ORX to respond to BCBS resilience & PSMOR consultations
- 16 September 2020
BCBS launches consultation on resilience principles and releases a long-awaited update to the PSMOR
On 6 August 2020 the Basel Committee on Banking Supervision (BCBS) published a consultation on principles for operational resilience and the long-awaited revisions to the principles for the sound management of operational risk (PSMOR). These are the first formal consultations on operational risk supervision for several years.
ORX to respond to BCBS consultation
From our position as a global operational risk association, we can bring together the views of our members to create a group response to consultations such as this. The ORX Board agrees that responding to consultations is an important part of our role in supporting our community and that it helps us meet our mission to continually progress the operational and non-financial risk discipline.
To capture input from our members, we will ask representatives from each banking organisation to give feedback on both the principles for operational resilience and the revised PSMOR. We are interested in how well suited the consultations are to operational risk today and how well they will accommodate future innovation.
What's in the consultation documents?
The consultation on resilience signals the increasing regulatory shift from financial to operational resilience and is particularly timely given the operational impacts that coronavirus (Covid-19) continues to have. ORX has published guidance for financial institutions on how best to capture the costs of coronavirus, which we've made freely available outside of our membership.
The influence of the pandemic is clearly stated in the document, which expands its original focus – technology failures and natural disasters – to include pandemics. Furthermore, in the formal questions, coronavirus is used as an event from which lessons about resilience can be learned. You can read more about the impact of coronavirus on operational risk profiles in the results of the Covid Risk Review survey.
Areas for consultation & comment
The consultation document sets out the following seven principles on which it is looking for feedback:
1. Governance
Banks should utilise their existing governance structure to establish, oversee and implement an effective operational resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimise their impact on delivering critical operations through disruption.
2. Operational risk management
Banks should leverage their respective functions for the management of operational risk to:
- Identify external and internal threats and potential failures in people, processes and systems on an ongoing basis
- Promptly assess the vulnerabilities of critical operations
- Manage the resulting risks in accordance with their operational resilience expectations
3. Business continuity planning and testing
Banks should have business continuity plans in place and conduct business continuity exercises under a range of severe but plausible scenarios in order to test their ability to deliver critical operations through disruption.
4. Mapping interconnections and interdependencies
Once a bank has identified its critical operations, the bank should map the relevant internal and external interconnections and interdependencies to set operational resilience expectations that are necessary for the delivery of critical operations.
5. Third-party dependency management
Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intra-group entities, for the delivery of critical operations.
6. Incident management
Banks should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the bank’s risk tolerance for disruption considering the bank’s risk appetite, risk capacity and risk profile. Banks should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.
7. ICT, including cybersecurity
Banks should ensure resilient ICT, including cybersecurity, that is subject to protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness and convey relevant information to users on a timely basis in order to fully support and facilitate the delivery of the bank’s critical operations.
Defining operational resilience
The paper also includes useful and clear definitions of operational resilience, and important supporting concepts such as critical operations and critical functions. A particularly interesting part of the consultation focuses on measuring operational resilience, where it seeks to identify reliable metrics which can be used to monitor the resilience of an organisation.
Update to the PSMOR
The second consultation is an update to the long-standing principles for the sound management of operational risk (PSMOR), first published in 2003 and subsequently updated in 2011. An update to the PSMOR had been expected for several years and was expected to introduce guidance on ICT risks.
As anticipated, the biggest change is the addition of a new principle – principle number 10 – which focuses on ICT governance and expands the list from 11 to 12:
“Banks should implement robust ICT governance that is consistent with their risk appetite and tolerance statement for operational risk and ensures that their ICT fully supports and facilitates their operations. ICT should be subject to appropriate risk identification, protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness, and convey relevant information to users on a timely basis.”
There are other smaller changes which give the paper a more contemporary tone, from incorporating change management to broadening what is considered an operational risk impact (e.g. monitoring of operational risk exposures generally, rather than only exposure to loss).
Why are these changes being made?
The committee stated its changes were motivated by a desire to:
- Align the principles with the recently finalised Basel III operational risk framework
- Update the guidance where needed in the areas of change management and information and communication technologies
- Enhance the overall clarity of the principles
Areas for change were informed by the 2014 review of the PSMOR and included:
- Risk identification and assessment tools, including risk and control self-assessments (RCSA), key risk indicators, external loss data, business process mapping, comparative analysis, and the monitoring of action plans generated from various operational risk management tools
- Change management programmes and processes (and their effective monitoring)
- Implementation of the three lines of defence, especially by refining the assignment of roles and responsibilities
- Board of directors and senior management oversight
- Articulation of operational risk appetite and tolerance statements
- Risk disclosures
Next steps for the op risk industry
Both consultations have a submission date of Friday, 6 November 2020. ORX recently published a report on the first industry lessons learnt from coronavirus, which is based on the experiences of our more than 100 member organisations. This study could be useful for institutions responding to the consultation.
Furthermore, we will support our members by facilitating discussions and helping to coordinate industry responses to each consultation if requested by our members. Our recently formed specialist resilience working group and cyber programme will be especially useful in doing this.