The Regulatory Lens of Business Resilience for Financial Institutions

While every industry may be regulated differently, all aspects of business resilience aren't always considered holistically. A traditional approach to business continuity planning has always been centered around disaster recovery (physical location, telecommunications, data and IT systems). Regulatory standards on operational risk and resilience typically mention the response to and recovery from business interruptions. These days, we are witnessing an industry-wide shift towards the continuity of business operations. And even though the supervisory emphasis is still placed on operational risk, the change is evident. 

Real Life Examples

No matter the size of the company, disruption may take any form and take your business by surprise.

• CEO Tim Sloan said the recovery from the outage was not as fast as the company or its customers expected. 

• Contact centers were up and running but customers face longer wait times if they are phoning in. 

• Complaints piled up that paychecks and direct deposits weren’t reflected in customer balances, but the bank says it fixed the issue. 

The problem: 
It took too long for the company to recover from system issues, causing customer concern and complaints. 

In March 2019, Facebook experienced its most prolonged outage, affecting the social network and other platforms owned by the company. The company blamed a “server configuration change” for the outage, meaning that even a pro-tech company like Facebook was not prepared to maintain its critical service during a server change. 

Regulation of Operational Resilience in the U.S.

In the US, business resilience is a top priority for regulators in the financial industry. The Federal Reserve and the Office of the Comptroller of the Currency (OCC) initiated a series of examinations for some of the largest banks in 2019. This focus remains unchanged in 2020, with an emphasis on operational resilience.  

The OCC's Supervisory strategies for 2020 focuses on cybersecurity and operational resiliency, with emphasis on threat vulnerability and detection, access controls and data management, and managing third-party connections. 

Another objective is technological innovation and implementation, including the use of cloud computing, artificial intelligence, digitalization in risk management processes, new products and services, and strategic plans.  

The Federal Reserve listed cybersecurity management, risk identification and assessment, along with technological innovation as priority areas for their 2020-2023 strategic plan.  

• Improve forward-looking risk-identification and assessment capabilities to inform policy and support timely and effective risk mitigation through supervision. 

• Expand risk-identification capabilities to increase agility in identifying and responding to changing conditions. 

• Evolve policy and supervisory capabilities to keep pace with financial technology innovation and operational vulnerabilities, including cybersecurity, for supervised firms. 

• Enhance cybersecurity and data privacy programs and maintain a secure technology environment that fosters collaboration, continuous improvement, and innovation. 

The FFIEC has also revised its Business Continuity Management Booklet to highlight the importance of operational resilience. The updated booklet focuses on enterprise-wide approaches that address technology, business operations, testing, and communication strategies integral to continuity of business operations. The examination procedures now will help examiners assess whether management includes business continuity as part of the risk management cycle of a company’s processes and operations, and if a BC program itself is adequate.