Corporate Compliance Insights

Preparing for Enhanced Regulatory Supervision of Operational Resilience

Regulatory Oversight for Financial Institutions in the Near Term

by Ron Lefferts
October 8, 2019
in Featured, Financial Services

What might be among the largest regulatory and compliance burdens organizations face in the near future? Operational resilience. Protiviti’s Ron Lefferts discusses the need for financial institutions to adopt better standards in order to achieve it.

Operational disruptions are impacting the financial sector with greater frequency and severity, and with each disruptive episode, the focus on managing operational threats is changing from how financial institutions (FIs) can prevent events from happening to what they can do to minimize their impact or to restore services as quickly as possible.

While more regulators are demanding that firms and financial market infrastructures (FMIs) demonstrate greater resiliency, they are also considering regulatory approaches that are significantly different from those used to address capital, liquidity and the other financial risks. Operational resilience, which describes the ability of a firm to withstand an adverse event and continue to provide goods and services, is now at the forefront of regulatory scrutiny around the world.

Following is a framework firms can leverage to understand, prevent and recover from extreme but plausible events. The framework identifies key components firms must consider when formalizing and managing the resilience of their critical business services.

Improving the Standards of Operational Resilience

Operational risks are increasing for all FIs but remain exponentially higher for those operating in multiple jurisdictions or outsourcing a significant number of services to third parties. Depending on the jurisdiction, multinational FIs contend with varying governance structures, organizational processes, IT systems, cultural issues and regulatory obligations – factors that can complicate efforts to build operational resilience.

The key components of operational resilience, which include defining critical business services, impact tolerance and economic impact, require FIs to have a complete understanding of all business services, functions and third-party relationships. To achieve better standards of operational resilience, companies – regardless of size – should:

  • Understand and prioritize the criticality of the business lines or services they provide to various stakeholders.
  • Determine the impact tolerance of the organization for each business line and assess how a prolonged disruption will affect the organization’s various stakeholders.
  • Consider the effects of business disruptions not only on the institution’s stakeholders, but also on the financial sector at large.

The interdependency of markets and among participants creates additional vulnerabilities. For example, FIs generally rely on third-party vendors for different aspects of business-as-usual operations. These FIs should have processes in place to ensure that third-party operational resilience is part of the initial vetting and ongoing vendor relationships.

Overlapping and inconsistent regulations can also undermine FIs’ efforts to build resiliency. Specifically, inconsistent rules may cause lapses in compliance, which could result in regulatory sanctions, reputational damage and, ultimately, customer defections. Given these concerns, a number of leading financial institutions are advocating for a principles-based regulatory approach to operational resilience – one that is firm-led, flexible in design and not overly prescriptive.

The Future of Resilience Supervision

In the United Kingdom, supervisory authorities have made it clear that operational resilience of firms and FMIs is no less important than financial resilience. In the July 2018 discussion paper, “Building the U.K. Financial Sector’s Operational Resilience,” the supervisory authorities expressed concern over the potential harm to consumers and market participants from operational disruptions and signaled how they intend to hold firms accountable for these events and their ability to recover from them.

The U.K. regulators have been reexamining current supervisory approaches to operational resilience with the goal of developing a framework that aligns better with the assumption that failures are bound to happen, and companies need to be better prepared for when – not if – those adverse events occur. The regulators are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans. Where possible, they intend to build on existing supervisory approaches or supplement existing policies to improve the resilience of the financial system.

According to the Bank of England (BoE), a future supervisory approach could cover these four broad areas:

  • Sector-wide work, including any potential stress testing developed by the BoE and others.
  • Supervisory assessment of how firms and FMIs set and use impact tolerances.
  • Analysis of systems and processes that support business services.
  • Assurance that firms and FMIs have the capabilities to deliver operational resilience and follow existing rules, principles, expectations and guidance.

In the United States, the Federal Reserve has indicated its preference for a more harmonized regulatory approach that incorporates leading industry standards and best practices and reflects significantly more input from firms. The Fed is taking this approach to incentivize firms to adjust their behaviors and make investments that achieve the Fed’s safety and soundness and financial stability objectives, according to a senior Fed official.[1] Nonetheless, the Fed has not ruled out the possibility of establishing specific resiliency tolerances or a regulatory-driven approach.

In the Asia-Pacific region, regulators are also working to strengthen resilience supervision. The Monetary Authority of Singapore (MAS), for example, has proposed changes that will require financial institutions to put in place enhanced measures to strengthen operational resilience. The measures include developing business continuity plans that better account for interdependencies across operational units and linkages with external service providers. The MAS proposals also include guidance on effective cyber surveillance, secure software development, adversarial attack simulation and management of cyber risks posed by the internet of things.

MAS is one of many regulatory bodies focused on cyber risk management. The BoE is working with the G-7 Cyber Expert Group, which represents 23 financial authorities, to develop a cyber stress testing program. Also, the Basel Committee on Banking Supervision, which established the Operational Resilience Working Group (ORG), is working on integrating a cyber dimension into its broader operational resilience work.

Preparing for Enhanced Supervision

As regulators reassess their approach to resilience supervision, FIs should prepare for a future where their resilience practices are heavily scrutinized. Future regulatory regimes are likely to demand assurances that firms are setting appropriate impact tolerances – that is, that they can create metrics around the level of disruption they can tolerate if their most important business services fail due to a severe but plausible stress event.

Firms should also be prepared to demonstrate that they have identified critical business services and functions and are monitoring and testing their resilience against worst-case scenarios. They should be able to show that they have implemented systems and processes that would allow them to continue to provide services in an extreme but plausible event.

Larger firms and FMIs are likely to face greater scrutiny; in the United Kingdom, the supervisory authorities are considering reviewing the operational resilience efforts of larger firms on a regular basis and taking targeted actions if serious concerns are identified. For smaller or mid-sized firms, regulators intend to review their resilience efforts on a periodic basis.

While the growing focus on operational resilience may create burdensome obligations for some organizations, it also provides an opportunity for FIs to stay ahead of the regulatory curve. There is an opportunity to take proactive measures, such as self-assessing the resilience of back-up systems, redundancies and substitutability arrangements while working toward building a culture of resiliency throughout the enterprise.


[1] Comments by Art Lindo, Federal Reserve Board, May 1, 2019


Ron Lefferts

Ron Lefferts is a Protiviti managing director and leader of the firm’s global technology consulting practice. Based in the New York office of the global consulting firm, Lefferts helps CIOs and IT leaders drive performance by designing and implementing advanced solutions in IT governance, infrastructure, cloud, security, data management, applications and compliance. Prior to joining Protiviti, Ron was managing partner for the financial services sector in North America for IBM Global Business Services. During his 11-year tenure with IBM, he was also managing partner for the financial services sector in the company’s Greater China Group and a member of IBM’s Industry Academy. Earlier in his career, he served as director of Technology Strategy and Architecture for Merrill Lynch Global Wealth Management and as a strategy, operations and technology consultant for a Big Four accounting firm. Lefferts holds an MBA from Drexel University and a bachelor of arts degree from the University of Delaware. He serves on the board of directors of the Borough of Manhattan Community College Foundation.
