Читать книгу Non-financial Risk Management in the Financial Industry - Группа авторов - Страница 56

Financial institutions always face the risk of operational disruption, due to, but not limited to, increased financial system interconnectedness, evolution of infrastructure complexity and potential impact from technology-related threats.

Operational resilience is defined by the BCBS as

“the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption.”[86]

We define resilience risk as the risk of losses from unexpected events leading to disruptions of business operations. It can be caused by poor identification of potential disruptive events and a failure to anticipate potential consequences from such events on the operations of a bank. In other words, the impact of this risk is strongly dependent on how well prepared the bank is, and how quickly and effectively its important business services are able to recover after a disruption, given the assumption that disruption cannot be prevented entirely.

Regulators are adopting a more structured approach towards operational resilience. Over the past approximately 15 years, there has been a visible expansion of the definition of operational resilience. In the years before 2008, it covered several rather heterogeneous risk elements, including operational risk, business continuity, information security, technological system integrity as well as physical security and safety.

After the global financial crisis, an evolution of the definition towards new and emerging risks could be observed. It was acknowledged that financial system and bank stability are a function of emergent risks. One example of such a risk is the topic of data privacy, as formalised and regulated by the GDPR in Europe and CCPA in the US. Other examples are cybersecurity and IT risks.

The next phase, which led to the current integrated view of operational resilience, started around 2017. At that time regulators across the globe, covering financial authorities in the UK, US, EU and Singapore, started to set structured expectations for a more comprehensive operational resilience framework. Now the focus is not only on the resilience of banks themselves but also on the effects of incidents on customers and other stakeholders. Regulators require a comprehensive understanding of business services, including the contributions and roles of third and fourth parties. The resilience of these business services now requires an analysis under low probability scenarios with a significant impact. Finally, regulators now expect an ongoing and holistic pressure testing and evolution of a bank’s operational resilience framework.

UK regulators have led the pack with their comprehensive regulatory frameworks on operational resilience. The FCA issued detailed guidance on how to build operational resilience in a series of consultative documents in 2019.[87] The FED, in collaboration with the OCC and the FDIC, published an interagency paper with recommendations on sound practices to strengthen operational resilience in 2020.[88] The BCBS issued a set of seven guiding principles for operational resilience in March 2021.[89] Also in March 2021, the MAS, together with the Association of Banks in Singapore, published a paper on risk management and operational resilience in a remote working environment.[90]