Ten key points from the regulatory agencies’ operational resilience paper

On October 30, the Federal Reserve (Fed), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC, and together, the Agencies) published a joint paper outlining sound practices to strengthen operational resilience. The paper encompasses a wide variety of resilience-related topics such as operational risk management, cybersecurity, and scenario development. It is targeted to US banks with more than $250 billion in total consolidated assets or more than $100 billion in total assets and other risk characteristics. While it does not constitute new regulation or supervisory guidance, it synthesizes existing resiliency-related standards, indicates continued regulatory interest in this area and constitutes a signal to look at these practices as a board-level, general management topic.

Operational resilience has been a focus area for the industry and regulators alike over the past several years, with high-profile cybersecurity incidents, natural disasters, and a global pandemic highlighting the importance of being able to continue and quickly restore business services. This need has been amplified by the global, interconnected nature of financial services, where outages at one firm or third-party service provider could have ripple effects across the entire sector. In response, regulators have begun to provide guidance on the issue, with UK regulators releasing an operational resilience discussion paper, US federal regulators updating their business continuity management handbook to include operational resilience principles, and the Basel Committee on Banking Supervision (BCBS) releasing its own set of principles.

Although financial institutions have had access to previous guidance, some have not yet integrated it into a single framework and approach. As such, we recommend that they closely review the practices outlined in the paper against their existing operational resilience strategy and make enhancements before the Agencies take the next step to formalize new requirements.

Key Takeaways:

  1. Tone from the top on resilience-related risks and impacts.
  2. Tight relationship between operational resilience and operational risk management. 
  3. Continued focus on safety and soundness.
  4. Limited development of “impact tolerance” related thinking. 
  5. Cyber continuing as a top-of-mind source of risk.
  6. Maturing thinking on scenario development and planning. 
  7. Importance of surveillance and monitoring.
  8. Reemphasis of third-party risk management.
  9. Acknowledgement of technology innovation as both an opportunity and a risk.
  10. What’s next?

First take

A publication of PwC's financial services regulatory practice

Contact us

Dan Ryan

Banking and Capital Markets Leader, PwC US

Adam Gilbert

Global Senior Regulatory Advisor, PwC US

Roberto Rodriguez

Director of Regulatory Strategy, PwC US
