Are you ready for 1st December?
This is the deadline set by the Central Bank of Ireland (CBI) for firms to identify vulnerabilities and take action to strengthen and improve their operational resilience.
In this blog, we look at the rising importance of operational resilience to all financial services firms in Ireland and the EU, and explain the steps companies should take to satisfy the regulator’s expectations.
Operational resilience: a growing part of the regulatory agenda
Operational resilience has become a core priority for Ireland’s financial regulator. As a result, it should be a major consideration for all regulated companies. The CBI has been looking at this area since the mid-2010s and, most recently, released cross-industry guidance in December 2021. The regulator’s overarching aim is to make firms, and the financial services industry as a whole, more resilient to disruptions to their operations.
This heightened focus responds to a number of recent trends:
- Business models have changed in the past few years, with far greater reliance on online banking and ATMs and a reduction in cash and physical bank branches. This trend, which was accelerated by COVID-19, leaves firms and consumers vulnerable if those digital services are interrupted.
- The frequency of cyber attacks has risen sharply and criminals’ tactics are becoming increasingly sophisticated. Financial services firms often outsource key functions to suppliers, and the IT vulnerabilities of these third parties also need to be recognised and managed.
- Events once regarded as ‘black swans’, such as regional conflicts, de-globalisation and the 2020-22 global pandemic, seem to have become more common. For example, climate change already appears to be affecting the delivery of IT services: during the summer heatwaves of 2022, data centres in London were unable to cool their equipment and shut down. Firms need to be able to respond to such events now and in the coming years.
What do the regulators expect from firms?
Firms will already be familiar with some of the requirements in the CBI’s guidance, but the regulator has also introduced new obligations which may require a significant change to the way firms operate. In particular, companies are required to:
- Identify their important business services and map them in detail in terms of the people, processes, technology and suppliers involved. This will allow them to identify risks to their operations that are particular to their firm and its business model.
- Understand and assess these risks and how they could cause harm to the firm, its customers and the financial markets. “Impact tolerances” is the CBI’s phrase for the quantified limits on that harm: for each important business service, firms should set metrics for the maximum level of disruption they can tolerate, and then manage their operations so as to stay within those tolerances.
- Identify a number of scenarios that would have a severe impact and could plausibly happen, then test technical and operational responses to them, to confirm that services could be recovered quickly while avoiding or minimising harm to the business, customers and the wider financial markets. Testing should be proportionate to the firm’s understanding of its vulnerabilities and risks.
- Document all of these stages and put in place the appropriate governance to oversee them effectively and maintain them through annual review.
Operational resilience requirements have also been enacted by Europe’s lawmakers and regulators, which is likely to bring changes to the CBI’s operational resilience regime and further impacts on Irish firms. For example, the European Union’s Digital Operational Resilience Act (DORA) will impose requirements on companies to ensure that their information systems and technology (and those of their third parties) are prepared for disruptions. The European supervisory authorities, with input from national regulators such as the CBI, are currently consulting on the regulatory technical standards that will guide the implementation of DORA; these are expected to be finalised and published by Q1 2024. In addition, the European Banking Authority’s existing guidelines on ICT and security risk management set out a risk framework and requirements for incident management, disaster recovery and business continuity that firms must meet to assure their operational resilience.
CBI expectations for December 2023
Where should firms be on their operational resilience journey by the December deadline? The Central Bank’s cross-industry guidance said that firms should be “actively and promptly” addressing operational resilience vulnerabilities, and by the deadline they should “be in a position to evidence actions/plans to apply the guidance”.
This means that, by December, the CBI expects firms to have identified the vulnerabilities in the delivery of their important business services and to have taken action to remediate them. A prerequisite is that the firm has already consulted its stakeholders, fully briefed and engaged its board, made resources available and authorised the necessary actions.
Mapping and prioritising important business services should also be well underway or under review, with attention given to the impact tolerances set for each of those services. Firms should be planning testing or re-testing, even if the testing done so far does not yet fully meet the regulator’s expectations for scenario testing. Essentially, companies should be able to demonstrate to the regulator that they have reviewed their arrangements for operational resilience and started a cycle of continuous improvement.
Operational resilience is here to stay
The key takeaway for firms is that December must not be the end point of their engagement with operational resilience. It should become a core part of the way they do business and be given proper resource and attention by senior management.
Firms need to put in place a strategy for improving operational resilience, then build out from this a roadmap of specific activities that will take place over the next three to five years. This roadmap should be a plan for change as the firm introduces new ways of managing operational resilience risk. A key focus should be introducing increasingly sophisticated technical and procedural testing and annual reviews of the effectiveness of the firm’s operational resilience framework. In these reviews, firms should look back at any incidents that happened and analyse what they say about the firm’s vulnerabilities and how it responded. The framework should also be updated to cover any recent developments such as new services or systems being introduced.
Overall, improving your operational resilience is not simply about complying with the regulations; its objective is to make you a stronger business that is better prepared to deal with the threats and vulnerabilities that come your way.
To discuss how fscom can help with your operational resilience, contact us.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.