On October 30, 2020, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued an interagency paper titled “Sound Practices to Strengthen Operational Resilience.” The paper describes standards for operational resilience already set forth in the agencies’ existing rules and guidance for domestic banking organizations.
The guidance applies to banking organizations with average total consolidated assets greater than or equal to (1) $250 billion, or (2) $100 billion together with $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.
Although the interagency paper is directed at the largest and most complex domestic banking organizations, small community banks can use it to assess their own operational resilience, which matters for every banking organization regardless of asset size.
The guidance arrives at a time of unprecedented disruption, including technology-based failures, cyber incidents, pandemics, and natural disasters. These disruptions, combined with growing reliance on third-party service providers, expose banks to operational risk.
This interagency paper brings together existing regulations, guidance, and common industry standards to provide a comprehensive approach that banks can use to strengthen and maintain operational resilience.
Operational resilience is the ability to deliver operations, including critical operations and core business lines, through disruption from any hazard.
Critical operations are those operations of the banking organization, including associated services, functions, and support, whose failure would pose a threat to the financial stability of the United States.
Core business lines are those business lines of the banking organization, including associated services, functions, and support, that in the organization’s view would, upon failure, result in a material loss of revenue, profit, or franchise value.
The interagency paper identifies key components that, taken together, form a comprehensive approach banks can use to strengthen and maintain operational resilience. Strong governance, combined with robust operational risk management and business continuity planning, anchors the bank’s sound practices; those practices are in turn informed by rigorous scenario analysis and consideration of third-party risk, and supported by secure and resilient information systems and by surveillance and reporting.
Below are highlights from the interagency paper for each of these components.
Governance
- The bank’s board of directors approves and periodically reviews the bank’s risk appetite, which is defined in Appendix D to 12 CFR part 30 as the aggregate level and types of risk the board and senior management are willing to assume to achieve the bank’s strategic business objectives.
- The board works with senior management to ensure that operational resilience practices are led and staffed by individuals with the relevant expertise and are given adequate budgets and resources.
- Senior management is accountable for developing, implementing, and managing effective and resilient information systems and controls that maintain critical operations and core business lines consistent with the bank’s tolerance for disruption.
Operational Risk Management
- The bank's senior management oversees the implementation of operational risk management processes, systems, and controls to identify and contain the scope of a disruption, mitigate its effects, and resolve the disruption consistent with the bank's tolerance for disruption.
- The bank's business line operations management identifies and mitigates operational risk exposures in alignment with the bank's tolerance for disruption.
- The bank's operational risk management function regularly reviews, tests, and updates internal controls relevant to the bank's critical operations and core business lines including those performed by third parties.
- The bank's operational risk management function works closely with its business continuity management and recovery or resolution planning functions with respect to operational resilience efforts.
Business Continuity Management
- The bank's business continuity management incorporates business impact analysis, testing, training, and awareness programs, as well as communication and crisis management policies.
- The bank tests business continuity plans, reviews the execution of tests, and improves plans by incorporating lessons learned. Business continuity tests and exercises incorporate dependencies of critical operations and core business lines of third parties. When possible, the bank participates in disaster recovery and business continuity testing with third parties associated with critical operations and core business lines.
- The bank trains essential personnel who have responsibility for executing critical operations and core business lines to perform back-up roles should a disruption occur. The bank implements an operational resilience training and awareness program to evaluate the effectiveness of personnel-related business continuity arrangements and the program is improved as shortcomings are identified.
Third-Party Risk Management
- The bank identifies and analyzes the third-party risk associated with its critical operations and core business lines. It prioritizes the third-party dependencies that are most significant to the bank and understands, manages, and mitigates their risks.
- The bank establishes relationships with third parties through formal agreements. The bank manages and monitors the performance of third parties against its service requirements and its tolerance for disruption.
- The bank addresses key third-party concerns to the extent that those concerns affect its operational resilience, e.g., through due diligence, contract negotiation, ongoing monitoring, and termination of contracts.
Scenario Analysis
- The bank maintains a robust governance framework and an independent review function to oversee the integrity and consistency of the scenario development process.
- The bank identifies potential risk transmission channels, concentrations, and vulnerabilities by analyzing the interconnections and interdependencies within and across its critical operations and core business lines considering third-party risks. The information that is obtained from these analyses informs the bank's tolerance for disruption.
Secure and Resilient Information System Management
- The bank routinely applies and evaluates the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of the bank's data and information systems.
- The bank establishes controls to safeguard the integrity and availability of critical data against destructive malware, including ransomware, and similar threats. Recovery from such incidents may depend on protocols for secure, immutable, offline storage of critical data, so that a clean copy exists that an attacker who has compromised production systems cannot alter or delete.
- The bank reviews information systems and controls on a regular basis against common industry standards and best practices. The bank also regularly reviews and updates its systems and controls for security against evolving threats including cyber threats and emerging or new technologies.
Surveillance and Reporting
- The bank detects in a timely manner anomalous activity that could lead to a disruption affecting the bank's critical operations and core business lines, and it assesses the potential impact of the activity together with the effectiveness of protective measures.
- The bank conducts continuous surveillance and reporting to senior management and the board of directors that provides sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.
In light of the interagency paper, banks may consider the following steps.
- Scrutinize incident response and business continuity plans to ensure they adequately address unprecedented disruption, including technology-based failures, cyber incidents, pandemics, and natural disasters. If the plans do not comprehensively address these scenarios, they should be updated and amended as soon as possible.
- Boards of directors may consider authorizing an external risk assessment and audit of the recommended sound practices to determine how effectively the bank has implemented a comprehensive approach to strengthen and maintain operational resilience.
- Senior management may consider conducting an inventory and audit of all third-party vendor relationships and reviewing each contractual agreement to determine whether it contains adequate provisions addressing operational risk and operational resilience.