Operational resilience - the new ECB focus topic 2020

The Bank of England defines operational resilience as follows: “The ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them.”

What does this mean for financial service providers? Financial service providers are encouraged to develop an approach that goes beyond previous approaches, such as traditional contingency planning or cybersecurity. The challenge is to maintain the business entity’s ability to do business as well as key business services in the event of disruptive events, regardless of their cause, especially when disruptions can lead to instability in the financial system.

The ECB has declared the topic a priority for 2020 and announced new guidelines. This brings the topic of operational resilience into the focus of future supervisory audits.

Through the bank regulatory IT requirements (BAIT), the supervisory authority sought to strengthen financial institutions by regulating disciplines such as business and IT service continuity management, cybersecurity management and vendor management more closely.

Despite the immense expenditures already made by financial institutions, the number and diversity of external attacks on the services of financial institutions is constantly increasing. External threats such as hacker attacks, natural disasters (climate change) and pandemics threaten not only the individual financial service provider, but the entire financial system.

The aim of the operational resilience requirements is therefore to strengthen the entire financial industry by integrating a new and broader perspective, namely on the services of a bank to be protected, into the existing structures.

1. Operational resilience is driven and managed top-down from an overall company and financial system perspective more strongly than all previous standards and specifications (including BCM, ITSCM, cybersecurity management etc.).
2. Operational resilience requires, much more than previous standards, the external front-to-back view of key business services. The influence of the services on the entire financial system is also always considered.
3. The new standard requires the definition of measurable KPIs and tolerance limits, the exceedance of which triggers defined measures. Regular reporting of measured deviations and active action planning and implementation must be established.

Important areas of activity for the implementation of operational resilience lie at the level of leadership and strategy. The operational resilience strategy must be approved by management and support or influence future corporate strategy and investment decisions.

Another level of action concerns corporate guidelines and frameworks. The defined KPIs/tolerance limits as well as the corresponding measures must be integrated into existing structures and anchored in the corporate culture.

At the level of the business model, the prioritised business services must be identified and their dependencies presented. The associated resources (IT, data, people, suppliers, buildings and processes) must be assigned to the business services in order to define concrete measures at this level in the event of measured exceedances of tolerance limits.

KPMG has defined the following guiding principles that should be observed and constantly reflected upon when implementing operational resilience:

1. Top-down: Operational resilience must be driven by and be the responsibility of the management level. The measures and the approach must also be synchronised and coordinated with the overarching strategic agenda.
2. Measurable: Management must define clear KPIs and tolerance levels and ensure that these are systematically managed. Regular measurement and integrated reporting must be ensured.
3. Front-to-back: Operational resilience must be understood and implemented front-to-back. In this context, business services to external users (customers, suppliers, regulators, etc.) are the starting point of the considerations.
4. Resilient: Operational resilience should be an essential criterion of all management decisions and business activities – firmly anchored in the corporate culture.
5. Versatile: Operational resilience requires the development of a broad spectrum of strategies in order to be able to respond to a wide range of events and contingencies. This diversification minimises the risk of versatile attack possibilities.

KPMG has developed an approach to implementing operational resilience requirements, drawing on a wealth of experience from operational resilience implementation projects in the UK.

1. Maturity assessment: We benefit from our experience from other regulatory projects and can identify significant gaps and quick wins in a few days, even before we start with an extensive implementation project. This step can also be carried out alone and is optional in the overall project approach.
2. Definition of top-down principles and strategy: The first step involves setting top-down guidelines and aligning and anchoring them with the overall corporate strategy.
3. Identification of the business service framework and prioritisation: Successful completion of the first step is followed by documentation of the business service framework and prioritisation of services from an operational resilience perspective.
4. Resource mapping: In this further step, the IT resources, data, people, suppliers, buildings and processes are allocated to the prioritised business services.
5. Definition of KPIs, tolerance limits, scenarios and measures: Once resources have been allocated to business services, measurable KPIs and associated tolerance levels are defined. This is followed by the definition of scenarios and mitigation measures.
6. Implementation, integration and reporting; cultural anchoring: Now comes the final step, namely the implementation and integration of the defined measures into existing company guidelines. Regular reporting must be set up and anchored in the corporate culture.
7. Test: To ensure that the implementation of the operational resilience requirements has been successful, test scenarios must be defined and the defined measures tested.

From our point of view, there are particular challenges that need to be considered and overcome during implementation, including:

• There is often a lack of clear responsibilities at management level for regulatory safety issues.
• Building a clear business service framework can be difficult. Often this clear external front-to-back view with clear responsibilities does not exist.
• The definition of clear, unambiguous service responsibilities (single ownership) for the identified and prioritised business services must be found.
• Identifying critical business services and mapping them to existing processes, applications, IT infrastructures and service providers is often complex.
• The definition of practicable and measurable KPIs, especially the definition of measurable tolerance limits, as well as the implementation of a corresponding reporting, is a challenge, taking into account existing capacities.
• Operational resilience is not implemented on a greenfield basis, but must be linked and coordinated with existing disciplines (BCM, ITSCM, cybersecurity, IKK, etc.).

KPMG supports you with a lot of experience, know-how and a structured approach to meet these challenges and successfully implement the new requirement.