Supervisory newsletter on the adoption of POR and PSMOR

BCBS | Newsletters | 27 November 2023 | Status: Current

This newsletter provides information on the Committee's assessment of the adoption of the Principles for Operational Resilience and the revised Principles for the Sound Management of Operational Risk. The Committee believes the information provided may be useful for both supervisors and banks in their day-to-day activities. This document is for informational purposes only and does not constitute new supervisory guidance or expectations.

  • The Committee assessed the adoption of the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR, or collectively, "the Principles") published in March 2021. The assessment is meant to promote the adequate and timely adoption of the Principles.
  • The assessment found that the effectiveness and maturity of POR and PSMOR adoption vary across banks and jurisdictions.
  • The mapping of interconnections and interdependencies for critical operations, and the definition of tolerances for disruption to these operations are the most common challenges that banks face when adopting the Principles.
  • Full adoption of the Principles will require adequate resourcing and prioritisation. The Committee strongly encourages full adoption and will continue to support adoption by carefully monitoring progress.

The Basel Committee published the POR and the revised PSMOR in March 2021 to promote banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, and to enhance the effectiveness of banks' operational risk management. To evaluate the adoption of the Principles, the Committee carried out an assessment among its members in early 2023. The results indicate that the effectiveness and maturity of POR and PSMOR (footnote 1) adoption vary between banks:

  • While banks' operational risk management governance (PSMOR 3, 4, 5) is well established, board members' roles and responsibilities and capabilities for operational resilience are still under development (POR 1).
  • Banks have leveraged Risk and Control Self-Assessments (RCSAs) to identify threats and vulnerabilities to the delivery of critical operations (POR 2), but there are gaps in capabilities and effectiveness.
  • In most jurisdictions, banks' mapping of interconnections and interdependencies (POR 4) does not provide a sufficiently granular end-to-end view of critical operations, their complexity, and supporting people, processes and systems.
  • Business continuity practices and frameworks are generally well established in most banks, which is reflected in the level of adoption of the PSMOR on business continuity (PSMOR 11) and Information and Communication Technologies (ICT) (PSMOR 10). For the corresponding POR on business continuity and testing (POR 3) and ICT (POR 7), however, banks are still facing challenges (eg consideration of end-to-end delivery of critical operations, and the plausibility and severity of scenarios). Some banks have started to incorporate operational resilience into existing ICT risk management frameworks.
  • The Principles on the management of third parties and dependencies, as well as the alignment of third parties with resilience expectations (POR 5 and PSMOR 9), are considered to be among the most significant challenges for banks. For some banks, there is still work to do on developing appropriate business continuity and contingency plans and exit procedures where third parties provide critical operations.
  • The continued growth in recent years of operational risk-related events that could cause significant operational failures or wide-scale disruptions (such as those arising from pandemics, cyber incidents, technology failures or natural disasters) has heightened the need for banks to identify and respond to such incidents and crises. As a result, incident management practices (POR 6) are generally well established in nearly all jurisdictions.

Despite progress in adopting the Principles, further effort is needed by banks to enhance practices, which will require adequate resourcing and prioritisation. In some jurisdictions, full adoption of the POR and revised PSMOR may take until at least 2025. The challenges that banks in all jurisdictions face when adopting the Principles include the mapping of interconnections and interdependencies for critical operations, and the definition of tolerances for disruption to these critical operations. If mapping and tolerances are not defined and implemented effectively, the reliability of other activities such as risk management and testing is called into question, potentially compromising operational resilience. This is further exacerbated by deficiencies in capturing, structuring and using data on critical operations that may have originally been collected for resolution and recovery planning, business continuity or some other purpose.

The assessment also revealed several themes that have proved to be particularly relevant for the adoption of the Principles. First, it is crucial for banks to leverage all aspects of operational risk management to achieve operational resilience and to recognise its importance alongside financial resilience. Furthermore, banks should acknowledge that operational resilience is more than just business continuity. A key differentiator is the critical operations lens, in conjunction with the end-to-end view, the focus on impact, the use of the tolerance for disruption to drive decisions about resilience investment, and the consideration of third parties' resilience. Finally, banks should establish and maintain accurate data at an appropriate level of granularity on critical operations and recognise the foundational role of mapping interconnections and interdependencies for successfully adopting the Principles.

The Committee strongly encourages the full adoption of the POR and PSMOR into banks' operational risk management practices and regulatory and supervisory frameworks in order to strengthen their ability to withstand operational risk-related events and enhance operational resilience. New guidance and regulations issued by national authorities will contribute to the adoption of the Principles. The Committee will continue to support the adoption of the POR and PSMOR by carefully monitoring progress.

1. The assessment of banks' adoption of the revised PSMOR focused on Principles 9, 10 and 11.