On 1 December 2021, the Central Bank of Ireland (the “Central Bank”) published its cross industry guidance on Operational Resilience (the “Guidelines”), together with a feedback statement (the “Feedback Statement”) setting out the Central Bank’s views on the responses received following its engagement with industry bodies and regulated entities on its consultation paper (“CP140”), which contained draft guidelines on Operational Resilience (the “Draft Guidelines”).
The Feedback Statement noted that a significant proportion of the comments that the Central Bank received related to the need for proportionality given the wide range of firms operating in the Irish financial sector, and the need to ensure that, as international regulation evolves in this space, the Central Bank is able to adapt accordingly.
The Guidelines remain largely unchanged from those contained within the Draft Guidelines published earlier this year. The Central Bank has confirmed that where changes have been made, they do not alter the intent or purpose of the Draft Guidelines but rather provide additional context and clarity on how the Guidelines should be applied.
The Central Bank recognises that not all hazards can be prevented; the key is that firms and the whole sector should be able to identify and prepare for, respond and adapt to, and then recover and learn from an operational disruption. The 15 Guidelines are framed around these three pillars of operational resilience: (1) Identify and Prepare; (2) Respond and Adapt; and (3) Recover and Learn. Their objective is to communicate to industry the key elements necessary to achieve effective operational resilience.
What has changed?
Guideline 2 of the Draft Guidelines addressed the relationship between a firm’s operational risk and operational resilience frameworks. In response to a request from industry for clarity on the relationship between the operational risk and operational resilience frameworks, the Central Bank recognised in its Feedback Statement that a firm’s approach to operational resilience should align with its approach to operational risk and business continuity management. However, the Central Bank recognised that firms need flexibility in how they structure their management of these different but related activities. Therefore, after considering the feedback received, additional context has been added to Guideline 2 to emphasise their aligned objectives.
Guideline 4 of the Draft Guidelines provided that a firm should identify its critical or important business services based on criteria approved by the board. The Central Bank has amended Guideline 4 to reflect that it agrees with industry feedback that the size of a firm might not always be indicative of the number of critical or important business services. As such, where the consultation paper stated that ‘It is likely that larger firms will identify a larger number of critical or important business services than smaller firms’, the Guidelines have removed that statement and now provide that ‘a firm should consider whether the number of critical or important business services is proportionate to the nature, scale and complexity of its business’.
Guidelines 5 & 6
Guideline 5 of the Draft Guidelines set out the Central Bank’s expectations that a firm should develop impact tolerances for each of its critical or important business services. Guideline 6 of the Draft Guidelines set out the Central Bank’s expectations for firms to develop clear impact tolerance metrics for each of their critical or important business services. In response to a request for clarification from industry on how to apply the Central Bank’s expectations in respect of impact tolerances, Guidelines 5 & 6 have been updated to clarify that impact tolerance metrics can be both qualitative and quantitative and that firms may leverage appropriate existing approved processes as part of their development of impact tolerances.
Guideline 8 of the Draft Guidelines set out the Central Bank’s expectations to document third party dependencies in the mapping of critical or important business services. In its Feedback Statement, the Central Bank identified that respondents expressed challenges in ensuring that Outsourced Service Providers (“OSPs”) would have “at least equivalent” levels of operational resilience. The Central Bank has added additional context to Guideline 8 to provide that ‘a firm should undertake due diligence in respect of its OSPs prior to entering into an outsourcing arrangement, to ensure that third party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances’.
The Central Bank outlined in its Feedback Statement that this change reinforces a flexible approach and enables boards to use their judgement in determining whether the level of operational resilience of an OSP is appropriate to enable the firm to remain within its impact tolerances.
The Guidelines set out the Central Bank’s expectations of firms in terms of implementing an effective operational resilience framework. Firms would be advised to actively and promptly identify gaps in documentation, processes and procedures in order to ensure that they are in a position to deliver on the Central Bank’s expectations of applying the Guidelines at the latest within two years of their being issued.
This article was co-authored by partners Joe Beashel, Darren Maher, Gráinne Callanan, Karen Reynolds and Shay Lydon, consultant Niamh Mulholland and senior associates Elaine Long and Ian O’Mara. For further information, please contact any one of them or your usual Matheson contact.