FINMA Circular 2023/1 – Chapter V: Ensuring operational resilience – Part 1
Managing the operational continuity risks of business processes and ICT systems has been a key focus for many institutions in recent years. However, ensuring end-to-end operational resilience along the full value chain, rather than for single processes and ICT systems in isolation, will represent a major shift for most current business continuity management systems.
Regulators are taking increased measures to prevent incidents that could have a severe impact on the industry and the broader economy. The recently released FINMA circular 2023/1 sets out the principles for managing operational risks and resilience. The circular is intentionally not prescriptive, which means that organisations need to interpret the principles set out in the circular and tailor the implementation of the regulation to their particular circumstances.
Five pillars to strategic implementation of operational resilience
The new regulation highlights the need for in-scope financial institutions to ensure that their level of operational resilience is adequate, and that the organisation can deliver the required minimum business service outcomes in times of ‘severe but plausible’ disruptions.
We propose a five-pillar approach to meeting the heightened requirements and managing the organisation’s own level of operational resilience effectively:
[Figure: five-pillar approach to operational resilience; recoverable pillar label: Critical Data Definition]
By 1 January 2026, FINMA requires organisations to fully comply with the circular and therefore to be operationally resilient. By that date, organisations should have addressed existing vulnerabilities and implemented the additional measures required to remain within the tolerances for disruption of their critical functions when a severe but plausible disruptive event occurs.
However, FINMA’s first transition tollgate of 1 January 2024 already expects organisations to have an initial inventory of their critical functions approved by the Board of Directors. The inventory must contain the tolerances for disruption of the critical functions, as well as the identified connections and dependencies between the critical processes and the resources that provide the critical functions.
Therefore, the time for action is now. To ensure compliance, organisations should be in the process of addressing the first pillars of Operational Resilience. The two main challenges from an Operational Resilience perspective that organisations will be confronted with throughout the remainder of 2023 are:
- How to initially identify the organisation’s critical functions; and
- How to define tolerance(s) for disruption per critical function
In addition, the required remediation of long-known vulnerabilities that are difficult and complex to address will likely trigger larger efforts spread across multiple years. As a consequence, organisations should consider kicking off some of this work in 2023 already in order to meet the final deadline of 1 January 2026.
According to FINMA’s definition, critical functions include:
- the activities, processes and services – including the underlying resources necessary for their provision – whose disruption would jeopardise the organisation’s continuation or its role in the financial market and thus the proper functioning of the financial markets; and
- the systemically important functions under article 8 in the Swiss Federal Act on Banks and Savings Banks (Banking Act; BA).
Our assumption is that FINMA does not expect organisations to identify a large number of critical functions. The primary goal of the exercise is to focus on the critical end-to-end value chains absolutely required to ensure that a minimum tolerable level of critical services and business outputs can be delivered at any point in time, even when facing a ‘severe but plausible’ disruption scenario (a major crisis).
Typical candidates that may qualify as critical functions for select organisations include the domestic deposit and lending business, as well as payment transactions. However, identifying the critical functions is a task that each organisation needs to tackle individually, and it is highly dependent on the organisation’s business model. An asset manager may well include portfolio management as a critical function, whereas a retail bank might rather identify serving client credits as a critical function of its business.
To evaluate whether a function in an organisation is deemed ‘critical’, a qualitative assessment approach should take primacy. The following outlines some examples for a comprehensive ‘aide memoire’, to be developed individually by each organisation, that supports the qualitative assessment process:
Whether a function is deemed ‘critical’ within the organisation is ultimately an executive management and board decision. Diligently preparing and documenting the rationale on which the identification of a critical function is based, and then supporting that rationale with additional data evidence, will help a) to obtain the required senior management endorsement, and b) to ensure defensibility and auditability at a later stage.
Traditional Business Continuity Management (BCM) activities focus on identifying recovery time objectives (RTOs) for the critical processes of an organisation. RTOs define the desired recovery time, i.e., by when a process should be fully back to normal operations. Even with the new operational resilience requirements, BCM remains important and required by the regulator (refer also to FINMA circular 2023/1 – chapter IV E).
However, past crises have demonstrated that in severe but plausible disruption scenarios such as a large-scale cyber-attack with complete loss of ICT, multiple processes will typically fail in parallel. Traditional BCM measures are designed around isolated failures and the recovery of specific systems, and a cyber-attack that affects primary and backup environments alike can defeat those measures. Achieving the desired recovery times for all processes within their defined RTOs is therefore unlikely in such a scenario. The organisation will need to prioritise and navigate the crisis with a reduced set of capabilities.
This is where the newly introduced tolerances for disruption of critical functions come into play. The tolerance for disruption is the extent, in terms of duration or expected damage, of the disruption of a critical function that the organisation is willing to accept. The tolerances therefore need to define the minimum level of service and outputs required from a critical function during a crisis, for as long as normal operations cannot be restored. Unlike an RTO, a tolerance is expressed as a business outcome rather than as the recovery of a particular system, which is what allows it to remain meaningful when several systems fail at once.
When defining tolerances for disruption of critical functions, organisations should consider the following steps:
- Formulate the minimum service and outputs of the function required to avoid any intolerable harm for the organisation, its clients and the wider financial market.
Note: As an initial starting point, the organisation may leverage the rationales previously developed to explain why the function is deemed ‘critical’. In addition, the RTO targets already defined for the underlying processes from a BCM perspective can provide orientation.
- Gather additional data/evidence to back up and rationalise the minimum service and outputs defined.
- Document the tolerance for disruption in the form of an outcome-based objective statement. In addition, document the rationale and the additional data/evidence explaining why the respective tolerance for disruption was chosen.
Conclusion
Financial institutions need to prioritise the initial identification of the organisation’s critical functions as well as their related tolerances for disruption, as FINMA’s first transition tollgate on 1 January 2024 is quickly approaching. In addition, the remediation of long-known vulnerabilities, which will likely require significant effort, should kick off now to meet the final deadline of 1 January 2026.
The initial definition of critical functions and their tolerances of disruption will likely be a more complex task than initially thought. This process requires an iterative approach with the involvement of senior stakeholders of multiple business areas in the organisation. Once defined, they will ultimately be a reflection of senior management’s top business priorities during crisis times.
Our team has successfully supported and continues to support numerous institutions in addressing the same challenges and we would be delighted to assist your organisation in achieving compliance with this new regulation.