Basel Committee on Banking Supervision Proposes Principles for Operational Risk
08/06/2020
The Basel Committee on Banking Supervision has opened a consultation on proposed principles for operational resilience and updated Principles for the Sound Management of Operational Risk (PSMOR). The consultation closes on November 6, 2020.
The Basel Committee is proposing new principles for operational resilience with the aim of enhancing banks' capacity to absorb operational risk-related events, including a pandemic, cyber incidents, technology failures or natural disasters, all of which have the potential to lead to significant operational failures or wide-scale disruptions in financial markets. Operational resilience is defined by the Committee as "the ability of a bank to deliver critical operations through disruption". The Basel Committee's objective is to encourage a principles-based approach to improving operational resilience, elaborating on the PSMORs as well as previously issued principles on corporate governance, outsourcing and business continuity. The proposed principles for operational resilience are:
Principle 1: Banks should utilize their existing governance structure to establish, oversee and implement an effective operational resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimize their impact on delivering critical operations through disruption.
Principle 2: Banks should leverage their respective functions for the management of operational risk to identify external and internal threats and potential failures in people, processes and systems on an ongoing basis, promptly assess the vulnerabilities of critical operations and manage the resulting risks in accordance with their operational resilience expectations.
Principle 3: Banks should have business continuity plans in place and conduct business continuity exercises under a range of severe, but plausible, scenarios in order to test their ability to deliver critical operations through disruption.
Principle 4: Once a bank has identified its critical operations, the bank should map the relevant internal and external interconnections and interdependencies to set operational resilience expectations that are necessary for the delivery of critical operations.
Principle 5: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intra-group entities, for the delivery of critical operations.
Principle 6: Banks should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the bank's risk tolerance for disruption considering the bank's risk appetite, risk capacity and risk profile. Banks should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.
Principle 7: Banks should ensure resilient ICT, including cyber security that is subject to protection, detection, response and recovery programs that are regularly tested, incorporate appropriate situational awareness and convey relevant information to users on a timely basis in order to fully support and facilitate the delivery of the bank's critical operations.
In addition, the Basel Committee is asking for information on how banks measure operational resilience.
The second consultation paper concerns proposed updates to the PSMORs to: (i) bring the PSMORs into line with the finalized Basel III operational risk framework, due to come into effect in January 2022; (ii) provide updated guidance on change management and ICT; and (iii) improve the clarity of the PSMORs.
View the consultation on proposed principles for operational risk.
View the consultation on proposed updates to the PSMORs.
View details of the final Basel III standards.