Cross Industry Guidance on Operational Resilience

Editor's note:

The day after this Guidance on Operational Resilience was issued, the Central Bank of Ireland fined Bank of Ireland €24.5mn for significant IT control failures.  In the statement released by the CBI it said the following on operational resilience:

1) "Firms and their boards are responsible for having an effective IT service continuity framework and associated internal controls. These are core parts of a firm’s operational resilience and will continue to be an area of focus as part of the Central Bank’s and the European Central Bank’s supervisory strategy."

2) "This case is an example of robust enforcement action where failures expose consumers and the financial system to serious potential risk. The Central Bank expects boards and senior management of firms to implement and operate robust risk and control frameworks which recognise and address risk issues in a timely way as part of an effective risk culture. This is a core element of operational resilience designed to protect consumers and ensure financial stability.”

The Central Bank published the Cross Industry Guidance on Operational Resilience in December 2021 following consultation where responses were received from a wide number of industry bodies and regulated entities. The objective of this Guidance is to communicate to industry how to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.

The Guidance aims to enhance operational resilience and recognise the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which firms operate.

More specifically, the purpose of the Guidance is to:
​

• Communicate to the boards and senior management of Regulated Financial Service Providers (RFSPs), the Central Bank’s expectations with respect to the design and management of operational resilience;
• Emphasise board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions; and
• Require that the boards and senior management take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust. This should ensure that the risks to the firm’s operational continuity do not transmit into the financial markets and that the interests of the customers and market participants are safeguarded during business disruptions.

​Three Pillar of Operational Resilience

The Cross Industry Guidance on Operational Resilience is built around three pillars of Operational Resilience:

1. Identify and Prepare
2. Respond and Adapt
3. Recover and Learn
   

​
​These three pillars support a holistic approach to the management of operational resilience and related risks and create a feedback loop that fosters the perpetual embedding of lessons learned into a firm’s preparation for operational disruptions.

LinkedIN post at https://www.linkedin.com/posts/peteroakes_operationalresilience-activity-6872218356611723266-rib5