Andrew Cunningham explains the difference between operational risk and operational resilience, and looks at Basel III’s new standards and how banks can comply with them.
Earlier this year, the Basel Committee on Banking Supervision published new standards on operational risk and on operational resilience.
They were two separate documents, but they were published simultaneously, demonstrating the extent to which these two issues – which are conceptually different – share many common features.
The difference between operational risk and operational resilience
Operational risk is one of the three key risks – along with credit risk and market risk – that drive banks’ Pillar One capital ratios.
When discussing operational risk, we consider the potential losses that a bank could suffer because of certain events. These include, for example, the failure of its IT systems or a faulty internal control that enables fraud. We then measure the losses that arise from such events in terms of their impact on earnings and capital.
However, operational resilience requires us to think about a bank’s ability to maintain or restore an essential service after an event, such as a cyber-attack or an IT failure.
Operational resilience assumes that the bad event has already occurred and questions the impact of that event on banks’ customers and on the financial system.
Basel III’s operational risk and resilience standards
Not much has changed in recent years, in terms of our understanding of where operational risks exist.
Basel published new operational risk standards this year that focus on implementation – and whether banks have the right analytic tools to monitor and measure operational risk effectively – rather than fundamental risk issues.
The situation with operational resilience is very different. There’s a belief that fundamentals have changed. The risk of significant disruptions to critical services has increased due to more frequent climate events and greater exposure to cyber-security incidents and technology failures.
Some of these issues have been heightened by Covid-19, which has led to more services being delivered remotely, sometimes through less secure digital channels.
More fundamentally, we need to see regulators’ current focus on operational resilience as another step in their efforts to strengthen financial systems – following the global financial crisis of 2008 and the European sovereign crisis of 2013.
Implementation of the various Basel III standards has led to banks being better capitalised and more liquid than before, with better governance and risk management.
But Basel’s work on operational resilience recognises that despite banks being stronger and better managed, disruptions to services will sometimes happen.
Regulators want to make sure that when such disruptions could cause harm, either to the financial sector or to customers, they will be quickly remedied.
How can banks implement operational resilience?
To comply with the new standards, banks first need to identify the critical services that they provide.
Examples of critical services could include customers’ online access to their bank accounts, or proper functioning of ATM cards and debit cards. If a bank provides payroll services to companies, such payroll services would probably be considered an essential service.
Banks must then define their tolerance for the disruption of their essential services. What is the maximum acceptable time for that service to be unavailable before it harms customers or the financial system?
Finally, the bank needs a plan for restoring the service within its stated tolerance.
A crucial element – in both setting tolerances and planning to restore the service – is understanding all the different pieces that together enable the bank to provide the service.
The bank needs to understand all the links in the chain – from end to end – and ask itself how quickly it could fix one of those ‘links’ if it were broken.
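The three steps above (identify critical services, set an impact tolerance, map the end-to-end chain and check how quickly each link could be repaired) can be turned into a simple self-assessment. The following is an added example, not code from the article or from the Basel Committee; the services, links, repair times and tolerances are constructed for illustration, and it also derives the tightest deadline that a link shared by several services must meet.

```python
from collections import deque

# Constructed sample data (hypothetical, not from the article): each critical
# service or internal link names the links it depends on directly.
DEPENDS_ON = {
    "online_banking": ["web_frontend", "core_ledger"],
    "atm_debit": ["card_switch", "core_ledger"],
    "payroll": ["batch_scheduler", "payments_gateway", "core_ledger"],
    "web_frontend": ["identity_provider"],
    "payments_gateway": ["hsm"],
    "card_switch": ["hsm"],
}
# Hours needed to repair each link once it has broken (constructed estimates).
RECOVERY_HOURS = {
    "web_frontend": 1, "identity_provider": 1, "core_ledger": 3,
    "card_switch": 2, "batch_scheduler": 6, "payments_gateway": 4, "hsm": 30,
}
# Impact tolerance: maximum acceptable outage per critical service, in hours.
TOLERANCE_HOURS = {"online_banking": 4, "atm_debit": 2, "payroll": 24}

def chain(service):
    """Every link the service relies on, directly or transitively (end to end)."""
    seen, queue = set(), deque(DEPENDS_ON.get(service, []))
    while queue:
        link = queue.popleft()
        if link not in seen:
            seen.add(link)
            queue.extend(DEPENDS_ON.get(link, []))
    return seen

def required_recovery():
    """Tightest repair deadline each link must meet, taken over every critical
    service whose chain includes it (a shared link inherits the strictest)."""
    deadline = {}
    for service, tolerance in TOLERANCE_HOURS.items():
        for link in chain(service):
            deadline[link] = min(tolerance, deadline.get(link, tolerance))
    return deadline

def breaches():
    """Single-link failures that would keep a service down longer than its
    tolerance, as (service, link, repair hours, tolerance hours) tuples."""
    found = []
    for service, tolerance in sorted(TOLERANCE_HOURS.items()):
        for link in sorted(chain(service)):
            if RECOVERY_HOURS[link] > tolerance:
                found.append((service, link, RECOVERY_HOURS[link], tolerance))
    return found

if __name__ == "__main__": print(*breaches(), sep="\n")
```

Running it lists the links whose repair time alone would breach a service’s tolerance; in the sample data the shared ledger and the HSM are the links that need faster recovery or redundancy.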