Featured Product

    US Agencies Outline Practices to Strengthen Operational Resilience

    October 30, 2020

    US Agencies (FDIC, FED, and OCC) published an interagency paper that outlines sound practices designed to help large banks enhance operational resilience. These practices bring together the existing regulations, guidance, statements, and common industry standards to provide a comprehensive approach that firms may use to strengthen and maintain their operational resilience. The paper details practices in areas such as governance, operational risk management, business, continuity management, third-party risk management, scenario analysis, secure and resilient information system management, and surveillance and reporting. The paper does not revise the agencies' existing rules or guidance. These practices are intended for domestic banks with more than USD 250 billion in consolidated assets or banks with more than USD 100 billion in total assets and other risk characteristics.

    The following are the key highlights of practices presented in the paper:

    • Governance—As a best practice, the board of directors of a firm should approve and periodically review its risk appetite for weathering disruption from operational risks at the enterprise level and for the firm’s critical operations and core business lines. Senior management must be held accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.
    • Operational risk management—By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm should be able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function.
    • Business continuity management—The business continuity management should incorporate business impact analysis; testing, training, and awareness programs; and communication and crisis management policies. A firm should periodically review its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. The firm should leverage information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.
    • Third-party risk management—Firm should identify and analyze third-party risk of critical operations and core business lines. Firm should periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It should verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption. It should also identify other third parties that may be available to assist in the event its current third parties are unable to continue delivering services.
    • Scenario analysis—As a sound practice, scenario analysis helps a firm to develop, validate, and calibrate a firm’s tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In designing scenarios, a firm should leverage both the mapped interconnections and interdependencies of its critical operations and the core business lines, including the third-party risks set forth in its recovery or resolution plans, as well as relevant business impact analyses.
    • Secure and resilient information system management—Secure and resilient information systems underpin the operational resilience of a firm’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm to identify and detect risks to operational resilience. A firm should routinely apple and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of its data and information systems. A firm should review information systems and controls on a regular basis, against common industry standards and best practices. 
    • Surveillance and reporting—A firm should identify and monitor ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. Anomalous activity should be detected in a timely manner to avoid or mitigate a disruption in the firm’s critical operations and core business lines. A firm must conduct continuous surveillance and report to senior management and the board of directors, providing sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

    Given the significance and technical nature of cybersecurity risk, which is one of the most important types of operational risk, the US Agencies have presented, in Appendix A, a separate collection of sound practices for the management of cyber risk. The sound practices for cyber risk management are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST) and augmented to emphasize governance and third-party risk management.  In the coming months, the US Agencies intend to convene discussions with the public on further steps to improve operational resilience. Given that many of the firms have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience. The agencies may update these sound practices to reflect input from such discussions.

     

    Related Links

    Keywords: Americas, US, Banking, Operational Resilience, Operational Risk, Cyber Risk, Governance, Third-Party Risk, Sound Practices, Large Banks, Scenario Analysis, US Agencies

    Related Articles
    News

    OSFI Finalizes on Climate Risk Guideline, Issues Other Updates

    The Office of the Superintendent of Financial Institutions (OSFI) is seeking comments, until May 31, 2023, on the draft guideline on culture and behavior risk, with final guideline expected by the end of 2023.

    March 12, 2023 WebPage Regulatory News
    News

    BIS Paper Examines Impact of Greenhouse Gas Emissions on Lending

    BIS issued a paper that investigates the effect of the greenhouse gas, or GHG, emissions of firms on bank loans using bank–firm matched data of Japanese listed firms from 2006 to 2018.

    March 03, 2023 WebPage Regulatory News
    News

    HMT Mulls Alignment of Ring-Fencing and Resolution Regimes for Banks

    The HM Treasury (HMT) is seeking evidence, until May 07, 2023, on practicalities of aligning the ring-fencing and the banking resolution regimes for banks.

    March 02, 2023 WebPage Regulatory News
    News

    BCBS Report Examines Impact of Basel III Framework for Banks

    The Basel Committee on Banking Supervision (BCBS) published results of the Basel III monitoring exercise based on the June 30, 2022 data.

    February 28, 2023 WebPage Regulatory News
    News

    PRA Consults on Prudential Rules for "Simpler-Regime" Firms

    Among the recent regulatory updates from UK authorities, a key development is the first-phase consultation, from the Prudential Regulation Authority (PRA), on simplifications to the prudential framework that would apply to the simpler-regime firms.

    February 28, 2023 WebPage Regulatory News
    News

    DNB Publishes Multiple Reporting Updates for Banks

    DNB, the central bank of Netherlands, updated the list of additional reporting requests and published additional data quality checks and XBRL-Formula linkbase documents for the first quarter of 2023.

    February 28, 2023 WebPage Regulatory News
    News

    NBB Sets Out Climate Risk Expectations, Issues Reporting Updates

    The National Bank of Belgium (NBB) published a communication on climate-related and environmental risks, issued an update on XBRL reporting

    February 24, 2023 WebPage Regulatory News
    News

    EBA Updates Address Securitization Standards and DGS Guidelines

    The European Banking Authority (EBA) published the final draft of the regulatory technical standards that set out conditions for assessment of homogeneity of the underlying exposures in simple, transparent, and standardized (STS) securitizations.

    February 21, 2023 WebPage Regulatory News
    News

    FSB Publishes Letter to G20, Sets Out Work Priorities for 2023

    The Financial Stability Board (FSB) published a letter intended for the G20 Finance Ministers and Central Bank Governors, highlighting the work that FSB will take forward under the Indian G20 Presidency in 2023

    February 20, 2023 WebPage Regulatory News
    News

    ISSB Standards May Become Effective from January 2024

    The International Organization of Securities Commissions (IOSCO) welcomed the confirmation statement by the International Sustainability Standards Board (ISSB) setting out its progress in the development of its first sustainability-related corporate disclosure standards.

    February 17, 2023 WebPage Regulatory News
    RESULTS 1 - 10 OF 8792