
Integrated Compliance Approach on Operational Resilience

With increasing focus from regulators, it is high time to take an aligned approach to digital resilience and continuity in BAU and, subsequently, in resolution scenarios.

At a glance:

  • There are two key regulatory initiatives: the Digital Operational Resilience Act (DORA), approved as a regulation, and Operational Continuity in Resolution (OCIR), the key guidance published by the SRB as an official paper. Both are the most important regulatory initiatives on operational resilience for banks and insurance firms.
  • DORA will require firms to adopt a broader business view of resilience in BAU mode, with accountability clearly established at senior management level. It applies to the vast majority of FS firms operating in the EU and establishes binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM).
  • OCIR requires firms to adopt a broader business view of resilience during the resolution period, giving them the ability to effectively implement the resolution strategy and, consequently, to stabilize and restructure the bank.
  • We believe both regulatory initiatives will be game changers for how FS firms approach operational resilience, as they will push firms to take a broader view of resilience and to develop sophisticated new capabilities in BAU as well as in stress situations. The focus of OCIR and DORA is the same; the only difference is the phase in which they apply to the firm.
  • Firms should now prepare an integrated and aligned approach to both regulatory initiatives to generate efficiency, as the groundwork required for both is interlinked and similar in multiple respects.
  • In this analysis, produced with Deloitte’s expert colleagues, we suggest the areas of interconnectedness between resilience and resolution and describe the potential synergies between DORA and OCIR. A high-level overview of an integrated approach that a firm may consider in order to prepare for both regulatory initiatives is also provided.

Intended audience: CROs, COOs, CISOs, Heads of operational resilience, Compliance teams, ICT risk teams, TPRM teams in financial services firms with EU operations.

What is DORA?

DORA[1] is the EU-wide Digital Operational Resilience Act, which the supervisory authorities define as ‘the ability of firms and Financial Market Infrastructures and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’ Disruption could be caused by a variety of different factors including, for example, a cyber-attack or a third-party failure to perform a service.

What is Resolution Planning and Resolution Objectives?

Resolution is the restructuring of a bank by a resolution authority through the use of resolution tools in order to safeguard public interests, including the continuity of the bank’s critical functions, financial stability and minimal costs to taxpayers.

In view of the critical intermediary role that banks play in our economies, financial difficulties in banks need to be resolved in an orderly, quick and efficient manner, avoiding undue disruption to the bank's activities and to the rest of the financial system.

The BRRD and the SRMR set the following resolution objectives[2]:

  • to ensure the continuity of critical functions;
  • to avoid significant adverse effects on financial stability, in particular by preventing contagion, including to market infrastructures, and by maintaining market discipline;
  • to protect public funds by minimising reliance on extraordinary public financial support;
  • to protect depositors covered by the Deposit Guarantee Scheme Directive (DGSD) and investors covered by the Investor Compensation Scheme Directive (ICSD);
  • to protect client funds and client assets.

The SRB and, where relevant, NRAs will seek to minimise the cost of resolution and avoid destruction of value.

What is the role of Resolution Planning Master Playbook?

Since the adoption of the BRRD in 2015, resolution authorities have made significant progress on resolution planning and are progressively increasing their focus on testing resolvability[3]. The EBA has prepared draft guidelines that introduce a Master Playbook, and has also prepared resolvability testing guidelines.

OCIR is considered one of the critical components of the Master Playbook, since its primary objective is the continuity of critical functions, achieved by putting in place measures to ensure financial resilience and to maintain staff and roles.

What is OCIR?

Operational continuity in resolution (OCIR) refers to the ability to effectively implement, from an operational point of view, the resolution strategy and, consequently, to stabilize and restructure the bank[4].

What is the linkage between DORA & OCIR?

DORA is designed to ensure the ‘normal’ operation (BAU mode) of a set of critical or important services at all times, including those delivered by 3rd party providers. OCIR is one of the 7 dimensions of resolvability and was originally designed to ensure the continuity of a set of activities that are critical to, as well as core to, the economy once the firm has moved into recovery and resolution. There will be significant overlap, from a preparation point of view, between the activities deemed important for operational resilience and those deemed critical for OCIR.

Based upon our analysis, here is the high-level linkage between DORA and OCIR requirements:

Which Domain / Entities are Impacted by DORA & OCIR?

Note:

  • Credit institutions, payment institutions and investment firms are included under Article 1.1 of the BRRD[5].
  • *There are similar guidelines on resolvability and cooperation arrangements for Central Securities Depositories, published by ESMA[6].
  • #The IRRD directive[7] provides a framework for authorities to manage insurance failures effectively.

Which characteristics to leverage to be well prepared?

As mentioned above, the EBA’s guidelines (EBA/GL/2022/01 on improving resolvability for institutions and resolution authorities) have a clear link with DORA’s requirements. They also clarify that there is a clear narrative linking a firm’s critical and essential services under the OCIR regime with its critical (or important) functions under the operational resilience regime. Based upon our observations, there are a few areas where opportunities for alignment between OCIR and DORA exist:

Glossary with aligned Terminology & Taxonomies: OCIR and DORA share a number of similar terms. A common set of definitions would go a long way towards giving the firm clear and consistent terminology. This generates alignment among different services and enables consistency between the two regulatory initiatives; as a result, it supports consistent communication with internal as well as external parties.

Reconciled Operational Mapping: ICT asset management mapping, functions, inventories, service lists, vendor lists, technology etc., which are already available either as part of existing OCIR projects or as part of the existing BCP, can be leveraged to meet both DORA and OCIR by creating an operational mapping between the two regulatory initiatives.

Leveraging the Framework of Resolvability Testing for DORA compliance: the EBA’s recently published detailed framework for resolvability testing can be customized and used as an indicative framework for firms to assess their compliance with DORA on a regular basis.

Harmonization of the key contractual elements of the service and of the relationship with ICT third-party providers:

  • OCIR provides detailed guidelines on managing 3rd party providers using resolution-resilient features. These can be customized and used, in context, for digital operational resilience.
  • DORA focuses on detailed assessment when initiating outsourcing and establishes clear guidelines for exit criteria. These can be customized and used for resolution resilience, e.g. rights of access, inspection and audit by the financial entity, clear termination rights and dedicated exit strategies… (see EBA/GL/2019/02 and EBA/GL/2019/04).

Conclusion

Both the OCIR guidelines and DORA, as a single regulatory and supervisory rulebook for ICT operational resilience in the financial sector, make clear that firms need to begin planning seriously for the task of implementing these regulatory initiatives, using an integrated and aligned approach to ensure complementary and mutually beneficial implementation programmes.

As we have said earlier in this analysis, we believe DORA to be a game changer for how FS firms approach operational resilience, as it will push them to take a broader view of resilience and develop sophisticated new capabilities in areas such as CIF identification, reporting, impact measurement and testing. The OCIR guidelines also focus on similar areas and establish the ability to effectively implement, from an operational point of view, the resolution strategy and, consequently, to stabilize and restructure the bank.

The focus of OCIR and DORA is the same; the only difference is the phase in which they will help the firm.

DORA should be seen as a catalyst for firms to accelerate strategic change in how they manage digital risks, and in how effectively senior management and boards are able to evaluate the business impact of operational disruptions and understand the mitigants at their disposal. OCIR should be seen as a strong backbone for the firm, and especially for its ICT capabilities, in how it manages operational continuity and 3rd party providers when things go wrong from a financial perspective.

There are clear benefits to firms in investing time and effort early to align DORA and OCIR:

  1. Stakeholder and Regulatory Transparency: the integrated compliance approach will generate alignment among different services and enable consistency between DORA and OCIR. It will additionally help in consistency of communication with internal as well as external parties.
  2. Generating efficiency by leveraging potential synergies: OCIR suggests that banks can leverage the work carried out for the business continuity plans (“BCP”) developed for supervisory purposes.
    • The BCP could be used as a basis for the identification of relevant roles. Key roles identified as a result of the BCP business impact analysis may also be considered relevant for operational continuity in resolution. However, the specific scope criteria above will need to be met, and the link must be made between relevant roles and critical and essential services.
    • Additionally, the bank can leverage existing risk and regulatory requirements. For example, under the EBA Guidelines on ICT and security risk management, banks establish and maintain an updated mapping of staff in order to manage the information assets supporting their critical business functions and processes.
      OCIR provides “Actions to mitigate risks to operational continuity and measures to improve preparedness for”. These can easily be customized for operational resilience cases and are useful when implementing DORA.
    • Both OCIR and DORA should draw upon a single source of data (a golden source) to help distinguish those services which may be critical, essential or important, and the maps which outline their delivery. This approach can improve data quality and make maintenance simpler.
  3. Reduction of effort by generating a full understanding of each firm’s interconnectedness and operational complexity: a common glossary, operational mapping and reconciled definitions between OCIR and DORA would lead to an increased understanding of the interconnectedness of entities, business units, services, products, technology, teams, 3rd parties etc. This is increasingly challenging to understand fully given the complexity of firms, and is particularly important to ensure that firms’ internal governance frameworks can fully support OCIR and DORA through implementation and into BAU.
  4. Ease of managing 3rd Party Service Providers’ Contracts and Resilience: OCIR provides guidelines on managing 3rd party providers using resolution-resilient features. These can be customized and used, in context, for digital operational resilience.
    • DORA focuses on detailed assessment when initiating outsourcing and establishes clear guidelines for exit criteria. These can be customized and used for resolution resilience.

Abbreviations:


BAU - Business As Usual (normal condition)
BRRD - Bank Recovery and Resolution Directive
CIF - Critical and Important Functions
DORA - Digital Operational Resilience Act
EBA - European Banking Authority
EU - European Union
FS - Financial Services
MIS - Management Information System
NRA - National Resolution Authority
OCIR - Operational Continuity in Resolution
SRB - Single Resolution Board
SRMR - Single Resolution Mechanism Regulation

Links:

[1] Provisional agreement resulting from interinstitutional negotiations (published on 24th June 2022). Subject: Proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (COM2020(0595) – C9-0304/2020 – 2020/0266(COD))
[2] https://www.srb.europa.eu/system/files/media/document/intro_resplanning.pdf
[3] Guidelines amending Guidelines EBA/GL/2022/01 on improving resolvability for institutions and resolution authorities under articles 15 and 16 of Directive 2014/59/EU (Resolvability Guidelines) to introduce a new section on resolvability testing
[4] https://www.srb.europa.eu/system/files/media/document/2021-11-29_SRB-Operational-Guidance-for-Operational-Continuity-in-Resolution.pdf
[5] https://www.eba.europa.eu/regulation-and-policy/single-rulebook/interactive-single-rulebook/100556
[6] https://www.esma.europa.eu/press-news/esma-news/esma-publishes-guidelines-resolvability-and-cooperation-arrangements-central
[7] https://finance.ec.europa.eu/insurance-and-pension-funds/insurance/insurance-recovery-and-resolution_en
