On November 2, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the Agencies) published a paper, “Sound Practices to Strengthen Operational Resilience,” to provide banks and their holding companies (collectively, institutions) with ways to minimize the operational risks to their resiliency that can cause extensive disruptions. Operational resilience, as defined in the paper, means “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruption.”
Although the paper targets the largest regulated institutions [1], over time, sound practices for large institutions frequently become sound practices for regional and community-based institutions. The second paragraph of the paper stresses the importance for firms of all sizes to strengthen operational resilience. Leadership at a smaller institution may wish to review the paper with an eye toward implementing those practices that are relevant to, and practical for, that institution.
While the paper does not set forth new guidance or regulations, it describes existing regulations and guidance in one place. This consolidation of information from a number of sources into one document aligns with the Agencies’ recently announced intention (Proposed Rule Clarifies Role of Supervisory Guidance for Financial Institutions). Strengthening operational resilience, the paper states, can be achieved by adopting sound practices in the areas of governance, operational risk management, business continuity management, third-party risk management, scenario analysis, secure and resilient information system management, and surveillance and reporting. Two examples follow: governance and third-party risk management. In an appendix, the paper also addresses sound practices for cyber risk management, a significant operational risk.
Governance. To improve operational resilience through governance, the paper enumerates seven practices that promote effective governance. Among other things, an institution’s board of directors should approve and routinely review its risk appetite for weathering disruption at the institutional level, as well as for its critical operations and core business lines, and ensure that the senior managers responsible for operational resilience have sufficient and relevant experience in the areas for which they are responsible. The final practice listed in the governance section notes that the internal (or external) audit function is responsible for independently assessing the design and ongoing effectiveness of the firm’s operational resilience efforts.
Third-Party Risk Management. Institutions have increasingly engaged third parties to deliver services to clients across a spectrum of areas. In addition to the risk of third-party access to information systems, the provision of services by third parties presents additional operational resiliency risks that institutions must manage. Contractual formalization of relationships with third parties, routine identification and analysis of third-party risks to operations, and the establishment of processes and benchmarks to consistently monitor third-party performance are among the sound practices identified in the paper. Additionally, a sound practice is to identify replacement third parties and assess whether critical operations and core business lines may be brought in-house.
The paper sets forth risks that could lead to wide-scale disruption and an inability to continue operations, stating that an institution operating in a safe and sound manner can deliver critical operations, core business lines, and other operations, services, and functions through a disruption. The implication is that being unable to do so could be an unsafe or unsound practice. While many of the practices listed in the paper derive from guidance rather than regulation, leadership at all institutions would do well to implement all of the practices the paper describes.
[1] Banks, savings associations, and their holding companies that have average total consolidated assets greater than or equal to (a) $250 billion or (b) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.