Historically, countries have issued broad regulation on resilience to ensure that organisations have a business and IT continuity framework in place, but without imposing strong requirements. In recent years, we have observed increasing threats to financial institutions and to organisations in general. As a result, regulators across the world have pushed for and released stronger and more precise requirements to ensure that organisations actively put the topic on their agenda and improve their true resilience to those threats.

In parallel, technical standards organisations and institutes have released operational guidelines to help companies take concrete action to meet these new requirements. To help you navigate more easily, we have reviewed the new regulations and operational frameworks focusing on resilience released in the last 2 years and organised them by the topics they address and the type of guidance they provide, all the way from strategic principles to operational requirements.

This will allow you to identify which frameworks to use depending on your specific needs, whether that is to set up an Operational Resilience governance framework, to improve your outsourcing policies and so increase the resilience of your supply chain, or to assess the maturity of your cyber defence capabilities.

A wide range of resilience frameworks and standards to choose from, combine and adapt depending on your specific needs

Glossary of Acronyms

BCI: Business Continuity Institute (global)

EBA: European Banking Authority (EU)

ECB: European Central Bank (EU)

ENISA: European Union Agency for Cybersecurity (EU)

FCA: Financial Conduct Authority (UK)

FFIEC: Federal Financial Institutions Examination Council (USA)

FSB: Financial Stability Board (global)

ISO: International Organisation for Standardisation (global)

MAS: Monetary Authority of Singapore (Singapore)

NIST: National Institute of Standards and Technology (USA)

PRA: Prudential Regulation Authority (UK)

1. Wide Operational Resilience strategy and frameworks: The Mindset Shift

  • These frameworks define the key principles and building blocks of Operational Resilience as a new discipline, defining it widely and end-to-end, covering multiple threats and requiring all parts of the organisation to work together
  • The UK consultation papers (FCA, PRA) are pioneering in the financial industry, with key principles and requirements that aim to change the way companies address resilience
  • ISO 22316 provides a wider set of principles and attributes applicable across sectors to help companies “future-proof their business”, with a strong focus on behaviours and people
  • Wide coverage of disciplines and threats
  • Adapts to the organisation: requirements are designed to be applied “proportionately”
  • Focus on what really matters: delivery of critical services to customers / market integrity / firm safety and soundness
  • Focus on actions: resilience is not achieved through a tick-box exercise but continuously
  • Mindset change: principles to change the way organisations operate, the business culture, leadership and senior accountability – use them as a guide to influence best practices and embed resilience by design
  • ISO 22316 only provides high-level principles. The FCA/PRA papers provide a step-by-step approach to setting up resilience but leave companies free to design their own implementation methodology, so neither framework can be used as-is operationally
  • In particular, they provide very little detail or advice on MI (management information), even though having the right controls in place is deemed critical

2. Legal frameworks and requirements on key domains of resilience

  • Financial regulators have recently released legally binding frameworks and operational requirements to increase companies’ resilience on specific topics and improve consistency in market practices
  • In particular, we observe an increasingly firm position on how organisations should address cyber threats and adapt their technology to become more cyber-resilient
  • Most of them address two levels:
    • Core principles, aligned with the Operational Resilience strategy, to set up resilient functions on a narrower scope (e.g. identification of critical services or infrastructure, mapping of assets, continuous testing and governance, applied specifically to cyber defence, 3rd party resilience, etc.)
    • Operational requirements on the controls that should be in place to protect organisations (e.g. documentation, maturity assessment and testing scenarios)
  • Pragmatic detail on the methodologies and artefacts expected, which makes compliance straightforward
  • Address concrete challenges related to specific areas (e.g. cloud for third party outsourcing and specific cyber attacks for cyber defence)
  • Especially strong guidelines on how to set up cyber resilience
  • By definition, these frameworks are narrow and focus on one discipline, which prevents companies from taking a holistic approach to resilience
  • They focus more on risk management and preventing disruption than on maintaining critical activity and recovering within an acceptable timeframe

3. Operational guidelines to deploy resilience from the operational level

  • To help organisations improve their resilience in different key domains, some standards and best-practice guidelines were recently updated to match the requirements set by regulators
  • These contain checklists, concrete actions and exercises to help build bottom-up resilience, starting at the operational level
  • They apply beyond financial services and across the globe
  • Step-by-step checklists of actions to take in one specific domain to increase resilience
  • These standards can accelerate the deployment of resilience as they contain many templates and ready-to-use artefacts
  • Companies can get certified against some of these standards and use this to demonstrate compliance with regulatory requirements
  • These standards are designed as a tick-box exercise for operational use – they do not enable the organisation to change from the top, nor do they point to specific controls or areas to look at
  • They must therefore be used to complement the principles derived from strategic frameworks in order to achieve resilience by design

Key Takeaways

  1. We observe a correlation between the increase in the volume of crises that occur and the number of regulations published. For example, the rising volume of cyber attacks has led to more and more regulation on the topic. In light of this year’s events, it therefore looks very likely that regulators will extend and sharpen resilience requirements beyond IT and cyber defence.
  2. The UK is a pioneer in that it considers resilience holistically, bringing together all disciplines and all threats. Other regulators have placed Operational Resilience on their agenda and are expected to follow with similar principles. All organisations should therefore take action now to deploy resilience principles and frameworks.
  3. To achieve true Resilience by Design, organisations should follow a top-down approach to deploying frameworks, starting by embedding the core principles of resilience at the very top of the organisation, and then operationalising them into strategies and action plans for the key domains of resilience (crisis management, business & IT continuity, cyber defence, IT recovery and 3rd party resilience).
  4. Operational guidelines are useful tools for teams on the ground to accelerate the deployment of resilience methodologies, but should only be used to complement the principles derived from strategic frameworks, so that the mindset genuinely changes.

Mathieu Couturier

Manager
Cybersecurity and Operational Resilience

To start your operational resilience by design journey, you need to consider these frameworks as guidance and inspiration, take the best elements from them and tailor them to your organisation.