
The expanding scope of operational resilience regulatory requirements

Andrew Lingley

Updated: Nov 25, 2024

We look at how operational resilience regulatory requirements are undergoing expansion on a global scale, how this will impact your organisation, and what you can expect over the next decade.

Operational resilience can be defined as a company’s ability to prevent, withstand, and respond to disruptions.

Financial services firms are particularly vulnerable to disruption because the potential operational risks they could face are significant, and could be enormously detrimental to our global economy and society. It’s why the financial services industry operates in a highly regulated environment, and why recent operational resilience compliance mandates centre on these firms.

In today’s landscape of fast-paced transformation, building operational resilience is crucial for all companies, regardless of size, industry, or revenue. Financial services may be the first to undergo operational resilience regulation, but they will by no means be the last.

A proactive approach to compliance is essential for navigating the web of mandates that vary across regions, which we explore below.

Understanding operational resilience mandates around the globe

Operational resilience mandates are taking root in various parts of the world, and financial institutions need a comprehensive understanding of the regulatory landscape. Key jurisdictions include:

What all these regulatory requirements have in common

Despite regional variations, these operational resilience regulations share common themes, including:

  • Standardisation and compliance: Each jurisdiction emphasises the need for financial entities to adhere to standardised frameworks and guidelines, promoting consistency and compliance across the industry.

  • Risk mitigation: The regulations aim to strengthen operational resilience by addressing and mitigating various operational risks, including those related to technology, cybersecurity, and business continuity.

  • Adaptability: Regulations acknowledge the evolving nature of operational risks and the financial landscape, emphasising the importance of adaptable frameworks to effectively respond to emerging challenges.

  • Holistic approach: Whether through directives, frameworks, or guidelines, the regulations collectively advocate for a comprehensive and integrated approach to operational resilience, recognising its multifaceted nature across all aspects of risk management and governance.

How did we get here? The journey to an outcomes-based approach

Heidi Richards, Regulatory Strategy and Compliance Advisor for CPS 230, discusses APRA’s recent operational resilience mandates as a natural evolution and restatement of existing requirements:

“Operational resilience may be the latest buzzword that regulated financial institutions need to learn, but it’s not a new concept. The emphasis on resilience to operational disruptions is just the flip side of the management of operational risks. But the shift in language reflects an important evolution in regulatory philosophy - toward targeting good outcomes for companies and their customers, with accountability on the company to achieve those outcomes.

This shift in thinking results from decades of regulatory experience with enforcing more and more standards, checklists and processes, which have not resulted in any obvious reduction in operational failures among regulated financial institutions.

APRA’s new standard CPS 230 is, in fact, largely a restatement and to some extent a streamlining of existing prudential requirements. What’s new is the expectation of a more comprehensive and outcomes-focused approach to operational risk management across business units and across the traditional risk and compliance silos of business continuity planning, outsourcing and information security.

The outcomes focus is evident in the requirement that financial institutions set their own risk tolerances for resilience outcomes, and demonstrate that they are managing to those tolerances. To do this, the operational resilience mindset starts with the critical business processes and product/service operations, rather than risk management teams, processes and controls.”

Future expectations over the next decade

Operational resilience regulations, while currently focused on the financial services sector, are poised to expand in scope globally. Businesses are urged to act proactively now to fortify their organisations against future disruptions. Anticipated developments over the next decade include:

  • Broadening geographical reach: Other countries are likely to adopt similar frameworks, extending the regulatory landscape.

  • Deepening risk management programs: Current risk management programs must evolve to meet the heightened demands of operational resilience regulations.

  • Cybersecurity and data breaches: Increasingly common disruptions, such as cybersecurity issues and data breaches, will continue to expand the need for enhanced resilience and drive increased regulatory requirements.

Operational resilience goes well beyond regulatory requirements

Operational resilience is much more than a regulatory requirement; it is a strategic imperative for businesses. Organisations should recognise its broader significance and act promptly to build resilience proactively. This encompasses preparing for unforeseen challenges to ensure sustained operational integrity.

As operational resilience regulations continue to evolve globally, financial services firms must not view compliance as a mere checkbox exercise. Instead, they should perceive it as an opportunity to enhance overall organisational resilience and navigate the uncertainties of the future. The time to act is now.

© 2024 Drova Pty Ltd. All rights reserved.