Following the HKMA’s 21 April 2021 circular highlighting the additional guidance issued by the Basel Committee on Banking Supervision (BCBS) on 31 March 2021, namely the Principles for Operational Resilience (POR) and the Revised Principles for Sound Management of Operational Risk (Revised PSMOR), the HKMA launched a consultation on 22 December 2021 on a new proposed Supervisory Policy Manual (SPM) module OR-2 (Operational Resilience) and proposed amendments to existing SPM modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management) in order to align with the BCBS’s operational resilience guidance. The HKMA’s consultation period ended on 4 February 2022.
The HKMA proposals are important for all authorised institutions (AIs) as they set out the HKMA’s supervisory approach towards operational resilience, operational risk management policies and business continuity plans.
- The HKMA notes that operational disruptions (including those due to pandemics, cyber incidents, technology failures and natural disasters) can affect the viability of individual financial institutions, and in turn, the stability of the wider financial system.
- AIs should keep a close eye on the outcome of this consultation exercise as they will be judged against these new standards in the event of a disruption to their business, in particular the delivery of their critical operations.
- The HKMA has said that it will, according to its risk based supervisory approach, assess the effectiveness of the operational resilience frameworks of AIs through a combination of risk-focused on-site examinations, off-site reviews and prudential meetings. Where needed, AIs may also be required to submit self-assessments of their ability to remain operationally resilient.
The recent focus by Hong Kong regulators on operational resilience (please see our bulletin covering the recent guidance from the Securities and Futures Commission on operational resilience and remote working here) is part of a global regulatory trend to improve the operational resilience of financial institutions.
In the United Kingdom (UK), the deadline for complying with the new Bank of England, Prudential Regulation Authority (PRA) and the Financial Conduct Authority’s initial requirements around operational resilience is 31 March 2022. 31 March 2022 is also the compliance deadline for the PRA requirements on outsourcing and third party risk management. Similar to the HKMA, the UK regulators have adopted a phased implementation approach, though the implementation timescales are different. Please see our bulletins dated 7 April 2021, 10 May 2021, 11 May 2021, 21 September 2021 and 2 December 2021 for more details on the UK developments.
The recent HKMA proposals contain the same concepts as the UK requirements and the BCBS’s POR, such as setting tolerances for disruption and identifying severe but plausible scenarios, signalling harmonisation of standards across different jurisdictions. This will hopefully reduce the compliance burden on firms that operate across borders in the long run.
Currently, the HKMA is proposing that, by one year after the date upon which the final OR-2 module is issued, an AI should have:
(a) Developed its operational resilience framework; and
(b) Determined the timeline by which it will have implemented the operational resilience framework, and become operationally resilient.
For the purposes of (a) above, AIs are expected to have identified the operational resilience parameters and commenced a basic programme of mapping. The HKMA recognises that AIs may not be able to produce mapping that reaches the full level of sophistication at the initial stage, and instead, would expect AIs to make continual improvements as they obtain more experience in implementing their operational resilience frameworks.
The HKMA expects AIs to become operationally resilient as soon as practicable. However, taking into consideration the need to accommodate AIs of different size and complexity, the HKMA has decided to allow AIs up to two years to become operationally resilient. In other words, the timeline specified under (b) above should not extend beyond two years from one year after the date upon which the final module is issued, i.e., not beyond three years from the date upon which module OR-2 is issued.
The proposed amendments to existing SPM modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management) will come into effect once the HKMA finalises and publishes the modules.
Key highlights from the new proposed SPM module OR-2 (Operational Resilience)
Requirements for operational resilience
The HKMA has stated that it will consider an AI to be operationally resilient under the new proposed SPM module if it satisfies the requirements below. AIs should develop a holistic operational resilience framework which enables them to satisfy such requirements.
Identify and mitigate risks that may threaten delivery of critical operations and critical functions of AIs
“Critical operations” refers to (1) activities, processes, and services performed by an AI and (2) the supporting assets (including people, technology, information and facilities) necessary for the delivery of such activities and services, which if disrupted, could pose (a) material risks to the viability of the AI itself or (b) impact the AI’s role within the Hong Kong financial system.
When identifying its critical operations, an AI should take into consideration a set of defined criteria. These criteria should encompass both (a) and (b) above but a given operation need not impact both (a) and (b) in order for it to be classified as a critical operation.
Critical operations should include any “critical financial functions”, as defined in the Code of Practice “CI-1 Resolution Planning – Core Information Requirements”, that may be performed by the AI. An AI may also, where appropriate, leverage on relevant concepts covered within its recovery and resolution plans.
Continue to deliver critical operations when disruptions occur, including under severe but plausible scenarios
For this purpose, disruptions to an AI’s critical operations must not exceed its “tolerance for disruption”, which is defined as the maximum level of disruption to a critical operation that an AI can accept, and is in practice the point after which further disruption would pose risks to the viability of the AI or impact its role within the Hong Kong financial system.
“Severe but plausible scenarios” refer to situations that would result in significant disruptions and, while unlikely to occur, remain plausible.
- A tolerance for disruption should be set for each critical operation. It should include at least a time-based metric, but may also include a combination of other quantitative (eg, volume or value of transactions) and qualitative metrics (eg, reputational or legal implications).
- AIs should be aware that their operational capabilities may vary during different business cycles or as a result of seasonal factors. For instance, during the periods of time when more initial public offerings are launched, an AI’s trading systems are more likely to come under stress, which could weaken the AI’s ability to respond under severe but plausible scenarios.
- AIs should identify a range of scenarios of different nature, severity and duration relevant to their business and risk profile. Examples of scenarios that AIs may consider include, but are not limited to, pandemics, natural disasters, and failures or disruptions at a third party or within the third party’s supply chain.
- When identifying the scenarios, AIs should make reference to previous incidents or near misses within the institution or across financial sectors, as well as in other sectors or jurisdictions, or any situations that could result in significant disruptions given the changing operational landscape.
Resume normal operations in a timely manner after disruptions occur
Absorb learnings from disruptions or near-misses
AIs should absorb learnings to continually improve the ability to prevent, adapt to and recover from risks and disruptions to critical operations delivery.
Responsibilities of Board and senior management
An AI’s Board and senior management are expected to actively participate in establishing, implementing and overseeing the operational resilience framework. In particular, the Board and senior management should actively participate in the setting and review of an AI’s operational resilience parameters. Specifically:
- The Board should approve and regularly review: (i) the criteria for determining an AI’s critical operations; and (ii) the actual list of critical operations. The reviews should be conducted no less than annually or when major operational changes occur.
- The Board is responsible for setting the tolerance for disruption. Assisted by senior management, it should also review the tolerance for disruption at least on an annual basis or when major operational changes occur.
- Senior management should identify and the Board should approve the severe but plausible scenarios which will be used to review whether an AI is operationally resilient. Both the Board and senior management should regularly review the continued relevance of the scenarios identified.
Minimum components of an operational resilience framework
At a minimum, an operational resilience framework should include the following components:
Mechanism for determining the operational resilience parameters
The parameters include critical operations, tolerance for disruption and severe but plausible scenarios (see above and also Section 4 of OR-2).
AIs should conduct mapping exercises to identify what risks or events may affect or disrupt critical operations delivery through developing a detailed understanding of the interconnections and interdependencies that underlie critical operations delivery.
AIs should also include those interconnections and interdependencies that depend on third parties and intragroup arrangements. They are expected to update their mapping documentation on a regular basis, but no less than annually or following any material changes to their operations (see Section 5 of OR-2).
Risk management policies and frameworks
AIs should put in place policies and frameworks to help prepare for and manage the various risks to critical operations delivery in an integrated and holistic way (see Section 6 of OR-2).
The HKMA expects that AIs should, at a minimum, take into consideration the following risk management components with respect to operational resilience:
- Operational risk management (eg, OR-1 Operational Risk Management);
- Business continuity planning and testing (eg, TM-G-2 Business Continuity Planning);
- Third-party dependency management (eg, SA-2 Outsourcing); and
- Information and Communication Technology (ICT) including cybersecurity (eg, TM-G-1 General Principles for Technology Risk Management).
AIs should conduct scenario testing to regularly assess whether they are able to continue delivering critical operations through disruption, including under severe but plausible scenarios (see Section 7 of OR-2). Where practicable, AIs may leverage on existing testing arrangements, including those devised for business continuity planning purposes, to fulfil the testing requirement relating to operational resilience.
AIs should be able to demonstrate how an existing testing exercise enables them to achieve the specified objectives of scenario testing for operational resilience purposes. After each testing exercise, they should prepare a formal testing report to record any gaps or weaknesses identified, as well as document the remedial actions planned. The reports should be reviewed by senior management.
Incident management programme
AIs should have in place an incident management programme to enable them to effectively respond to and manage disruptions to critical operations delivery (see Section 8 of OR-2).
The requirements around responding to and recovering from incidents complement existing HKMA guidance on incident management. These include but are not limited to SPM modules “TM-G-2 Business Continuity Planning” and “TM-G-1 General Principles for Technology Risk Management”, and the HKMA’s circular on “Incident Response and Management Procedures” issued in June 2010.
AIs may determine the most appropriate approach to developing their operational resilience frameworks, taking into account their particular circumstances. They may refer to Diagram 1 of OR-2 for an illustration of how the different components can be brought together to create a holistic operational resilience framework. It is important to note that developing operational resilience is an iterative process. The process will not always be linear. An AI should actively apply learnings from its implementation of the framework and the management of actual incidents to continually improve on the effectiveness of the framework.
Substantive amendments to existing SPM modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management)
By reason of the above requirements in the new proposed SPM module OR-2 (Operational Resilience), the HKMA has proposed many substantive amendments to existing modules TM-G-2 (Business Continuity Planning) and OR-1 (Operational Risk Management).
In terms of TM-G-2 (Business Continuity Planning):
- The HKMA expects that an effective Business Continuity Plan (BCP) should be forward-looking and validated against a range of severe but plausible scenarios involving disruptive events and incidents.
- The BCP should identify critical operations as well as the key internal and external dependencies supporting these critical operations. It should incorporate business impact analysis, recovery strategies, testing programmes, training and awareness programmes, communication strategies and crisis management processes.
- An AI’s BCP for the delivery of critical operations, including those reliant on critical third-party services, should be consistent with its operational resilience framework. The same consistency requirement also applies to BCPs which may be contained within an AI’s recovery and resolution plans.
In terms of OR-1 (Operational Risk Management), the HKMA expects AIs to develop, implement and maintain an appropriate operational risk management framework (ORMF) that is effective and efficient in identifying, assessing, monitoring, and controlling/mitigating operational risk (including ICT risks), taking into account the AI’s complexity, range of products and services, organisational structure, and risk management culture. As part of its substantive amendments, the HKMA has set out the major components an ORMF should contain in sections 4 to 9 of OR-1.
For a detailed summary of the proposed amendments to TM-G-2 and OR-1, please refer to the Appendix to the bulletin.
Keeping up with operational resilience
Our Operational Resilience Hub helps to keep you up to date on the upcoming regulatory expectations. The hub features an interactive timeline which currently covers the UK, EU, Hong Kong, Singapore and Australia, and output from global standard setters such as the BCBS, the Financial Stability Board, and the International Organisation of Securities Commissions. The content includes operational resilience, cyber resilience, outsourcing, BCP and more. We are adding more major financial services centres and we are regularly updating the timeline to provide a “one stop shop”.