US Agencies Outline Practices to Strengthen Operational Resilience

The following are the key highlights of practices presented in the paper:

• Governance—As a best practice, the board of directors of a firm should approve and periodically review its risk appetite for weathering disruption from operational risks at the enterprise level and for the firm’s critical operations and core business lines. Senior management must be held accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.
• Operational risk management—By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm should be able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function.
• Business continuity management—The business continuity management should incorporate business impact analysis; testing, training, and awareness programs; and communication and crisis management policies. A firm should periodically review its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. The firm should leverage information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.
• Third-party risk management—Firm should identify and analyze third-party risk of critical operations and core business lines. Firm should periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It should verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption. It should also identify other third parties that may be available to assist in the event its current third parties are unable to continue delivering services.
• Scenario analysis—As a sound practice, scenario analysis helps a firm to develop, validate, and calibrate a firm’s tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In designing scenarios, a firm should leverage both the mapped interconnections and interdependencies of its critical operations and the core business lines, including the third-party risks set forth in its recovery or resolution plans, as well as relevant business impact analyses.
• Secure and resilient information system management—Secure and resilient information systems underpin the operational resilience of a firm’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm to identify and detect risks to operational resilience. A firm should routinely apple and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of its data and information systems. A firm should review information systems and controls on a regular basis, against common industry standards and best practices. 
• Surveillance and reporting—A firm should identify and monitor ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. Anomalous activity should be detected in a timely manner to avoid or mitigate a disruption in the firm’s critical operations and core business lines. A firm must conduct continuous surveillance and report to senior management and the board of directors, providing sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

Given the significance and technical nature of cybersecurity risk, which is one of the most important types of operational risk, the US Agencies have presented, in Appendix A, a separate collection of sound practices for the management of cyber risk. The sound practices for cyber risk management are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST) and augmented to emphasize governance and third-party risk management.  In the coming months, the US Agencies intend to convene discussions with the public on further steps to improve operational resilience. Given that many of the firms have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience. The agencies may update these sound practices to reflect input from such discussions.

Related Links

• Press Release
• Explanatory Note (PDF)
• Interagency Paper (PDF)

Keywords: Americas, US, Banking, Operational Resilience, Operational Risk, Cyber Risk, Governance, Third-Party Risk, Sound Practices, Large Banks, Scenario Analysis, US Agencies