Operational Resilience

Operational resilience has been top of the agenda for banks in Hong Kong in recent months as they have worked to meet the deadline for compliance with the first part of the Operational Resilience 2 (OR-2) regime in May. The OR-2 framework ensures that banks are prepared for disruption to services, including those provided by third parties, and also requires increased accountability from senior executives regarding operational resilience.

One of the key demands from the regulator as part of OR-2 is that banks understand where the vulnerabilities are in terms of delivering their services and are prepared to deal with potential disruptions. These vulnerabilities are across areas including people, facilities, technology, information and dependencies on third parties or intragroup entities.

One of the vulnerabilities that the regulator is specifically looking at under OR-2 is risks carried by third parties. Banks are being asked to first of all identify where they are relying on critical third parties, and ensure that they know their vendors and the processes involved, so that using third parties is not a case of “out of sight, out of mind”.

As part of their operational resilience preparations, banks need to select a range of “severe but plausible” scenarios that could cause disruption to their critical operations, including scenarios related to disruptions at a third party or within the third party’s supply chain. Banks will need to model the impact if a third party cannot provide the expected service and how long it will take to recover.

For example, if a bank is relying on one third party for a particular service, it could back this up by using a second service provider. The same with location: banks should consider having their service centres based in two or more locations to split the risk if one centre is disrupted. Using multiple service centres means that even if one centre is shut own, the others in the region can work together to provide full coverage.

Beyond the deadline

Now that the first OR-2 deadline has passed, we expect regulators to review the results of the initial framework development and implementation work and give feedback on the decisions that banks have made in areas including the selection of critical operations, severe but plausible scenarios and tolerance thresholds. The regulator will also review banks’ operational capabilities under the banks’ selected range of severe but plausible scenarios that would affect their critical operations following severe disruption given the infrastructure they have in place.

With their oversight of the entire sector, regulators will also be able to compare parameters across the industry and may have further insights to share. For example, outsourcing could present a concentration risk. Looking at the whole market, the regulator may find that a number of banks are using the same material third parties to provide the same service to customers. This would have a significant impact on the whole Hong Kong banking service capability or to the banks’ viability if this vendor was disrupted. In such a scenario, further diversification of third party vendors would be needed.

We expect regulators to use their insights to provide feedback to banks and play an active role in shaping the industry’s response to the new requirements.

Lanis Lam

Partner, Technology Risk, Hong Kong SAR

KPMG China

mail
call

Cara Moey

Director, Advisory, Management Consulting, Hong Kong SAR

KPMG China

mail

Ongoing process

Now that the OR-2 deadline has been met, banks are moving to the implementation phase. In some respects, the work has only just begun, as banks now have to execute the framework and carry out testing to demonstrate the validity of the framework they created to address service resilience.

This will involve more effort to align enterprise-wide roles and responsibilities. Operational resilience practices will need to become embedded in day-to-day operations, and all employees will need to think about their roles and how they contribute to the bank’s connected operational resilience model with stability.

Moving forward, banks will need to carry out regular monitoring of their capabilities including an annual exercise to challenge their operational resilience framework. They will also need to continually invest in and upgrade their infrastructure under the OR-2 guidelines.

While the need to fulfil the regulatory requirements of OR-2 has been a major incentive, banks in Hong Kong also recognise that being able to deliver their critical operations through disruption is fundamental to their viability and vital for market stability.

Disruption is becoming a new normal: for example, some leading social media platforms have seen significant interruptions to their service in recent times. And while the demise of Silicon Valley Bank in the US was not directly related to operational resilience, this crisis serves as a reminder of the need for banks to prepare for disruptive situations, such as a lot of customers wanting to make withdrawals at the same time, and the banks’ trading systems are more likely to come under stress.

Banks should look at operational resilience from the perspective of both acute disruption and ongoing maintenance and proactively think about what investment to make:

Crisis management is number 1:

preparing for acute situations within the organisation where the bank has to react quickly.

Incident management programme

is established to manage all incidents, especially those that may impact critical operations.

Continuity planning

focuses on the ongoing mitigation of risk, including ensuring that the banks know what the risks are.

Operational risk management

is identifying the risks, and putting in place an understanding of tolerance levels.

Technology and related architecture

in the background must be prepared to run the business through severe disruption within the tolerance thresholds.

Another potential issue for banks is regulatory risk, as regulators will sometimes need to respond quickly to external events, which will impact how banks operate.

Understanding and accountability

An important element of OR-2 is that it requires the board and senior management to have increased understanding and accountability regarding the bank’s performance (financial resilience) from an operational resilience perspective. Essentially, the OR-2 framework sets the expectation that senior management will be able to make key decisions around improving the structure from an operational resilience perspective, including identifying vulnerabilities and the remedial actions and plans that will be taken.

For additional assurance, boards can ask a third party service provider to help them review their list of critical operations, severe but possible scenarios and tolerance thresholds, before submitting to the regulator, as well as more general operational resilience advice and support.

From a global perspective, Hong Kong is among the most advanced jurisdictions in having a strong and comprehensive operational resilience regulatory framework in place. While these regulatory requirements add complexity and demand effort from the banks, they have considerable benefits.

When a large company has interruptions to its services it often makes global headlines and can be disastrous for the company’s reputation. For banks, it is particularly important that disruptions are dealt with swiftly. A strong operational resilience system means that banks can recover quickly from any disruption and avoid having a detrimental impact on their clients, from retail customers to major global corporates.

Ultimately, operational resilience not only benefits banks and protects all their customers, but also plays a crucial role in strengthening the foundations of Hong Kong as a stable and secure global finance hub.