CP140: Central Bank of Ireland Publishes Operational Resilience Guidance
01 Dec 2021
On 1 December 2021, the Central Bank of Ireland (the "Central Bank") issued its operational resilience guidance paper (the "Guidance").
The publication follows its consultation seeking stakeholders' views on a draft form of the guidance ("CP140"). For further details see our previous client update CP140: Consultation on New Cross-Industry Operational Resilience.
The Guidance is accompanied by a feedback statement (the "Feedback Statement") summarising the feedback received from CP140, providing commentary on industry views and explaining changes made to the Guidance in its final form.
Scope and Purpose
The Guidance applies to all regulated financial service providers ("RFSPs"), as defined in Section 2 of the Central Bank Act 1942.
Consistent with the Central Bank's strategic commitment of strengthening resilience throughout the financial system, the Guidance's objective is to communicate how firms should prepare for, respond to, and recover and learn from an operational disruption that affects the delivery of critical or important business services.
The Guidance is not prescriptive and is designed to be flexible and applicable proportionately based on the nature, scale and complexity of each firm's business.
In brief, the Guidance:
- Outlines the Central Bank's expectations on the design and management of operational resilience frameworks;
- Emphasises board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions; and
- Requires appropriate action to ensure that operational resilience frameworks are well designed, operating effectively and sufficiently robust.
Designed to support a holistic approach to the management of operational resilience and related risks, the Guidance is structured around three pillars:
- Identify and Prepare;
- Respond and Adapt; and
- Recover and Learn.
The three pillars contain 15 guidelines.
Guidelines 1-10 relate to measures under Identify and Prepare.
Under this pillar, the Guidance sets out guidelines on governance, identification of critical or important business services, impact tolerances, mapping of interconnections and interdependencies, ICT and cyber resilience and scenario testing.
Guidelines 11-13 relate to measures under Respond and Adapt.
Under this pillar, expectations for business continuity management, incident management strategy and crisis communication plans are set out.
Guidelines 14 and 15 relate to measures under Recover and Learn.
This pillar specifically requires that RFSPs conduct a lessons learned exercise after any disruption to a critical or important business service. RFSPs should also document and update, at least annually, written self-assessments addressing how they meet their operational resilience framework.
In the Feedback Statement, the Central Bank notes that sixteen responses were received and that a significant proportion of the comments related to the need for proportionality given the wide range of firms operating in the Irish financial sector.
While some adjustments have been made, the Central Bank notes that the final Guidance remains largely unchanged from the draft set out in CP140.
On proportionality, the Central Bank confirms that "the Guidance is designed to be flexible and should be applied by firms in a proportionate manner based on the nature, scale and complexity of their business".
Role of the Board
The Feedback Statement addressed some of the responses around Guideline 1 and the concept of the board taking ultimate responsibility for a firm's operational resilience.
Notably, in terms of the respective roles of the board and senior management, the Guidance notes that "the board needs to be ultimately responsible for reviewing and approving the firm’s strategic approach to operational resilience" and that "senior management are responsible for implementing the operational resilience strategy".
Required Actions and Timing
Boards and senior management are expected to review the Guidance and adopt appropriate measures to strengthen and improve their governance and risk frameworks and their effective management of operational resilience within an "appropriate timeframe".
While the nature, scale and complexity of an RFSP's business and its overall impact on customers and the wider economy will be taken into account, the Central Bank expects RFSPs to demonstrate that they have considered the supervisory expectations in the Guidance and evidence action / plans to address the requirements within two years of its publication (i.e. 1 December 2021) at the latest.
Firms can expect the Central Bank to assess actions taken to comply with the Guidance in due course - the Guidance states that the Central Bank "will utilise risk-based supervisory engagement to assess the core principles of operational resilience in firms and to drive enhanced and mature operational resilience across the financial system".