The expanding scope of operational resilience regulatory requirements

In part four of our ABCs of Operational Resilience series, we look at how operational resilience regulatory requirements are undergoing expansion on a global scale, how this will impact your organization, and what you can expect over the next decade.

By AnsaradaWed Jan 10 2024Industry news and trends, CEO-CFO, Audits and compliance, Security and risk management, Governance Risk and Compliance, Environmental Social and Governance

Operational resilience can be defined as a company’s ability to prevent, withstand, and respond to disruptions. Learn more: What is operational resilience in 5 key insights
Financial services firms are particularly vulnerable to disruption because the potential operational risks they could face are significant, and could be enormously detrimental to our global economy and society. It’s why the financial services industry operates in a highly regulated environment, and why recent operational resilience compliance mandates centre on these firms.
In today’s landscape of fast-paced transformation, building operational resilience is crucial for all companies, regardless of size, industry, or revenue. Financial services may be the first to undergo operational resilience regulation, but they will by no means be the last.
A proactive approach to compliance is essential for navigating the web of mandates that vary across regions, which we explore below.

Understanding operational resilience mandates around the globe

Operational resilience mandates are taking root in various parts of the world, and financial institutions need a comprehensive understanding of the regulatory landscape. Key jurisdictions include:
  • Globally, the Basel Principles for Operational Resilience build on existing operational risk principles ‘to strengthen banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets.’

What all these regulatory requirements have in common

Despite regional variations, these operational resilience regulations share common themes, including:
  • Standardization and compliance: Each jurisdiction emphasizes the need for financial entities to adhere to standardized frameworks and guidelines, promoting consistency and compliance across the industry.
  • Risk mitigation: The regulations aim to strengthen operational resilience by addressing and mitigating various operational risks, including those related to technology, cybersecurity, and business continuity.
  • Adaptability: Regulations acknowledge the evolving nature of operational risks and the financial landscape, emphasizing the importance of adaptable frameworks to effectively respond to emerging challenges.
  • Holistic approach: Whether through directives, frameworks, or guidelines, the regulations collectively advocate for a comprehensive and integrated approach to operational resilience, recognizing its multifaceted nature across all aspects of risk management and governance.

How did we get here? The journey to an outcomes-based approach

Heidi Richards, Regulatory Strategy and Compliance Advisor for CPS230 discusses APRA’s recent Operational Resilience mandates as a natural evolution and restating of existing requirements:
“Operational resilience may be the latest buzzword that regulated financial institutions need to learn, but it’s not a new concept. The emphasis on resilience to operational disruptions is just the flip side of the management of operational risks. But the shift in language reflects an important evolution in regulatory philosophy - toward targeting good outcomes for companies and their customers, with accountability on the company to achieve those outcomes.
This shift in thinking results from decades of regulatory experience with enforcing more and more standards, checklists and processes, which have not resulted in any obvious reduction in operational failures among regulated financial institutions.
APRA’s new standard CPS 230 is, in fact, largely a restatement and to some extent a streamlining of existing prudential requirements. What’s new is the expectation of a more comprehensive and outcomes-focused approach to operational risk management across business units and across the traditional risk and compliance silos of business continuity planning, outsourcing and information security.
The outcomes focus is evident in the requirement that financial institutions set their own risk tolerances for resilience outcomes, and demonstrate that they are managing to those tolerances. To do this, the operational resilience mindset starts with the critical business processes and product/service operations, rather than risk management teams, processes and controls.”


Future expectations over the next decade

Operational resilience regulations, while currently focused on the financial services sector, are poised to expand in scope globally. Businesses are urged to act proactively now to fortify their organizations against future disruptions. Anticipated developments over the next decade include:
  • Broadening geographical reach: Other countries are likely to adopt similar frameworks, extending the regulatory landscape.
  • Deepening risk management programs: Current risk management programs must evolve to meet the heightened demands of operational resilience regulations.
  • Cybersecurity and data breaches: Increasingly common disruptions, such as cybersecurity issues and data breaches, will continue to expand the need for enhanced resilience and drive increased regulatory requirements.

Operational resilience goes well beyond regulatory requirements

Operational resilience is much more than a regulatory requirement; it is a strategic imperative for businesses. Organizations should recognize the broader significance and act promptly to proactively build resilience. This encompasses preparing for unforeseen challenges to ensure sustained operational integrity.
As operational resilience regulations continue to evolve globally, financial services firms must not view compliance as a mere checkbox exercise. Instead, they should perceive it as an opportunity to enhance overall organizational resilience and navigate the uncertainties of the future. The time to act is now.

Build a resilient organization

Ansarada GRC delivers a world-first Operational Resilience solution with modules designed to help you ensure you are operating within acceptable impact tolerances. Discover the simplest way to meet regulatory compliance standards for operational resilience with confidence.
Book a demo


You may also be interested in