Regulators are taking increased measures to prevent incidents that could have a severe impact on the industry and the broader economy. The recently released FINMA circular 2023/1 sets out the principles for managing operational risks and resilience. The circular is intentionally not prescriptive, which means that organisations need to interpret the principles set out in the circular and tailor the implementation of the regulation to their particular circumstances.
The new regulation highlights the need for in-scope financial institutions to ensure that their level of operational resilience is adequate, and that the organisation can deliver the required, minimum business services outcomes in times of ‘severe, but plausible’ disruptions.
We propose a five-pillar approach to meeting the heightened requirements and managing the organisation’s own level of operational resilience effectively:
By 1 January 2026, FINMA requires organisations to fully comply with the circular and therefore to be operationally resilient. By that date, organisations should have addressed existing vulnerabilities and implemented the additional measures required to remain within the tolerances for disruption of their critical functions during severe but plausible disruptive events.
However, FINMA’s first transition tollgate of 1 January 2024 already expects organisations to have an initial inventory of their critical functions approved by the Board of Directors. The inventory must contain the tolerances for disruption of the critical functions, as well as the identified connections and dependencies between the critical processes and the resources that provide the identified critical functions.
Therefore, the time for action is now. To ensure compliance, organisations should be in the process of addressing the first pillars of Operational Resilience. The two main challenges from an Operational Resilience perspective that organisations will be confronted with throughout the remainder of 2023 are:
In addition, the required remediation work on long-known vulnerabilities that are difficult and complex to address will likely require larger efforts spread across multiple years. Consequently, organisations should consider kicking off some of this work already in 2023 in order to meet the final deadline of 1 January 2026.
Financial institutions need to prioritise the initial identification of the organisation’s critical functions and their related tolerances for disruption, as FINMA’s first transition tollgate on 1 January 2024 is quickly approaching. In addition, the required remediation work on long-known vulnerabilities that will likely require significant effort should start now in order to meet the final deadline of 1 January 2026.
The initial definition of critical functions and their tolerances for disruption will likely be a more complex task than initially expected. The process requires an iterative approach involving senior stakeholders from multiple business areas across the organisation. Once defined, critical functions and their tolerances will ultimately reflect senior management’s top business priorities in times of crisis.
Our team has successfully supported and continues to support numerous institutions in addressing the same challenges and we would be delighted to assist your organisation in achieving compliance with this new regulation.