Operational Resilience: A new SPM module from HKMA

Publish Date: 1 September 2022

On 31 May 2022, the HKMA released the new Supervisory Policy Manual (SPM) module OR-2 on Operational Resilience. SPM OR-2 aims to set out HKMA’s approach and supervisory expectations on operational resilience by providing guidance on the general principles that authorized institutions (AIs) should consider when building their operational resilience. 

According to the HKMA, “Operational disruptions (including those due to pandemics, cyber incidents, technology failures and natural disasters) can affect the viability of individual financial institutions, and in turn, the stability of the wider financial system". This underscores the significance of operational resilience as a supervisory focus.

We are here to help – Deloitte believes the development and implementation of an operational resilience framework will strengthen your broader business proposition in addition to aligning with HKMA’s expectations and supervisory approach, which are based on the relevant work of The Principles for Operational Resilience (POR) issued by the Basel Committee on Banking Supervision (BCBS) and are Deloitte’s key areas of expertise. 

HKMA expects all AIs to be compliant with requirements relating to the development of its operational resilience framework by 31 May 2023, and those relating to the implementation of the framework no later than 31 May 2026. At a minimum, the HKMA expects AIs to include the following components within its operational resilience framework: 

Operational Resilience Parameters
Mechanism for determining operational resilience parameters, namely identifying critical operations, setting tolerance for disruption for critical operations, and identifying severe but plausible scenarios.

Mapping Exercises 
Identify and document: (i) the people, processes, technology, information, and facilities; and (ii) the interconnections and interdependencies among these factors that are necessary for the AI to deliver its critical operations.

Risk Management Policies and Frameworks
Leverage different risk management frameworks, as appropriate, to offer holistic and comprehensive support to the critical operation, and be prepared to manage all risks with the potential to affect critical operations delivery.

Scenario Testing
Regular testing of the operational resilience framework to ensure the ability to continue delivering critical operations through disruptions, including under severe but plausible scenarios

Incident Management
Establish an effective incident management programme to manage all incidents, especially those that may impact critical operations.

Did you find this useful?