Whitepaper

What U.S. Financial Services Organizations Need to Know about the Sound Practices to Strengthen Operational Resilience

Noggin

Resilience Management Software

Updated 11 April, 2024

Introduction

The financial services sector is routinely among the top-ten most regulated industries in the U.S. And its compliance burden has only gotten steeper.

What’s more, many of the most significant changes have been recent.

Sure, the Sarbanes-Oxley (SOX) and Dodd-Frank Acts have been on the books for over a decade now – SOX for even longer. However, federal regulators in the last few years have increasingly turned their attention to strategic agility and operational resilience.

Financial regulators pivoting to operational resilience

They’ve crafted new guidance that, in the words of EY, seeks to ensure that financial services organizations can:

  1. Operate in a business-as-usual environment that’s far more complex
  2. Implement positive changes without introducing new risks

What’s the new guidance, specifically? In the U.S., it’s the Sound Practices to Strengthen Operational Resilience.

Not sure about everything it says? You’ve come to the right place. This article provides everything you need to know about the Sound Practices to Strengthen Operational Resilience.

Who are the regulating agencies?

Who made the rules? This is an interesting question.

Where most regulations come from a single agency, this interagency paper was issued by multiple regulators. Together, the following regulators represent the “agencies” who developed the sound practices:

The Board of Governors of the Federal Reserve System

Better known as the Federal Reserve Board, the Board is the main governing body of the Federal Reserve System, tasked with guiding the operations of the Federal Reserve System to promote the goals and fulfill the responsibilities given to the Federal Reserve by the Federal Reserve Act.

The Office of the Comptroller of the Currency (OCC)

An independent bureau of the U.S. Department of the Treasury led by the Comptroller of the Currency, the OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks.

The Federal Deposit Insurance Corporation (FDIC)

An independent agency created by the U.S. Congress to maintain the stability of and public confidence in the nation's financial system. The FDIC insures deposits in U.S. banks and thrifts in the event of a bank failure or run. 

To whom are the agencies speaking? Although operational resilience is important to all firms in the industry, as we’ll discuss in the next section, the sound practices themselves are principally targeted at the largest and most complex domestic firms.

Classed among this group are individual national banks, state member banks, state nonmember banks, savings associations, U.S. bank holding companies, and savings and loan holding companies that have average total consolidated assets greater than or equal to:

  1. $250 billion, or
  2. $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.

Why operational resilience regulation now?

Why now, though? The agencies in question have an interest in if not a mandate to keep retail and wholesale markets open and functioning to maintain financial stability in the country.

However, any number of shocks can affect regulated entities. Those disruptions can then turn around and threaten the financial sector as a whole.

In recent times, the list of serious threats has included:

  • Technology-based failures
  • Cyber incidents
  • Pandemic outbreaks
  • Natural disasters

Added to these, advances in technology have been double-edged for the industry. On the one hand, firms have benefited from an increased ability to identify and recover from various types of disruptions. On the other, increasingly sophisticated technology-based threats, such as cyber incidents, together with growing reliance on third parties, pose a higher order of operational risk.

To that end, the agencies have sought to draw a line in the sand, taking a more active approach to promoting flexible operational resilience that can enhance the ability of firms to prepare, adapt, withstand, and recover from disruptions and continue operations.

What are the Sound Practices?

What, then, do the Sound Practices say?

For starters, they aren’t regulations in the classic sense. Rather, the paper, on the books since the beginning of the decade, brings together already-existing regulations and guidance to better assist in the development of comprehensive approaches to operational resilience in the following seven domains:

  1. Governance
  2. Operational risk management
  3. Business continuity management
  4. Third-party risk management
  5. Scenario analysis
  6. Secure and resilient information system management
  7. Surveillance and reporting

What should firms do before consulting the paper?

To make best use of the paper, firms should identify and address the resilience of their critical operations and core business lines. Each term is defined as follows:

  • Critical operations. Those operations of the firm, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
  • Core business lines. Those business lines of the firm, including associated operations, services, functions, and support, that, in the view of the firm, upon failure would result in a material loss of revenue, profit, or franchise value.
  • Operational resilience. The ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.

1. Governance

The first matter the paper tackles is governance. The goal of corporate governance is to manage the business to maximize long-term value while safeguarding the interests of all stakeholders.

Effective governance in the area of operational resilience, though, is meant to keep the firm operating in a safe and sound manner, ultimately in compliance with applicable laws and regulations.

Who’s responsible within the corporate structure? That would be the Board of Directors and senior management. Practices outlined for each include:

Board

  • Approves and periodically reviews risk appetite for weathering disruption from operational risks, at the enterprise level and for the firm’s critical operations and core business lines.
  • Works with senior management to confirm that operational resilience practices are led and staffed by individuals with relevant expertise, approve appropriate budgets and resources, and promote a culture of effective risk management.
  • Oversees the firm’s management of operational risk in its business line operations, its independent operational risk management function, and its independent internal (or external) audit function.

Senior management

  • Accountable for ensuring that the firm’s management of operational risk in its business line operations, its independent operational risk management function, and its independent internal (or external) audit function adheres to the established tolerance for disruption.
  • Accountable for maintaining a detailed, accurate, and regularly updated overview of the firm’s organizational and legal structure that identifies the critical operations and core business lines of the firm and its material entities.
  • Accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.

2. Operational risk management

Operational risks are the risks of doing business. Only by identifying, managing, and mitigating the risk exposures related to internal processes, people, systems, external threats, and third parties will a firm be able to strengthen its operational resilience.

To promote effective operational risk management, therefore, firms must do the following:

  • Senior management must oversee the implementation of operational risk management processes, systems, and controls to identify and contain the scope of a disruption, mitigate its effects, and resolve the disruption consistent with the firm’s tolerance for disruption.
  • The firm’s business line operations management must identify and mitigate operational risk exposures in alignment with the firm’s tolerance for disruption.
  • The firm’s independent internal (or external) audit function must provide a review and challenge of the firm’s operational risk management function and assess whether it is appropriately operating within the firm’s tolerance for disruption.

For its part, the firm’s operational risk management function must do the following:

  • Regularly review, test, and update internal controls relevant to the firm’s critical operations and core business lines including those performed by third parties.
  • Implement and maintain risk identification and assessment approaches that adequately capture business processes and their associated operational risks, including technology and third-party risks.
  • Work closely with its business continuity management and recovery or resolution planning functions with respect to operational resilience efforts.

3. Business continuity management

Business continuity management is often confused with operational resilience. In the financial services industry, though, business continuity plans should consider market- and enterprise-wide stresses and idiosyncratic risks that can imperil the continuity of a firm’s critical operations and core business lines.

To that end, practices to promote sound business continuity management include:

  • Incorporate business impact analysis testing, training, and awareness programs, as well as communication and crisis management policies.
  • Periodically review the business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, the firm’s tolerance for disruption, and recovery priorities.
  • Test business continuity plans, review the execution of tests, and improve plans by incorporating lessons learned.
  • Confirm that functional testing procedures for assessing the ability of a firm’s IT systems to deliver minimum service capacity to critical operations and core business lines are consistent with the firm’s business continuity objectives.
  • Identify and manage the availability of personnel who are essential to the execution of the firm’s critical operations and core business lines.
  • Include remote-access contingencies that allow personnel to continue delivering the firm’s critical operations and core business lines through a disruption.
  • Train essential personnel who have responsibility for executing critical operations and core business lines to perform back-up roles should a disruption occur.
  • Integrate recovery and resolution planning into governance and operating processes and ensure they are a part of business-as-usual activities, including firm-wide risk management processes.
  • Leverage information contained in recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.

4. Third-party risk management

Firms have become increasingly dependent on third parties for business-critical functions. Third parties, however, are themselves vulnerable to disruption, which can then imperil the financial services organizations that depend on them, particularly where the third party is a cloud-service provider.

To that end, practices outlined to promote sound management of third-party risk include:

  • Identify and analyze third-party risk of critical operations and core business lines. Prioritize third-party dependencies that are most significant and understand, manage, and mitigate risks.
  • Establish relationships with third parties through formal agreements. Manage and monitor the performance of third parties against service requirements and tolerance for disruption.
  • Periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties.
  • Verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption.
  • Address key third-party concerns to the extent that these concerns affect the firm’s operational resilience.
  • Identify risks of third parties that provide the firm with public and critical infrastructure services, such as energy and telecommunications.
  • Identify other third parties that may be available to assist in the event current third parties are unable to continue delivering services.

5. Scenario analysis

Scenario analysis is generally understood as an assessment technique used to identify and measure the potential occurrence of operational risk events. Such an analysis helps a firm to develop, validate, and calibrate its tolerance for disruption.

For use in assessing operational resilience, firms might consider integrating the scenario analysis with disaster recovery and business continuity management. Other sound practices include:

  • Operational risks identified by the firm’s operational risk management function, independent internal (or external) audit function, business continuity management, and recovery or resolution planning activities should be incorporated, as applicable, into severe but plausible scenarios affecting the firm’s critical operations and core business lines.
  • Maintain a robust governance framework and independent review function to oversee the integrity and consistency of the scenario development process.
  • Leverage both the mapped interconnections and interdependencies of critical operations and core business lines including third-party risks, set forth in recovery or resolution plans, as well as relevant business impact analyses.
  • Use scenario analysis to back-test against past instances of severe disruption arising from various sources.
  • Identify potential risk transmission channels, concentrations, and vulnerabilities by analyzing the interconnections and interdependencies within and across its critical operations and core business lines considering third-party risks.

6. Secure and resilient information system management

Financial services is one of the most digitized sectors in the economy. Underpinning that level of digitization are information systems. As a result, those systems must remain secure and resilient if firms are to be operationally resilient.

The following practices promote secure and resilient information systems:

  • Subject information systems to robust risk identification, protection, detection, response, and recovery programs that are regularly tested.
  • Routinely apply and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of the firm’s data and information systems.
  • Establish controls to safeguard the integrity and availability of critical data against the impact of destructive malware, including ransomware, or other similar threats.
  • Review information systems and controls on a regular basis against common industry standards and best practices.
  • Use a standardized tool that is aligned with common industry standards and best practices to assess cybersecurity preparedness.

7. Surveillance and reporting

In compliance and operational resilience, much hinges on data hygiene and availability. Operational resilience, specifically, entails ongoing surveillance and reporting of risks and dissemination of that information to relevant stakeholders across the firm.

To that end, sound practices to promote surveillance and reporting include:

  • Identify and monitor ongoing exposure to operational risk relative to risk appetite and tolerance for disruption. Establish and maintain appropriate communication and coordination procedures to inform all relevant areas of ongoing exposures.
  • Detect in a timely manner anomalous activity that could lead to a disruption affecting the firm’s critical operations and core business lines and assess the potential impact of the activity together with the effectiveness of protective measures.
  • Conduct continuous surveillance and reporting to senior management and the board of directors that provides sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

Conclusion

Finally, operational resilience is here to stay as a regulatory concern for the agencies. For firms, it therefore becomes a compliance matter. And although some of the guidance above might seem like a no-brainer, other elements will require a reshuffling of organizational and compliance structures.

Aiding banks in this regard will be integrated resilience management software. Not only do these solutions provide direct coverage of operational resilience, they seamlessly integrate with all other aspects of resilience management to provide a comprehensive and holistic approach to resilience, facilitate crucial collaboration and coordination, unlock critical insights, keep stakeholders informed, and streamline essential workflows for planning and response.
