Operational Resilience

Overview:

Operational resilience is the ability of a firm to identify and prepare for, respond and adapt to, recover and learn from an operational disruption. It is expected to be a key regulatory focus over the coming years. Regulators aim to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system. Specific issues include (i) poor governance and oversight of outsourced functions and third-party service providers, (ii) insufficiently resilient legacy IT systems with poor cyber security, and (iii) a lack of contingency plans for business disruptions.

Current work:

On 11 April 2022, AIMA filed its response to the SEC's proposed new rules on cyber security, affecting registered investment advisers, registered investment companies and business development companies. The proposed rules would require written cyber security policies and procedures, reporting of significant cyber incidents to the SEC, enhanced public disclosures regarding cyber incidents and risks, fund board approval of the fund's policies and procedures, and specific recordkeeping. AIMA prepared a more detailed summary of this proposed rule, which is available here.

The European Commission published a draft regulation on digital operational resilience for the financial sector (DORA). It aims to enable a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an oversight framework for critical ICT third-party providers. DORA is currently being scrutinised by the European Parliament and Council. On 11 May 2022, the Council presidency and the European Parliament reached a provisional agreement on DORA. Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs) will then develop technical standards. DORA is expected to become operational in 2024.

The European Securities and Markets Authority (ESMA) issued guidelines on outsourcing to cloud service providers. The ESMA guidelines, which came into force on 31 July 2021, aim to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. The guidelines will apply from 31 December 2022 to any cloud outsourcing arrangement already entered into prior to 31 July 2021.

The Central Bank of Ireland (CBI) published cross-industry guidance on operational resilience. The guidance aims to assist firms in preparing for, responding to, recovering from and learning from an operational disruption that affects the delivery of critical or important business services.

The UK Financial Conduct Authority (FCA) published new rules designed to increase and enhance firms’ operational resilience. Requirements include identifying important business services, setting impact tolerances for the maximum tolerable disruption and carrying out mapping and testing. Firms must also have identified any vulnerabilities in their operational resilience. The FCA's rules came into force on 31 March 2022.

Upcoming actions:

31 December 2022, ESMA guidelines apply to any cloud outsourcing arrangement entered into prior to 31 July 2021.

2024, the EU's Digital Operational Resilience Act (DORA) is expected to come into effect.

(Last updated: 11 July 2022)
Other related workstreams

Outsourcing

The increasing use of outsourcing by regulated entities is of growing importance to a number of supervisory authorities.

Cyber and Technology

In recent years, cyber security has increasingly become the top global risk for business, with regulators and policy-makers also paying increased attention to financial institutions’ cyber security planning.