On April 9th 2021, the Central Bank of Ireland (“CBI”) published a cross industry consultation paper on operational resilience, CP140. Operational resilience is the ability of a CBI regulated firm, and the financial services sector, to identify, prepare for, respond to, adapt to, recover from and learn from an operational disruption.
The CBI recognises that all firms will have established risk management processes and governance arrangements underpinned by sectoral legislation, regulatory requirements, and guidance. However, the CBI also recognises that not all potential hazards can be prevented, and that a flexible, pragmatic and proportionate approach to operational resilience will strengthen the financial services industry’s ability to respond to and recover from such events. CP140 includes proposed operational resilience guidelines for all financial service providers regulated by the CBI (the “Guidance”).
The Guidance is split into three pillars, and there are fifteen specific guidelines spread across the three pillars. These guidelines set out the steps required to achieve and continuously enhance a firm’s operational resilience.
Pillar 1: Identify and Prepare
1. The Board of Directors (the “Board”) has ultimate responsibility for the operational resilience of a firm.
2. The operational resilience framework should be embedded within a firm’s overall governance and risk management frameworks.
3. The Board should review and approve the criteria for critical or important business services.
4. A firm should identify its critical or important business services.
5. Impact tolerances should be approved for each critical or important business service.
6. A firm should develop clear impact tolerance metrics.
7. A firm should understand and map out how its critical or important business services are delivered.
8. A firm should capture third party dependencies in the mapping of critical or important business services.
9. A firm should have Information and Communications Technology (“ICT”) and cyber resilience strategies that are integral to the operational resilience of its critical or important business services.
10. A firm should document and test its ability to remain within impact tolerances through severe but plausible scenarios.
Pillar 2: Respond and Adapt
11. The incident management strategy should be fully integrated into the overarching operational resilience framework.
12. Business continuity management should be fully integrated into the overarching operational resilience framework and linked to a firm’s risk appetite.
13. Internal and external crisis communication plans should be fully integrated into the overarching operational resilience framework.
Pillar 3: Recover and Learn
14. A lessons-learned exercise should be conducted after a disruption to a critical or important business service to enhance a firm’s capabilities to adapt and respond to future operational events.
15. A firm should promote an effective culture of learning and continuous improvement as operational resilience evolves.
Key Considerations for Firms
Ultimate responsibility for operational resilience and for implementing the framework rests with the Board. Boards must be informed, trained and accountable for the operational resilience of their firms. Boards cannot afford to delegate or overlook this responsibility.
Firms need to ensure that appropriate reporting structures along with escalation procedures are in place, to enable them to have oversight of both the operational framework itself and potentially disruptive events.
Alignment with existing procedures
Operational resilience relies on the effectiveness of existing policies and procedures within a firm, including governance, risk, business continuity management, ICT and cyber security. Operational resilience should be factored into the existing frameworks, policies, and responsibilities, rather than set apart from existing structures/functions.
Self-assessment and continuous improvement
CP140 aims to guide firms on the steps they need to take to achieve an adequate level of resilience, rather than being prescriptive about the outcomes and parameters of each step. There are suggestions within the Guidance of what to consider, which decisions need to be made, and the specific governance checks to challenge and ratify. The Guidance gives firms enough flexibility to determine their own decision-making processes. Firms should undertake a self-assessment with sufficient detail to enable decision-making to meet the desired outcome of CP140. Firms should note that the third pillar of the Guidance emphasises the importance of ensuring there is continuous learning and improvement within the firm as its operational resilience evolves.
Third party dependencies are a key area of focus, with the outsourcing consultation paper (CP138) having been published just weeks before CP140. Each firm’s dependencies on third parties need to be fully understood and considered before entering into any outsourcing arrangement. The CBI calls for firms to ensure that, for any third party on which a critical dependency exists, the operational resilience of that party is of an equal standard to that of the firm.
Consultation on CP140 is open until July 9th 2021, and the finalised operational resilience guidance is expected to be published in the latter part of this year. Firms should reflect on CP140 to determine its potential impact. The CBI expects firms to be actively and promptly addressing operational resilience vulnerabilities, and to be able to evidence actions/plans to apply the Guidance, at the latest, within two years of its formal issuance.
KB Associates’ Services
KB Associates provides a range of services to investment funds including:
- The provision of UCITS management company/AIFM services
- The provision of designated persons to perform UCITS business plan/AIFMD programme of activity functions.
- The provision of operational and compliance services to both UCITS and AIFMD compliant structures.