The expanding scope of operational resilience regulatory requirements

In part four of our ABCs of Operational Resilience series, we look at how operational resilience regulatory requirements are undergoing expansion on a global scale, how this will impact your organization, and what you can expect over the next decade.

By Ansarada, Wed Jan 10 2024. Topics: Industry news and trends, CEO-CFO, Audits and compliance, Security and risk management, Governance Risk and Compliance, Environmental Social and Governance

Operational resilience can be defined as a company’s ability to prevent, withstand, and respond to disruptions. Learn more: What is operational resilience in 5 key insights
 
Financial services firms are particularly vulnerable to disruption because the potential operational risks they could face are significant, and could be enormously detrimental to our global economy and society. It’s why the financial services industry operates in a highly regulated environment, and why recent operational resilience compliance mandates centre on these firms.
  
In today’s landscape of fast-paced transformation, building operational resilience is crucial for all companies, regardless of size, industry, or revenue. Financial services may be the first to undergo operational resilience regulation, but they will by no means be the last.
 
A proactive approach to compliance is essential for navigating the web of mandates that vary across regions, which we explore below.
 

Understanding operational resilience mandates around the globe

 
Operational resilience mandates are taking root in various parts of the world, and financial institutions need a comprehensive understanding of the regulatory landscape. Key jurisdictions include:
 
  • Globally, the Basel Principles for Operational Resilience build on existing operational risk principles ‘to strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets.’


What all these regulatory requirements have in common

 
Despite regional variations, these operational resilience regulations share common themes, including:
 
  • Standardization and compliance: Each jurisdiction emphasizes the need for financial entities to adhere to standardized frameworks and guidelines, promoting consistency and compliance across the industry.
  • Risk mitigation: The regulations aim to strengthen operational resilience by addressing and mitigating various operational risks, including those related to technology, cybersecurity, and business continuity.
  • Adaptability: Regulations acknowledge the evolving nature of operational risks and the financial landscape, emphasizing the importance of adaptable frameworks to effectively respond to emerging challenges.
  • Holistic approach: Whether through directives, frameworks, or guidelines, the regulations collectively advocate for a comprehensive and integrated approach to operational resilience, recognizing its multifaceted nature across all aspects of risk management and governance.


How did we get here? The journey to an outcomes-based approach

 
Heidi Richards, Regulatory Strategy and Compliance Advisor for CPS 230, discusses APRA’s recent operational resilience mandates as a natural evolution and restatement of existing requirements:
 
“Operational resilience may be the latest buzzword that regulated financial institutions need to learn, but it’s not a new concept. The emphasis on resilience to operational disruptions is just the flip side of the management of operational risks. But the shift in language reflects an important evolution in regulatory philosophy - toward targeting good outcomes for companies and their customers, with accountability on the company to achieve those outcomes.
 
This shift in thinking results from decades of regulatory experience with enforcing more and more standards, checklists and processes, which have not resulted in any obvious reduction in operational failures among regulated financial institutions.
 
APRA’s new standard CPS 230 is, in fact, largely a restatement and to some extent a streamlining of existing prudential requirements. What’s new is the expectation of a more comprehensive and outcomes-focused approach to operational risk management across business units and across the traditional risk and compliance silos of business continuity planning, outsourcing and information security.
 
The outcomes focus is evident in the requirement that financial institutions set their own risk tolerances for resilience outcomes, and demonstrate that they are managing to those tolerances. To do this, the operational resilience mindset starts with the critical business processes and product/service operations, rather than risk management teams, processes and controls.”

 

Future expectations over the next decade

 
Operational resilience regulations, while currently focused on the financial services sector, are poised to expand in scope globally. Businesses are urged to act proactively now to fortify their organizations against future disruptions. Anticipated developments over the next decade include:
 
  • Broadening geographical reach: Other countries are likely to adopt similar frameworks, extending the regulatory landscape.
  • Deepening risk management programs: Current risk management programs must evolve to meet the heightened demands of operational resilience regulations.
  • Cybersecurity and data breaches: Increasingly common disruptions, such as cybersecurity issues and data breaches, will continue to expand the need for enhanced resilience and drive increased regulatory requirements.


Operational resilience goes well beyond regulatory requirements

 
Operational resilience is much more than a regulatory requirement; it is a strategic imperative for businesses. Organizations should recognize the broader significance and act promptly to proactively build resilience. This encompasses preparing for unforeseen challenges to ensure sustained operational integrity.
 
As operational resilience regulations continue to evolve globally, financial services firms must not view compliance as a mere checkbox exercise. Instead, they should perceive it as an opportunity to enhance overall organizational resilience and navigate the uncertainties of the future. The time to act is now.


Build a resilient organization

Ansarada GRC delivers a world-first Operational Resilience solution with modules designed to help you ensure you are operating within acceptable impact tolerances. Discover the simplest way to meet regulatory compliance standards for operational resilience with confidence.
