On 1 December 2021, the Central Bank of Ireland (the
"Central Bank") issued its operational resilience
guidance paper (the "Guidance").
The publication follows its consultation seeking stakeholders'
views on a draft form of the guidance ("CP140").
For further details see our previous client update CP140: Consultation on
New Cross-Industry Operational Resilience.
The Guidance is accompanied by a feedback
statement (the "Feedback Statement") summarising
the feedback received from CP140, providing commentary on industry
views and explaining changes made to the Guidance in its final
form.
Scope and Purpose
The Guidance applies to all regulated financial service providers
("RFSPs"), as defined in Section 2 of the Central Bank
Act 1942.
Consistent with the Central Bank's strategic commitment to
strengthening resilience throughout the financial system, the
Guidance's objective is to communicate how firms should
prepare for, respond to, and recover and learn from an
operational disruption that affects the delivery of critical or
important business services.
The Guidance is not prescriptive and is designed to be flexible and
applicable proportionately based on the nature, scale and
complexity of each firm's business.
In brief, the Guidance:
- Outlines the Central Bank's expectations on the design and management of operational resilience frameworks;
- Emphasises board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions; and
- Requires appropriate action to ensure that operational resilience frameworks are well designed, operating effectively and sufficiently robust.
Three Pillars
Designed to support a holistic approach to the management of operational resilience and related risks, the Guidance is structured around three pillars:
- Identify and Prepare;
- Respond and Adapt; and
- Recover and Learn.
The three pillars contain 15 guidelines.
Guidelines 1-10 relate to measures under Identify and
Prepare.
Under this pillar, the Guidance sets out guidelines on governance,
identification of critical or important business services, impact
tolerances, mapping of interconnections and interdependencies, ICT
and cyber resilience and scenario testing.
Guidelines 11-13 relate to measures under Respond and
Adapt.
Under this pillar, expectations for business continuity management,
incident management strategy and crisis communication plans are set
out.
Guidelines 14 and 15 relate to measures under
Recover and Learn.
This pillar specifically requires that RFSPs conduct a lessons
learned exercise after any disruption to a critical or important
business service. RFSPs should also document and update
written self-assessments, addressing how they meet their operational
resilience framework, at least annually.
CP140 Feedback
In the Feedback Statement, the Central Bank notes that sixteen
responses were received and that a significant proportion of the
comments related to the need for proportionality given the wide
range of firms operating in the Irish financial sector.
While some adjustments have been made, the Central Bank notes that
the final Guidance remains largely unchanged from the draft set out
in CP140.
On proportionality, the Central Bank confirms that "the
Guidance is designed to be flexible and should be applied by firms
in a proportionate manner based on the nature, scale and complexity
of their business".
Role of the Board
The Feedback Statement addressed some of the responses around
Guideline 1 and the concept of the board taking ultimate
responsibility for a firm's operational resilience.
Notably, in terms of the respective roles of the board and senior
management, the Guidance notes that "the board needs to be
ultimately responsible for reviewing and approving the firm's
strategic approach to operational resilience" and that
"senior management are responsible for implementing the
operational resilience strategy".
Required Actions and Timing
Boards and senior management are expected to review the Guidance
and adopt appropriate measures to strengthen and improve their
governance and risk frameworks and their effective management of
operational resilience within an "appropriate
timeframe".
While the nature, scale and complexity of an RFSP's business and
its overall impact on customers and the wider economy will be taken
into account, the Central Bank expects RFSPs to demonstrate that
they have considered the supervisory expectations in the Guidance
and to evidence actions or plans to address the requirements within two
years of its publication (i.e. by 1 December 2023) at the
latest.
Firms can expect the Central Bank to assess actions taken to comply
with the Guidance in due course - the Guidance states that the
Central Bank "will utilise risk-based supervisory
engagement to assess the core principles of operational resilience
in firms and to drive enhanced and mature operational resilience
across the financial system".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.