Disaster Recovery Journal Summer 2023
In 2021, the Office of the Superintendent of Financial Institutions announced its intent to review E-21 to focus more on operational resilience. There have been no changes released to date.

U.S. Board of Governors of the Federal Reserve System

In the U.S., the Board of Governors of the Federal Reserve System's guidance is less explicit than others and is not a direct regulation. The board guides the Federal Reserve System and calls on organizations to use sound practices, existing regulation, and common industry standards for operational resilience, with additional guidance about critical operations and market considerations.

EU's Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is designed to ensure the financial sector is able to remain resilient when faced with a severe operational disruption or ICT-related incidents. It covers five core areas of governance, third-party risk mitigation, incident reporting, resilience testing, and information sharing. The guidelines promote a broader, strategic perspective for organizations through their intent to standardize and evolve existing practices. Once DORA becomes law in each of the integrated states, other technical requirements will be developed and released. Full implementation is expected by 2024.

Central Bank of Ireland

The Central Bank of Ireland's Cross Industry Guidance on Operational Resilience is designed to help organizations prepare for, respond to, recover, and learn from operational disruptions that affect delivery of important business services. As such, organizations are expected to begin the process of mapping all important business services. Provided in these guidelines is a 15-point list outlining what goes into a successful operational resilience program. There is an expectation that organizations develop action plans to address operational vulnerabilities aligning with the guidance by December 2023.

Monetary Authority of Singapore (MAS)

The updated MAS guidelines focus more on business continuity than operational resilience. These guidelines require financial institutions to "take an end-to-end service-centric view in ensuring the continuous delivery of critical business services to their customers." The updates to existing guidelines speak to an approach of having business continuity address emerging resilience best practices rather than creating new operational resilience requirements. In 2021, MAS released guidelines for technology risk management. These guidelines outline risk management principles and best practices standards, which should be commensurate to the organization's risk level and service-offering complexities. The updated business continuity guidelines should come into effect in June 2023.

Australian Prudential Regulatory Authority (APRA)

In July 2022, the Australian Prudential Regulatory Authority (APRA) proposed new operational risk management standards for all of its regulated entities. Among the requirements, organizations will have to demonstrate effective internal controls, be prepared to continue delivery of critical services during a disruption, and manage risks associated with service providers. Once finalized, APRA will develop and release an action plan for standard implementation.

Hong Kong Monetary Authority

The HKMA released its supervisory policy manual outlining guidance for its Banking Authorized Institutions (AIs) in 2022. It offers step-by-step guidance to develop an operational resilience framework and determine parameters, including identifying critical operations, setting disruption tolerances, and identifying severe but plausible scenarios. All AIs are expected to have developed their frameworks and established an implementation timeline by May 31, 2023, and have the framework implemented no later than May 31, 2026.

Michael Bratton is the principal consultant for Riskonnect. Bratton has consulted with a diverse range of clients spanning numerous industry verticals and sizes. He specializes in translating business and organizational requirements into recovery strategies and response frameworks that help organizations effectively respond to disruptions.

For a closer look at operational resilience regulations, download Riskonnect's white paper, "Operational Resilience: Navigating the Global Regulatory Landscape."