On 6 August 2020 the Basel Committee on Banking Supervision (BCBS) issued two consultation documents. The first sets out the Principles for operational resilience and the second introduces Revisions to the principles for the sound management of operational risk. The deadline for responding to these is 6 November 2020. Just over a month after the October deadline for responding to the various FCA, PRA, BOE consultation papers on operational resilience (FCA CP19/32, PRA 29/19, BOE – CCPs, BOE – payments, BOE – CSDs).

As policy and risk experts turn their attention to finalising their responses to these various consultations, there are a few bear traps to look out for.

For example, in reference to the UK regime, the challenge arising from identifying important business services (IBSs) and arriving at a level of granularity that supports the remaining elements of a resilience framework should not be overlooked. It is significant. Business heads, will tend to look at the question from a commercial perspective, while operational risk experts may focus on a particular source of risk (e.g. Cyber) rather than the impact of a disruption on consumers and markets, or the chain of activities essential to the delivery of a business service.

The difficulty of responding to these consultations is not helped by the BCBS consultation papers which appear to: (i) deploy a slightly different language than the UK authorities, and (ii) locate the responsibility for operational resilience with the management of operational risk. This question of location is tricky, particularly as the BCBS also remarks that operational resilience is advanced when considering a number of elements (including business continuity and outsourcing), frequently refers to the bank recovery and resolution framework, and acknowledges significant shortcomings in bank operational risk frameworks.

This issue of language may initially seem pedantic, but it can also obscure fundamental conceptual differences. The UK authorities refer to IBSs and impact tolerances – a metric that presumes a disruption has crystallised (under a severe but plausible scenario) and determines the maximum duration of a disruption (to an important business service). 

Presumably the UK adopted the term – IBSs – so not to avoid any possible confusion with, for example, “critical business functions” defined for CCPs in relation to EMIR (Article 17(2) of RTS 153/2013). Nonetheless, the relationship and overlap between these concepts will need to be teased out and well understood.

The BCBS has added to this new terminology by embedding the term “critical operations” in its definition of operational resilience.  Where “critical operations” is intended to encompass “critical functions” as defined by the Financial Stability Board in its 2013 guidance on recovery and resolution. However, is an “operation” or “function” a “service” or “multiple services”?  Then there is the issue that the BCBS refers to a “risk tolerance for disruption”. A concept that would appear to allow for some variation in a chosen tolerance level.

For firms operating solely operating in the UK, it may be sufficient to focus on the UK framework. However, firms with a cross-border footprint will be looking for consistency. Nonetheless, firms operating in the UK should avoid developing an internal terminology that is at odds with that already adopted by the UK regulator.

If you are planning to formally respond to any of these consultations and/or would like help developing your operational resilience framework, please contact Anita Millar. We can work alongside your teams and/or bring in a project team that meets your requirements (by partnering with specialist consultancies such as illuminet).