Basel Committee Publishes 7 Principles for Operational Resilience
A Summary of Principles for Operational Resilience from the Basel Committee on Banking Supervision, March 2021
The Basel Committee on Banking Supervision recognizes seven categories of principles concerning operational resilience and how it is best managed within an organization, particularly in banking and financial services. This guidance builds upon existing approaches to operational risk, risks that the COVID-19 pandemic has exacerbated.
The Basel Committee has published the principles to help strengthen banks’ ability to absorb operational risk-related events such as pandemics, cyber incidents, technology failures and natural disasters. Increasing resilience would provide additional safeguards to the financial system. The seven principles are:
- Governance
- Operational risk management
- Business continuity planning & testing
- Mapping of interconnections & interdependencies of critical operations
- Third-party dependency management
- Incident management
- Resilient information & communication technology (ICT), including cybersecurity
Governance
The committee outlines that an organization's existing governance structures should carry out effective operational resilience practices and have the ability to adapt to, recover from and learn from disruptive events in order to lessen the impact those events may have on operations. These practices should be closely overseen and led by the organization's board of directors and senior management. Effective governance will also improve the organization's ability to work through disruptive events with minimal compromise, downtime or other operational issues.
Operational risk management
Operational risk management involves the identification and remediation of both external and internal threats to an organization, as well as human and/or technological errors that may occur. Effective operational risk management leverages change management capabilities and has sufficient controls and procedures in place to identify and assess threats and vulnerabilities quickly.
Business continuity planning & testing
Effective business continuity planning and testing frameworks should involve the regular simulation of severe but plausible disruptions to an organization's operations. Identifying key internal and external operations as well as key personnel, and simulating disruptive events that involve these variables, will help organizations plan for a variety of scenarios.
Mapping interconnections & interdependencies
Mapping interconnections & interdependencies involves tracing and documenting operational aspects of an organization that are necessary in order to perform critical operations. That includes things like people, technology, processes, information and facilities.
Third-party dependency management
This principle highlights the importance of managing relationships with third parties or intragroup entities. This includes assessing risk before establishing a relationship and ensuring that any third party or intragroup entity has an equivalent or higher operational resilience approach in place.
Incident management
Proper incident management ensures effective response and recovery plans are in place to manage incidents that could disrupt an organization's critical operations. Key facets include:
- Maintaining an inventory of incident response resources
- Classification of incident severity
- Response and recovery procedures
- Communications plans
ICT, including cyber security
ICT policies and cyber security measures should effectively support and facilitate an organization's critical operations while staying in line with legal requirements concerning the protection of data and confidentiality. These systems should be tested regularly alongside other processes and systems within the organization to ensure optimal security, performance and the ability to overcome disruptions.