carbon Markets

    The International Organization for Securities Commissions (IOSCO), at COP27, outlined the regulatory priorities for sustainability disclosures, mitigation of greenwashing, and promotion of integrity in carbon markets.

    November 09, 2022 WebPage Regulatory News
    News

    EBA Finalizes Methodology for Stress Tests, Issues Other Updates

    The European Banking Authority (EBA) issued a statement in the context of COP27, clarified the operationalization of intermediate EU parent undertakings (IPUs) of third-country groups

    November 09, 2022 WebPage Regulatory News
    News

    OSFI Sets Out Work Priorities and Reporting Updates for Banks

    The Office of the Superintendent of Financial Institutions (OSFI) published an annual report on its activities, a report on forward-looking work.

    November 07, 2022 WebPage Regulatory News
    News

    APRA Finalizes Changes to Capital Framework, Issues Other Updates

    The Australian Prudential Regulation Authority (APRA) finalized amendments to the capital framework, announced a review of the prudential framework for groups.

    November 03, 2022 WebPage Regulatory News
    News

    BIS Hub and Central Banks Conduct CBDC and DeFI Pilots

    The Bank for International Settlements (BIS) Innovation Hubs and several central banks are working together on various central bank digital currency (CBDC) pilots.

    November 03, 2022 WebPage Regulatory News
    News

    ECB Sets Deadline for Banks to Meet Its Climate Risk Expectations

    The European Central Bank (ECB) published the results of its thematic review, which shows that banks are still far from adequately managing climate and environmental risks.

    November 02, 2022 WebPage Regulatory News
    News

    ESAs, ECB, & EC Issue Multiple Regulatory Updates for Financial Sector

    Among its recent publications, the European Banking Authority (EBA) published the final standards and guidelines on interest rate risk arising from non-trading book activities (IRRBB)

    October 31, 2022 WebPage Regulatory News
    News

    EC Adopts Final Rules Under CRR, BRRD, and Crowdfunding Regulation

    The European Commission (EC) recently adopted regulations with respect to the calculation of own funds requirements for market risk, the prudential treatment of global systemically important institutions (G-SIIs)

    October 26, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8582