Basel Committee issues principles for operational resilience and risk
- Principles for operational resilience aim to increase banks' capacity to withstand disruptions due to potentially severe events.
- Revised principles on operational risk focus on change management and information and communication technologies (ICT).
- Covid-19 has made operational resilience and mitigating operational risk even more important.
The Basel Committee on Banking Supervision today issued Principles for operational resilience, which aim to make banks better able to withstand, adapt to and recover from severe adverse events.
In addition to the principles for operational resilience, the Committee is also issuing revisions to its Principles for the sound management of operational risk (PSMOR) reflecting the natural relationship between operational resilience and operational risk. This follows a consultation on both documents in August 2020.
Given the critical role played by banks in the global financial system, increasing banks' resilience to absorb shocks from operational risks, such as those arising from pandemics, cyber incidents, technology failures or natural disasters, will provide additional safeguards to the financial system as a whole.
In recent years, the growth of technology-related threats has increased the importance of banks' operational resilience. The Covid-19 pandemic has made the need to address these threats even more pressing.
With respect to operational risk, the Committee has made a limited number of technical revisions to:
- align the PSMOR with the recently finalised Basel III operational risk framework;
- update the guidance where needed in the areas of change management and ICT; and
- improve the overall clarity of the principles document.
The principles for operational resilience build upon the PSMOR, and are largely derived and adapted from existing outsourcing-, business continuity- and risk management-related guidance issued by the Committee or national supervisors over a number of years.
By building upon existing guidance and current practices, the Committee is seeking to develop a coherent framework and avoid duplication. The operational resilience principles focus on governance; operational risk management; business continuity planning and testing; mapping interconnections and interdependencies; third-party dependency management; incident management; and resilient cyber security and ICT.