Central Bank of Ireland sharpens focus on operational resilience
In December 2021, the Central Bank of Ireland (the “CBI”) published its finalised cross industry guidance on operational resilience (the “Guidance”) for regulated financial service providers (“RFSPs”). The Guidance is designed to help advance the CBI’s strategic commitment of strengthening its ability to maintain the resilience of the financial system. The CBI also expects that the boards and senior management of RFSPs will review the Guidance and adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience.
What is operational resilience and why is it currently in focus?
Operational resilience is the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from operational disruption. In effect, an operationally resilient firm should be able to recover its critical or important business services from a significant unplanned disruption (e.g. cyber-attacks, insider threats, natural disasters and systems failures) while minimising impact and protecting its customers and the integrity of the financial system.
Effective operational resilience firstly requires a firm to accept that operational disruption will occur and that it needs to be prepared to respond accordingly and have measures in place to limit disruptive impacts. With this shift in mind-set, a firm can then look to supplement its existing processes and measures designed to prevent risks from occurring (typically called an operational risk management framework) with operational resilience capabilities that deal with risks and minimise their impact when they do actually occur.
The Guidance identifies a number of factors that are contributing to the increasing importance of operational resilience. One factor is that firms are becoming increasingly dependent on technology and the pace of technological change is continuing to accelerate (this is particularly true in light of the COVID-19 pandemic and its impact on the ways of working). Another factor is the increasingly complex outsourcing structures utilised by many firms to operate their business. The CBI notes that these and other factors have led to a rise in operational incidents affecting firms and contributed to the heightened importance of firms implementing and maintaining a robust operational resilience framework.
The sharp focus and importance that the CBI is placing on operational resilience is also evident from the fine of €24.5 million that the CBI imposed on Bank of Ireland in November 2021 for regulatory failings relating to Bank of Ireland’s service continuity framework and related internal controls. This fine was the second highest fine ever imposed by the CBI and it is noteworthy that a fine of this scale related to failings around service continuity and operational resilience.
Core principles and pillars of the Guidance
The core principles underpinning the Guidance are:
- Board and senior management must take ownership of the firm’s operational resilience framework;
- The firm must identify its critical or important business services along with the activities, people, processes, information, technologies and third parties (e.g. outsourced service providers) involved in the delivery of these services;
- The firm must set impact tolerances for each of its critical or important business services so as to quantify the maximum level of disruption that can be accepted to such services, and the firm must test its ability to stay within those tolerances during a severe but plausible operational disruption scenario; and
- The firm must continually review how it responded to disruptive events so that lessons can be learned and incorporated so as to continually enhance the operational resilience of the firm.
To support the application of these core principles, the Guidance identifies three pillars of operational resilience and outlines key guidelines under each of these pillars. These pillars are:
- Identify & Prepare – there are ten guidelines under this pillar which focus on: enshrining board responsibility for, and approval of, operational resilience within the firm; identifying the firm’s business critical services; developing impact tolerances for these services (including clear metrics to help the firm monitor that it stays within these tolerances); testing the firm’s ability to remain within these impact tolerances; identifying third party dependencies for critical or important business services (e.g. outsourced service providers); and maintaining a technology and cyber strategy that supports operational resilience.
- Respond & Adapt – there are three guidelines under this pillar which focus on integrating other aspects of the firm’s risk management strategy and processes into the operational resilience framework, namely the firm’s business continuity management processes, incident management strategy and internal/external crisis communication plan.
- Recover & Learn – there are two guidelines under this pillar which focus on conducting a lessons learned exercise after a disruptive event to enhance the firm’s ability to respond to future events and promoting a culture of learning and continuous improvement as ‘good’ operational resilience evolves.
The CBI expects firms to be able to demonstrate that they have applied the Guidance within an “appropriate timeframe”. What constitutes an “appropriate timeframe” will depend on a range of factors including the nature, scale and complexity of the firm’s business and the firm’s overall impact on customers and the wider economy. Nonetheless, the CBI expects firms to be “actively and promptly” addressing operational resilience vulnerabilities within their organisation and to be in a position to evidence actions/plans to apply the Guidance at the latest within two years of the Guidance’s publication.
Our team at Arthur Cox has extensive experience and expertise in advising regulated firms on operational resilience, digital transformation, cyber security and the associated regulatory requirements. For more information, please contact the authors of this briefing.