The Basel Committee views operational resilience as a critical practice for successful firms to maintain business continuity. The documents emphasize existing guidance and current practices, such as principles-based guidance on corporate governance, business continuity, and outsourcing, ultimately aiming at developing an overarching, cohesive framework.
Principles for operational resilience
The Basel Committee defines operational resilience as “the ability to deliver critical operations through disruption.” Within the last few years, COVID-19, inflation and market fluctuations have tested financial firms’ ability to withstand disruptions. While capital and liquidity requirements have bolstered banks’ ability to absorb financial shocks, more must be done to improve banks’ ability to absorb, respond and adapt to operational risks. Banks need to focus on the threats that could cause the most harm from operational failures. These risks can include, but are not limited to, pandemics, technology failures, personnel oversights or cyber incidents. BCBS has crafted the Principles for Operational Resilience as a response to these possible events, and to provide strategies to anticipate, mitigate and respond to these potential incidents.
This principles-based approach to operational resilience offers the following seven categories as a guideline.
- Governance
- The board of directors is ultimately responsible for the review and approval of the bank’s operational risk expectations, as well as its risk appetite, risk capacity, and risk profile. The board should also assess “severe but plausible” scenarios when formulating the bank’s risk tolerance for disturbances to its critical operations.
- Operational risk management
- This function uses business continuity planning to create controls and procedures that sufficiently identify external and internal threats and vulnerabilities relating to people, processes, and systems.
- Business continuity planning and testing
- This principle involves putting strategies in place to mitigate the impacts of disruptions and testing controls to ensure they function within an acceptable limit. Business continuity plans should routinely exercise responses to “severe but plausible scenarios” that impact critical daily operations. Planning should also be data- and analytics-driven to offer the most accurate information. This step should also address the most extreme cases of disruption to ensure action is taken even in the worst disasters.
- Mapping interconnections and interdependencies
- This principle must outline all vulnerabilities and test risk tolerance levels. These vulnerabilities should reflect all areas of operations and interdependencies, whether internal or external – including people, technology, processes, information, and facilities involved in delivering critical operations.
- Third-party dependency management
- All third parties must be thoroughly vetted prior to onboarding and regularly throughout the partnership. The third party’s operational resilience conditions,