Banks across Europe need to get better at mapping dependencies that could threaten their critical operations if they unravel, according to an update from the Basel Committee this week – which also highlights worrying gaps in business continuity plans around third-party failures.
The warning came in an update on how banks are doing when it comes to meeting operational resilience and risk rules laid down in 2021.
The committee (a global standard setter for the regulation of banks, with 45 members including central banks from 28 jurisdictions) also emphasised that board responsibilities for operational resilience are not nearly as mature as those for operational risk and require improvement.
The Basel Committee published its operational resilience and operational risk management principles, the “POR” and the “PSMOR”, in March 2021 to “promote banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets.”
The Committee said in a supervisory newsletter that “the mapping of interconnections and interdependencies for critical operations, and the definition of tolerances for disruption to these operations are the most common challenges that banks face when adopting the Principles.”
“For some banks, there is still work to do on developing appropriate business continuity and contingency plans and exit procedures where third parties provide critical operations,” it added – emphasising that “banks should establish and maintain accurate data at an appropriate level of granularity on critical operations and recognise the foundational role of mapping interconnections and interdependencies…”
The update comes after the Bank of England raised fresh concerns at the possibility of “systemic concentration risks” arising from the migration of financial market infrastructure (FMI) to the cloud in a 2023 consultation that suggested a significantly more robust set of demands to ensure IT resilience is coming soon for financial services providers. In that
It called on boards to "approve, regularly review, and implement a written third party risk management policy" spanning cybersecurity, operational resilience and data protection and ensure that firms have a "formalised contractual agreement to be in place for all outsourcing arrangements".
This should span "provisions for full access and unrestricted rights for audit and information", including "the results of security penetration testing carried out by the outsourced third party, or on its behalf, on its applications, data, and systems to assess... cyber and internal IT security measures and processes”. "We expect [operational resilience] to become a major consideration in their [banks'] investment programmes,” said the BoE’s supervisory risk chief last year. “Designing services to be resilient is often easier than reverse engineering resilience into fragile services…"