Runbook Management Blog

Operational Resilience in the Financial Sector

Written by Andy Smith | Aug 17, 2023 4:54:16 AM

Operational resilience is the ability of financial institutions to continue to operate effectively and provide essential services in the event of a disruption. This includes disruptions caused by natural disasters, cyber attacks, IT outages, or human error.

There are many different definitions of operational resilience, but they all share the same basic idea: the ability to withstand and recover from disruptions. The following are some examples of definitions from UK subject matter experts:

  • The Financial Conduct Authority (FCA) defines operational resilience as "the ability of a firm to continue to operate effectively and provide essential services in the event of a disruption."
  • The Bank of England defines operational resilience as "the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them."
  • PwC defines operational resilience as "the ability of an organization to continue to deliver its critical products and services to its customers in the event of a disruption."

Technology resilience is a key component of operational resilience. It refers to the ability of technology systems to withstand and recover from disruptions. This includes disruptions caused by hardware failures, software bugs, or network outages.

There are many different aspects of technology resilience that financial institutions need to consider, including:

  • Data security: Financial institutions need to protect their data from unauthorized access, modification, or destruction.
  • IT infrastructure: Financial institutions need to have robust IT infrastructure that can withstand disruptions.
  • Business continuity planning: Financial institutions need to have a plan in place to continue to operate in the event of a disruption.
  • Disaster recovery: Financial institutions need to have a plan in place to recover their data and systems in the event of a disaster.

The regulatory landscape for operational resilience is constantly evolving. In the US, the Securities and Exchange Commission (SEC) and the Federal Deposit Insurance Corporation (FDIC) have both issued guidance on operational resilience. In the UK, the FCA has published a number of policies and guidance on operational resilience, including PS21/3: Building Operational Resilience.

In the EU, the European Banking Authority (EBA) has published a number of guidelines on operational resilience, including EBA/GL/2021/05: Guidelines on Operational Resilience. And in Asia, the Monetary Authority of Singapore (MAS) has published a number of guidelines on operational resilience, including MAS Notice 654: Guidelines on Technology Risk Management for Financial Institutions.

The following table summarizes the key regulators, regulations, and implementation timescales for operational resilience in the US, UK, EU, and Asia:

| Region | Regulator | Regulation | Timescale for implementation |
|--------|-----------|------------|------------------------------|
| US | SEC | SR-FINREG-2022-001: Operational Resilience Rule | 1 January 2023 |
| UK | FCA | PS21/3: Building Operational Resilience | 31 March 2023 |
| EU | EBA | EBA/GL/2021/05: Guidelines on Operational Resilience | 31 December 2022 |
| Asia | MAS | MAS Notice 654: Guidelines on Technology Risk Management for Financial Institutions | 31 December 2022 |

Operational resilience is an important topic for financial institutions of all sizes. By understanding the risks to their operational resilience and implementing appropriate controls, financial institutions can help to protect their customers, their reputation, and their financial stability.

