Operational resilience

If a bank in Hong Kong were to suffer severe disruption to its operations for any length of time, there could be a catastrophic impact on businesses in the city as well as on the reputation of the bank itself.

Operational resilience enables banks to continue to serve their customers during potential disruptions resulting from incidents including cyberattacks, technology failures, health epidemics or climate events.

To ensure banks in Hong Kong are prepared against the evolving threats to stability, the HKMA introduced the Operational Resilience 2 (OR-2) module of its Supervisory Policy Manual in May 2022. To meet OR-2 requirements, banks will need to demonstrate that they are operationally resilient by May 2026.

The first of the OR-2 milestones was in May 2023, which was the deadline for banks to share their OR-2 frameworks with the HKMA, which include banks’ plans to deal with severe but plausible scenarios, crisis management and incident preparation.

Banks are now implementing their OR-2 frameworks, which includes considering how to deal with severe disruption, ongoing maintenance to protect against different types of threats, and considering how to manage third-party risk. As banks embed operational resilience principals across their day-to-day operations, they should also ensure that staff across the business understand the concept and how it impacts their roles.

The requirements of OR-2 also include engagement of management at the highest level. Boards should actively participate in setting and reviewing the OR-2 parameters, such as the list of the bank’s critical operations. The board has ultimate responsibility and should proactively address any issues that arise.

With less than two years until the final deadline, banks should now be implementing their frameworks. Key actions that should be progressing at present include:

• preparing crisis management procedures to deal with acute situations
• continuity planning to ensure a full understanding of evolving risks
• identifying areas of reliance on third parties, and planning the response if a third party were to suffer disruption
• allocating responsibility for reporting on operational resilience within departments

Being well prepared for the 2026 OR-2 deadline will not just fulfil banks’ regulatory obligations. Embedding operational resilience throughout their organisation will ensure that banks are ready to deal with evolving threats to stability as cyberattacks intensify and the global climate becomes more unpredictable, and ultimately helps to reinforce the stability of Hong Kong’s financial ecosystem.