The Basel Committee on Banking Supervision is seeking comment from the financial services industry on its proposed principles for operational resilience that aim to enhance banks’ ability to withstand, adapt to, and recover from potentially severe adverse events.

The Basel Committee is the primary global standard setter for the prudential regulation of banks and provides a forum for cooperation on banking supervisory matters. Its mandate is to strengthen the regulation, supervision, and practices of banks worldwide with the purpose of enhancing financial stability.

“In recent years, the growth of technology-related threats has increased the importance of banks’ operational resilience,” the Committee said. “The Covid-19 pandemic has made the need to address these threats even more pressing.”

The Committee added that, given the critical role banks play in the global financial system, “increasing banks’ resilience to absorb shocks from operational risks—such as those arising from pandemics, cyber incidents, technology failures, or natural disasters—will provide additional safeguards to the financial system as a whole.”

The Committee defines “operational resilience” as “the ability of a bank to deliver critical operations through disruption” and believes operational resilience is an outcome of effective operational risk management. Activities such as risk identification and assessment, risk mitigation, and ongoing monitoring complement one another to minimize operational disruptions and their effects when they materialize, the Committee said.

Proposals explained

The Committee said it’s proposing the updates to its “Principles for the Sound Management of Operational Risk” guidance to (i) align the guidance with the recently finalized Basel III operational risk framework; (ii) update the guidance where needed in the areas of change management and information and communication technology (ICT); and (iii) to enhance the overall clarity of the principles document.

The proposed principles for operational resilience set forth in the consultative documents not only build upon the proposed updates to the guidance, but also largely derive from existing guidance on outsourcing, business continuity, and risk management-related guidance issued by the Committee or national supervisors over the last several years. By building upon existing guidance and current practices, the Committee said it’s “seeking to develop a coherent framework and avoid duplication.”

At a high level, the proposed operational resilience principles focus on seven key principles: governance; operational risk management; business continuity planning and testing; mapping interconnections and interdependencies; third-party dependency management; incident management; and resilient cyber-security and ICT.

Comment sought

Regarding the operational resilience principles, the Committee requests feedback on the following questions:

  • Has the Committee appropriately captured the necessary requirements of an effective operational resilience approach for banks? Are there any aspects that the Committee could consider further?
  • Do you have any comments on the individual principles and supporting commentary?
  • Are there any specific lessons resulting from the COVID-19 pandemic, including relevant containment measures, that the proposed principles for operational resilience should reflect?
  • Do you see merit in further consolidation of the Committee’s relevant principles on operational risk and resilience?

Additionally, the Committee said it “recognizes that measuring a bank’s operational resilience is in a nascent stage and further work is required to develop a reliable set of metrics that both banks and supervisors can use to assess whether resilience expectations are being met.” The Committee seeks specific feedback on the following measurement-related question: “What kind of metrics does your organization find useful for measuring operational resilience? What data are used to produce these metrics?”

Comments to the consultative documents should be submitted by Nov. 6. All comments may be published unless a respondent specifically requests confidential treatment.