Anyone who read the draft Basel Committee on Banking Supervision (BCBS) documents, Principles for operational resilience and Revisions to the principles for the sound management of operational risk (PSMOR), will see little that has changed in the final versions of each, published on 31 March.
This is possibly due to the high-level pitch (principles-driven) of each document, combined with the comparatively low volume of industry feedback the BCBS received on both the resilience and the PSMOR drafts. While ORX provided a short response (available to our members) to each of these consultations last year, there were just 29 responses to the resilience consultation and 15 to the PSMOR, compared to 70 for the Standardised Measurement Approach for operational risk (part of the Basel III reforms). We expect there to be more interest in these documents as they filter into national and jurisdictional regulation.
What's changed since the consultations?
Some effort has clearly been made to update the text to better align operational risk management, operational resilience, and business continuity planning. Aside from this, there are also some minor corrections, clarifications, and a few slight relaxations.
In the principles for resilience there are only a few changes of note:
- Within the definition of operational resilience, the committee clarifies what tolerance means – “In the context of operational resilience, the Committee defines tolerance for disruption as the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios.” Furthermore, they explain that “Banks’ tolerance for disruption should be applied at the critical operations level.”
- Banks should now align (rather than consider if they are aligned) their recovery and resolution plans with operational resilience approaches in principle 3 (business continuity planning and testing).
- There is a slight relaxation in principle 5 (third-party dependency management). The paragraph that said, “Banks should formalise their relationships with third parties and intra-group entities through written agreements which should cover how to maintain operational resilience in both normal circumstances and in the event of disruption. These written agreements should reflect: the respective functions’ due diligence; banks’ supervisory and resolution authorities access to third parties; and the bank’s operational resilience expectations” has been dropped.
Beyond this, there are several areas where minor rephrasing has occurred, along with the removal of some text which, on reflection, may have sounded too specific to the pandemic. One example is the removal, in principle 1 (governance), of some specific examples of disruptive scenarios – “lockdown due to pandemics, destructive cyber security incidents, catastrophic natural disasters”.
A section on wide-scale remote access in principle 7 (ICT including cyber security) has been removed entirely, but now appears within the PSMOR.
Effort made to align with resilience
For the PSMOR, it is clear some effort has been made to ensure the alignment between this and the principles for resilience. For example, this paragraph has been added to the introduction:
“Although operational risk management and operational resilience address different goals, they are closely interconnected. An effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and the impact of operational risk events.”
Beyond this, principle 6 (identification and assessment) has been modified to reinforce the link with resilience, adding that risk identification and assessment are fundamental characteristics of an effective operational risk management system “and directly contribute to operational resilience capabilities”. A specific paragraph has also been added which links the whole operational risk toolset to the pursuit of operational resilience.
“These operational risk assessment tools can also directly contribute to a bank’s operational resilience approach, in particular event management, self-assessment and scenario analysis procedures, as they allow banks to identify and monitor threats and vulnerabilities to their critical operations. Banks should use the outputs of these tools to improve their operational resilience controls and procedures, as identified in the Committee’s Principles for operational resilience”.
The largest change is in principle 10 (information and communication technology), with the addition of section 62 – “Banks should develop approaches to ICT readiness for stressed scenarios from disruptive external events”. However, this text is identical to the section removed from the principles for resilience, demonstrating the coupling between the two documents.
Tightening the role of the board and clarifying roles
In several places the role of the board has been clarified, and typically increased. For example:
- In principle 3 (board of directors), the board of directors should now “approve and periodically review” the operational risk management framework (ORMF), as opposed to “i” it in the draft, and regularly “evaluate” the effectiveness of the ORMF, an elevation from a challenge role.
- In principle 9 (control and mitigation), control processes and procedures must now be considered from a resilience perspective, and “should address how the bank ensures operational resilience is maintained in both normal circumstances and in the event of disruption, reflecting respective functions’ due diligence, consistent with the bank’s operational resilience approach.”
- In principle 11 (business continuity planning), policies now need approval by the board of directors.
In principle 7 (change management), responsibilities are now correctly assigned, with the first line taking over from the second line the assessment of “activities, processes and systems, including the identification and evaluation of the required change through the decision-making and planning phases”.
Minor changes in some other areas
There are also several areas where some quite specific aspects of the draft principles have been relaxed. For example:
- In principle 1 (governance), the requirement for customised training is dropped.
- The need for “continuous risk and control assessments” is removed from principle 7 (change).
- The ambition of principle 8 (monitoring and reporting) has been reduced, removing the references to continuous improvement and to monitoring key and emerging risks via metrics.
Elsewhere, some principles are slightly extended:
- In principle 9 (control and mitigation), third party risk management policies will now need to include metrics to monitor oversight, and supervisory authorities’ access to third parties.
- Principle 11 (business continuity planning) now adds an explicit link between the plans and the operational risk framework.