Operational resilience: HKMA's guidance and expectations on OR-2

Banks have 2 years to implement their operational resilience framework and demonstrate operational resilience.

The Hong Kong Monetary Authority (HKMA) has set out its guidance and expectations on operational resilience (OR) in the Supervisory Policy Manual (SPM) module OR-2, "Operational Resilience". Authorised Institutions (AIs) in Hong Kong were given 1 year for framework development and a further 2 years for framework implementation, by the end of which they must be operationally resilient. Now that the deadline for OR framework development has passed (31 May 2023), AIs should be implementing their frameworks, including but not limited to mapping the interconnections and interdependencies of all critical operations, conducting scenario testing to validate their ability to deliver critical operations through disruption, and establishing incident management, before 31 May 2026.

What should AIs achieve by the end of the implementation deadline (31 May 2026)?

- Complete the mapping of interconnections and interdependencies of all critical operations
- Identify potential risks that may affect the delivery of critical operations
- Conduct scenario testing and document any gaps or weaknesses identified and the remedial actions planned
- Design a process for the continuous improvement of mapping documentation
- Establish an incident management programme to manage incidents and learn from disruptions or near misses

The HKMA OR-2 requirements related to implementation:

Mapping interconnections and interdependencies
It is imperative to first identify and document the supporting assets of critical operations. Next, the interconnections and interdependencies between these operations must be mapped. Lastly, the potential risks or disruptive events that could affect or disrupt the delivery of critical operations must be identified.

Manage risks to operations delivery
Effective risk management involves comprehensive preparation for, and oversight of, potential threats to critical operations. This encompasses operational risk management, business continuity planning, third-party relationships, and safeguarding information and communication technology, including cybersecurity.

Scenario testing
To ensure uninterrupted critical operations, the AI must consistently evaluate its capability to deliver them and diligently address any gaps or weaknesses detected, documenting the findings and the remediation taken.

Incident management
To enhance business resilience, it is crucial to implement a comprehensive incident management programme, one that tracks incidents throughout their entire lifecycle. By doing so, organisations can learn valuable lessons from these incidents, ultimately strengthening their ability to withstand future disruptions.

Role of the Board and senior management

- Senior management should report regularly to the Board and review the remedial actions planned for addressing deficiencies identified
- The Board should prioritise the remedial actions and oversee the communication and training of relevant parties
- Both the Board and senior management are required to review the OR-2 framework on a regular basis (i.e. annually)

Challenges AIs typically face

- Resource and expertise constraints: Limited staff knowledge and/or time available to conduct comprehensive end-to-end mapping and to test the ability to remain within the tolerance for disruption for all critical operations.
- Lack of collaboration between front- and back-office teams: Siloed organisational structures make it challenging for front- and back-office teams to collaborate effectively. This can result in insufficient granularity of mapping and hinder the ability of AIs to identify vulnerabilities.
- Failure to demonstrate the resilience of a bank: Inability to demonstrate the appropriateness of an operational resilience framework in line with the organisation's nature, size, complexity and risk profile. It is challenging to show the Board, senior management, internal auditors, regulators and other key stakeholders that the framework is fit for purpose and that the bank is able to achieve resilience.

Why Protiviti?

We understand the challenges that AIs face and we have unique and competitive advantages that can help you achieve operational resilience.

- Flexible delivery model: We offer different engagement models to address client demands (project-based, staff augmentation, or hybrid). Flexible models, complemented by professional specialists, support you in conducting mapping and scenario testing.
- Knowledge and experience: We understand the regulatory requirements and have extensive experience utilising technology capabilities to perform process mapping and business continuity planning (BCP) testing for financial institutions.
- Cross-domain competencies: Our team has extensive cross-domain expertise and project management experience that promotes cross-team synergies.
- Proven track record: We have a proven regulatory change track record of developing end-to-end process flows, conducting scenario testing and ensuring regulatory compliance for our financial services clients, which include banks, insurance companies, asset managers and other financial institutions.
How Protiviti can help

Key focus area: Mapping interconnections and interdependencies
How we can support you: Adopt technologies to visualise the end-to-end process flow for each critical operation; identify the interconnections and interdependencies of critical operations through walkthrough meetings and review of relevant documentation.
What to expect from us: A comprehensive end-to-end process map; identification of potential risks that may affect critical operations delivery.

Key focus area: Scenario testing
How we can support you: Skilled professionals perform testing to validate the bank's ability to deliver the critical operation under disruption.
What to expect from us: Professionals deployed to conduct scenario testing for critical operations; formal testing reports with gaps identified and proposed remedial actions.

Key focus area: OR-2 related policies uplift
How we can support you: Utilise our team's expertise in risk management to review OR-2 related policies.
What to expect from us: Review and uplift of the OR-2 related policies; a drafted OR-2 policy outlining the operational resilience framework.

Key focus area: Incident management
How we can support you: Establish an incident management programme to enable the bank to promptly manage, respond to and recover from an incident.
What to expect from us: Defined incident severity criteria; comprehensive internal and external communication plans for reporting incidents; a developed or uplifted incident management programme enabling prompt incident response and recovery.

Key focus area: Self-assessment
How we can support you: Assist in performing a self-assessment of the operational resilience framework and critical operations so the bank can assess its resilience.
What to expect from us: Assistance in performing a self-assessment; documented methodology/approach, review process and lessons learnt.

Key focus area: Project management support
How we can support you: Enable seamless project delivery and promote effective communication amongst project stakeholders.
What to expect from us: Project risks managed and reported to the client on a timely basis; effective and efficient communication and discussion facilitated between relevant stakeholders.

Find out more about our solutions:

Operational Resilience
Improve resilience through a robust testing programme, building on existing business continuity management activities, IT disaster recovery, and cybersecurity incident response. We bring knowledge across the four domain areas of operational resilience: business, technology, cyber, and third-party.

Regulatory Compliance
Disruptive technologies, regulatory pressures, evolving customer loyalty, and pressure to enhance economic returns are just some of the challenges organisations need to overcome by innovating and managing their compliance risks to succeed over the next decade.

Risk Management Consulting
Protiviti helps organisations around the world assess risk and develop tech-enabled solutions to manage risk in an agile manner and minimise potential losses. We bring leading insights and innovative capabilities to help you meet future challenges.

Leadership

Jeffrey Hau
Jeffrey leads Protiviti Hong Kong's risk and compliance and internal audit practices with more than 20 years of experience in regulatory compliance consulting and auditing. As the leader of the financial services practice, his specific areas of focus include advising ...

Michael Pang
Michael is a managing director with over 20 years' experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ...

Featured insights

- In Focus: Will CrowdStrike serve as a reboot on tech resiliency? Global IT systems are still in reboot and recovery after a software update by cybersecurity vendor CrowdStrike caused a massive worldwide outage of Windows computers. Global businesses, governments and organisations were impacted across several...
- Whitepaper: SIFMA's Quantum Dawn VII After-Action Report. The latest iteration of SIFMA's biennial cybersecurity exercise focused on the outage of a critical third-party service provider. The simulation and concluding survey found many financial institutions are already experienced with the loss of a...
- Blog: How tech firms can prepare for new EU operational resilience rules on ICT risks. A two-step indicator-based approach proposed by EU supervisory authorities will be used to assess ICT service providers to determine whether they should be designated as critical and subjected to oversight under the Digital Operational Resilience...
- Blog: U.K. Supervisory Authorities and Basel Committee Refine Operational Resilience Approaches, Align on Expectations for Firms. Several key policies take effect March 31, 2022. On March 29, 2021, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) issued a series of policy statements to both refine and finalise...
- Whitepaper: Early Signs of Regulatory Alignment on Operational Resilience Concepts, Themes. In early August 2020, the Basel Committee on Banking Supervision (BCBS) released a consultative document, titled "Principles for Operational Resilience," that proposed a pragmatic yet flexible approach to operational resilience, one intended to be...
- Video: Operational Resilience at the Intersection with Public Policy. Lessons learned from the pandemic and a forward-looking view on regulatory and policy developments for resilient capital markets.