In a time where business disruptions and cybersecurity incidents are inevitable, operational resilience has become a prominent focus area for the Central Bank of Ireland (CBI).
As a result, the CBI released its Cross Industry Guidance on Operational Resilience in December 2021 and gave firms in the financial services sector a maximum of two years to implement it. By December 2023, all financial institutions will need to be able to demonstrate that their operational resilience strategies are aligned to the guidance.
As Irish Credit Unions continue to improve their operational resilience capabilities, understanding and implementing the guidelines set out by the CBI provides a significant opportunity for Credit Unions to enhance the continuity of critical business services.
This article breaks down the key components of operational resilience as set out in the CBI guidance and provides a roadmap for Credit Unions in Ireland to implement them with confidence.
What is Operational Resilience?
In the context of the CBI guidance, operational resilience refers to the ability of a financial services organisation to prepare for, respond to, and recover from operational disruptions such as cyber-attacks, natural disasters and system failures, by not only preventing risks but minimising their impact when they occur. A key component is for financial services organisations to understand that disruptions will happen and to be prepared to respond effectively, ensuring the continuity of critical business services and protecting both customers and the integrity of the financial system.
How to apply it to your Credit Union
To apply the guidelines successfully, your Credit Union, together with its board members and senior management, needs to buy into the development of a dynamic operational resilience strategy that is integrated into both day-to-day operations and long-term planning. Ultimately, a successful operational resilience framework is built on three core pillars.
The Pillars of Operational Resilience
1. Identify and Prepare
According to guidelines, Credit Unions are expected to ensure the following is in place:
- Governance: The Board is responsible for the Credit Union’s Operational Resilience, ensuring it aligns with internal Governance and Risk Management Frameworks.
- Identification of Critical or Important Business Service: The Board approves criteria, and the Credit Union identifies its critical or important business services.
- Impact Tolerances: For each critical or important business service, impact tolerances are approved, and clear impact tolerance metrics are developed.
- Mapping of Interconnections and Interdependencies: Credit Unions must map the delivery of critical services, including third-party dependencies.
- ICT and Cyber Resilience: Credit Unions need ICT and Cyber Resilience strategies, documenting and testing their ability to stay within impact tolerances under severe scenarios.
2. Respond and Adapt
According to guidelines, Credit Unions are expected to ensure the following is in place:
- Business Continuity Management: Is fully integrated into the Operational Resilience Framework and linked to the Credit Union’s risk appetite.
- Incident Management: The Incident Management Strategy needs to be fully integrated into the Operational Resilience Framework.
- Communication Plans: Internal and External Crisis Communication plans should be fully integrated into the Operational Resilience Framework.
3. Recover and Learn
According to guidelines, Credit Unions are expected to ensure the following is in place:
- Lessons Learned Exercise and Continuous Improvement: Lessons learned exercises are conducted after disruptions to enhance capabilities in adapting and responding to future events, and promote a culture of learning and continuous improvement as operational resilience evolves.
Key Steps to Operational Resilience
Step 1: Establish a Governance Framework
Establish an Operational Resilience Framework that is primarily the responsibility of the board, which oversees and approves strategies to enhance the resilience of critical business services. This top-down approach ensures that operational resilience is a fundamental aspect of strategic decision-making and resource allocation. Board members are expected to have a comprehensive understanding of the Credit Union’s operational resilience, challenging and directing senior management who are equipped with the necessary resources for this purpose. Regular and effective management information should be provided to the board, enabling informed decisions about investments and risk management.
The board also has the duty to annually review and approve all components of the Operational Resilience Framework, including critical services, impact tolerances, and scenario analyses. The framework should be integrated with existing governance and risk management structures, embracing a holistic approach that combines operational risk and business continuity. This comprehensive strategy should be implemented across various business areas, such as operations, risk, and finance, to ensure the Credit Union’s preparedness against a wide range of disruptions.
Step 2: Identification of Critical or Important Business Services
In enhancing operational resilience, defining criteria for identifying critical or important business services is a task that should be overseen and approved by the board. These criteria are designed to prioritise services during disruptions, considering their impact on customers, and overall financial stability. The board should review and approve these criteria annually or when significant business changes occur.
Once criteria are established, the Credit Union needs to identify its critical or important services. Traditionally, Credit Unions may have focused on protecting individual systems and processes; however, operational resilience demands a broader view, emphasising the protection and continuous delivery of key business services, especially during disruptions. This process should draw on knowledge from existing business functions and adopt an outcomes-based approach, acknowledging that such critical services vary across organisations and sectors.
The board is responsible for annually reviewing and approving services deemed critical or important. These services are identified to establish clear impact tolerances, map the end-to-end delivery process (including dependencies on third parties), and conduct scenario testing for potential severe disruptions. Additionally, a Credit Union should assess whether the number of services classified as critical or important is proportionate to its business’s nature, scale, and complexity.
Step 3: Impact Tolerance
Credit Unions should develop impact tolerances for each critical or important business service, assuming disruptions will occur. Impact tolerances define the maximum acceptable level of disruption, set at the point where further disruption would risk the Credit Union’s viability, safety, soundness or financial stability, or cause significant customer detriment. These tolerances are planning tools, not compliance measures, helping Credit Unions gauge their operational resilience during unplanned disruptions. They indicate the time frame within which a disrupted service must be restored.
Impact tolerances must be tested against severe but plausible scenarios to ensure appropriateness. The board should annually review and approve these tolerances, or reassess them after disruptions, to ensure they remain relevant. While aligned with a Credit Union’s risk appetite, impact tolerances differ in focus. Risk appetite considers the likelihood and impact of potential risks, whereas impact tolerances deal with the aftermath of a risk event occurring, implying the risk appetite has already been breached.
Impact tolerances guide operational resilience improvements. Firms have flexibility in setting these for their services, potentially incorporating criteria from Business Impact Analysis, Recovery Time Objectives, Recovery Point Objectives and Maximum Tolerable Outage. Each critical or important service should have at least one clear, measurable impact tolerance metric, which can be qualitative or quantitative. Metrics should specify outcomes and measurements, with at minimum a time-based metric indicating the maximum duration of disruption tolerable for a service.
To handle various disruption types, Credit Unions might consider additional metrics, such as the maximum number of affected customers, transactions, or transaction values. These metrics are not exhaustive and should be tailored to each service, reflecting the organisation’s nature, scale, and complexity.
Step 4: Mapping of Interconnections and Interdependencies
To maintain critical or important business services within defined impact tolerances, Credit Unions need a comprehensive understanding of how these services are delivered and where they could be disrupted. This involves mapping the entire chain of activities essential for each service, including identifying critical points of failure, dependencies, and key vulnerabilities. Firms must document and map all necessary resources—people, processes, information, technology, facilities, and third-party service providers—involved in delivering these services. This detailed mapping should be collaborative across business units, aiming to understand how the various resources combine to deliver each service, and recognising the ownership and source of each resource.
The complexity of a Credit Union’s operations, especially with increased reliance on third parties, results in a network of interconnections and interdependencies. This complexity heightens risks, as disruptions in any part of this network can impact the Credit Union, even if the disruption is external. Therefore, capturing these dependencies in the mapping process is crucial for managing operational disruptions. Firms must manage dependencies on third parties effectively, ensuring that these relationships are detailed in service mappings and that critical services can remain within impact tolerances even when reliant on Third Party Service Providers (TPSPs). This involves conducting due diligence on TPSPs, having legally binding agreements detailing service maintenance during disruptions, and considering the geographical location of the TPSPs.
Credit Unions should be mindful of supply chain outsourcing (sub-outsourcing by their providers), which can further complicate service management. Clear agreements regarding the impacts of supply chain outsourcing are essential. This mapping guideline complements the Central Bank’s broader guidance on outsourcing and forthcoming regulations related to ICT TPSPs, underscoring the importance of thorough and proactive management of external dependencies and interdependencies to safeguard operational resilience.
Step 5: ICT and Cyber Resilience
In the context of operational resilience, technology and information are critical components of most business models, necessitating robust and resilient information and communication technology (ICT) infrastructure and information asset protection. Credit Unions should adhere to industry best practices in protection, detection, response, and recovery, especially for technology involved in delivering critical or important business services. This includes compliance with the relevant guidelines when third-party IT systems or technology resources are used. Regular testing of the identified systems against severe but plausible scenarios is essential to ensure service continuity during significant disruptions. Credit Unions should integrate ongoing threat intelligence and situational awareness into their operational resilience programmes, aligning them with IT risk management, security management, incident management, and continuity/disaster recovery programmes. This approach should be in line with the Central Bank’s guidance on technology and cybersecurity risks, as well as the various European Supervisory Authority guidelines and forthcoming regulations such as DORA and NIS2.
Penetration testing plays a pivotal role for Credit Unions in safeguarding their IT infrastructure and strengthening their Cyber Resilience. It serves as a proactive measure in identifying vulnerabilities and weaknesses in systems before malicious actors have the opportunity to do so.
By simulating real world threats, your Credit Union can gain a comprehensive view of its security posture, ensuring that critical business services are protected against potential breaches.
By embracing regular penetration testing in addition to aligning to other information security best practices, you not only protect your Credit Union’s sensitive information but also demonstrate its commitment to security, building trust with your membership.
Peter McMillan, Cybersecurity Consultant
Step 6: Testing Scenarios
Credit Unions must conduct scenario testing to validate their capacity to stay within impact tolerances for all critical or important business services under severe but plausible scenarios. This testing, which depends on detailed service mapping, should reflect the organisation’s unique risk profile and operational complexity. It involves a range of testing methods to uncover vulnerabilities, including those arising from dependencies on third parties. The findings should inform strategic decisions to bolster weak points, adapt delivery channels, and improve overall capacity and efficiency. The board is responsible for reviewing test results and, together with senior management, must act to fortify services and allocate resources effectively. This process includes formulating and implementing remediation plans, with subsequent board review and approval, ensuring the organisation’s preparedness and adaptability in the face of operational disruptions.
Crisis management exercises are an effective tool by which robust cybersecurity strategies are formed. In a simulated crisis, teams don’t just follow protocols; they learn the art of adaptation and rapid decision-making. It’s in these moments that the theoretical becomes practical, vulnerabilities are unearthed, and true resilience is built. The best defence is not just a good offence, but a well-rehearsed one.
Sean Crowley, Director
Step 7: Business Continuity Management
Business Continuity Management (BCM) is a vital component of an organisation’s operational resilience, going beyond traditional BCM’s focus on single points of failure, such as systems, people, or processes. It involves a holistic response to disruptions, considering how these failure points can affect the end-to-end delivery of critical or important business services. When disruptions occur, the Business Continuity Plan (BCP) should be activated, aligning with the Operational Resilience Framework by including scenario testing and considering third-party interdependencies. An effective BCP integrates invocation processes, impact analyses, recovery strategies, training, and crisis management. Credit Unions should map critical services, develop recovery plans within approved impact tolerances, and ensure key personnel are trained to execute contingency arrangements. Additionally, when third-party dependencies are involved in delivering critical services, Credit Unions must verify that these arrangements meet operational resilience standards and are capable of maintaining impact tolerances, with annual reviews and tests, including plans for substituting dependencies in unexpected disruptions.
Step 8: Incident Management and Communication Planning
Incident management is a crucial element of operational resilience, requiring organisations to handle the entire lifecycle of an event, from incident classification and response activation to post-incident reviews and lessons learned. Aligned with the Operational Resilience Framework, Credit Unions must develop response and recovery plans to manage incidents that could disrupt critical or important business services, considering impacts on risk appetite and tolerance metrics. Maintaining an inventory of response and recovery steps, impacted resources, and communication plans is essential. These procedures should be regularly reviewed, tested, and updated, with a focus on identifying and addressing root causes to prevent recurring incidents.
Additionally, an effective crisis communication plan is vital, either as part of the Operational Resilience Framework or within the BCM/recovery plans, to ensure efficient communication during disruptions. This plan should involve preparing key resources and experts to minimise disruption impacts. Credit Unions must develop comprehensive internal and external communication strategies, including escalation routes for decision-makers and operational staff, and plans for communicating with customers, stakeholders, and regulators. This holistic approach to incident management and communication planning is critical for managing and mitigating the effects of disruptions on operations.
Step 9: Recover and Learn
Credit Unions should conduct a lessons learned exercise following any disruption to critical or important business services, including disruptions at third-party providers. Using data from incident management or disaster recovery processes, these exercises enable organisations to reflect on their operational resilience approach, creating a feedback loop for continuous improvement. Predetermined criteria or questions should guide these exercises, focusing on the cause of the incident, vulnerabilities, impact on service delivery, appropriateness of risk controls, recovery processes, and the adequacy of impact tolerances. The exercises should lead to remediation measures, adjustments in impact tolerances, and updates to the self-assessment documents presented to the board.
Continuous improvement in operational resilience involves learning from experience and regularly updating operational approaches and technology infrastructure. This process should be part of ongoing governance discussions, not just a post-disruption activity. Credit Unions should foster a culture of continuous improvement, ensuring operational resilience is integral to strategic decisions. Changes to strategy or business models should be assessed for their impact on the critical services and activities identified in mapping exercises. Annual self-assessments should document compliance with operational resilience policies, covering all three pillars of resilience, ensuring no emerging vulnerabilities are overlooked. This includes rationalising the criteria for identifying critical services and the approaches to impact tolerances, mapping, and scenario testing, ensuring alignment with regulatory guidelines.
Conclusion
For Irish Credit Unions, the CBI’s Cross Industry Guidance on Operational Resilience isn’t just a regulatory necessity; it’s an opportunity to embrace. Adapting to this changing environment goes beyond compliance – it’s about enhancing the robustness and reliability of essential business services.
Whether you are in the process of implementing an operational resilience framework ahead of the Central Bank’s December 2023 deadline or haven’t yet started on your journey, our team is here to guide you every step of the way.
Get in touch if you need any advice or guidance to support you in your journey to compliance.