
Stand the resilience test – OSFI adds to the operational resilience conversation

In line with measures other regulators have taken, OSFI released its final Guideline E-21 on operational risk and resilience, which outlines expectations for firms to prepare for and respond to disruptive events that could affect business operations.

29 August 2024
By Kathryn Fallah

In brief:

  • Following a consultation period, OSFI released its final Guideline E-21, which sets expectations on how firms should prepare for and address operational risk and resilience
  • The topic of operational resilience has been a focal point across financial jurisdictions, with regulators like the OCC recently setting out similar guidelines
  • Firms should reassess their resilience strategies to ensure there are steps in place to maintain stability and manage critical business functions

As the saying goes – if you fail to plan, you are planning to fail. Whether it be taking an exam, going to a job interview – or, in this case – defending against risks and establishing an operational resilience strategy, having a plan for any situation helps avoid unexpected incidents and identify top priorities.

While today’s increasingly sophisticated cyber landscape brings many benefits, the challenges it poses are equally precarious and can drastically impact the integrity and functionality of a financial firm. From elaborate cyberattacks threatening to compromise sensitive data to technological system failures that can disrupt critical operations, operational resilience is the safety net that catches a firm’s fall in case something goes awry.

Ready, set, resilience

On August 22, the Office of the Superintendent of Financial Institutions (OSFI) released final Guideline E-21 on operational risk and resilience after a consultation draft period initiated in July 2021. While E-21 first came into effect in 2016, it has undergone updates based on industry feedback. The Guideline now further accentuates “operational resilience while maintaining operational risk management expectations.”

The final Guideline has been updated with straightforward and streamlined steps that firms can follow in response to disruptive events impacting business operations. Alongside heightened expectations, it speaks to business continuity risk management, crisis management, change management, and data risk management.

The changes also include modifications based on firms’ feedback, such as clarification of terms like “business and central functions,” amendments to the expected frequency of scenario testing, and added flexibility to scale change management activities.

Within the original Guideline, OSFI defines operational risk as the “risk of loss resulting from people, inadequate or failed internal processes and systems, or from external events.” To mitigate disruptive events, the Guideline details the framework that firms should build in preparation, the multiple lines of defense to have in place, and the utilization of tools to identify potential risks.

The Guideline emphasizes the value of an inclusive framework to manage operational risk, stating that it “provides a mechanism for discussion and effective escalation of issues leading to better risk management over time and increased institutional resilience.”

OSFI isn’t the only regulator enhancing standards on operational resilience – in the U.S., the Office of the Comptroller of the Currency (OCC) released a proposed rule on recovery planning guidelines in July. Within this rule, the regulator offers guidance that large banks can utilize to properly prepare for “financial effects of severe stress” that can impact operations, especially considering the possible resulting contagion and systemic effects.

Repel risk and revamp recovery practices

OSFI identified multiple areas that could pose risks to a firm’s operations, including internal control failures, technology failures, third-party disruptions, cyber and geopolitical incidents, and pandemics.

The mention of technological failures and third-party disruptions is particularly pertinent, as an incident involving both occurred recently. The faulty CrowdStrike software update that triggered a worldwide disruption, impacting countless businesses reliant on the security provider, illustrates directly why a comprehensive operational resilience strategy matters.

Tolga Yalkin, Assistant Superintendent at OSFI, reinforced this notion in a comment on how non-financial risk can lead to financial risk:

“When they’re not being monitored and managed, non-financial risks like technology, cyber, geopolitical, and third-party can become financial risks.”

Similarly, the OCC’s proposed recovery planning rule highlighted non-financial risks as a key area to home in on:

“Focusing a recovery plan exclusively on financial risks while neglecting non-financial risks overlooks the very real threats that non-financial risks can pose to a bank’s financial strength and viability.”

The OCC’s proposed rule goes on to state that the risks arising from an increasingly complex strategic environment mean firms are undergoing momentous changes in an attempt to “innovate, digitize, and meet rising consumer demands.” Efforts to meet these demands, optimize risk management, and respond to external uncertainties and financial pressures can result in non-financial stress that influences a firm’s operations.

It’s just as important to factor risks like cyberattacks into operational resilience plans. The International Monetary Fund’s April 2024 Global Financial Stability Report noted that the size of extreme losses resulting from cyberattacks has quadrupled since 2017, to $2.5 billion. Cybercriminals are targeting firms in a variety of ways, such as by disrupting their websites and applications, underscoring the scope of threats firms need to defend against.

On a theme that regulators across jurisdictions have been striving for, Yalkin also noted that OSFI’s new approach is meant to bring additional transparency to what it expects from regulated firms:

“This new standardized approach supports critical financial and non-financial risks to financial institutions…It will also allow us to be more predictable and transparent in the way we inform our stakeholders and the Canadian public about our work.”

This follows aspirations for increased transparency from regulators like the Securities and Exchange Commission (SEC) regarding topics like cooperation with investigations and trigger factors that would lead to actions against compliance functions. By offering expanded clarity on these topics, regulators hope to increase deterrence and offer firms knowledge to prepare and position themselves for success.

Onward with operational resilience

Operational resilience only continues to gain relevance, especially as technologies further transform the way that firms conduct business. In conjunction with frameworks like the Digital Operational Resilience Act (DORA) – the European Union regulation detailing rules for risk management – it’s clear that regulators’ ongoing commitment to clarifying expectations around operational resilience is increasing.

Firms that haven’t already done so would be remiss not to begin seriously considering their approach to recovery planning, so that they can minimize the impact of disruptions and have established lines of defense. It’s important that all business functions recognize their role in contributing to operational resilience. By educating personnel, identifying and remedying gaps, testing the strength of current systems, and investing in solutions that can consolidate compliance, firms can be assured that they are ready for anything.

The time to refine operational resilience procedures is now. Given the transforming financial environment, firms should be prepared for a disruptive event to occur at any time. By employing a trusted third-party solution to assist with processes like data storage, surveillance, or eDiscovery, you can ensure your firm is fit to stand the resilience test.
