
[OR] [P2] [S5] [LL] [C13] Regulatory Expectations and Compliance

Written by Moh Heng Goh | May 14, 2026 1:33:47 PM

[P2] [S5] Chapter 13

Regulatory Expectations and Compliance

Introduction

Regulators globally have shifted their focus from framework design and documentation to demonstrable resilience outcomes. Organisations are no longer assessed solely on whether they have plans and policies, but on whether they can:

  • Learn from disruptions
  • Continuously improve resilience capabilities
  • Maintain delivery of Critical Business Services (CBS) within impact tolerances

At the centre of this shift lies the Lessons Learned capability, which serves as evidence that an organisation can:

  • Adapt to evolving risks
  • Strengthen controls
  • Enhance service resilience

This chapter outlines key regulatory expectations and how organisations can ensure compliance through effective lessons learned processes.

Purpose of the Chapter

To provide a comprehensive understanding of regulatory expectations related to Lessons Learned and continuous improvement in operational resilience, and to guide organisations in aligning their frameworks, processes, and evidence with supervisory requirements across key jurisdictions.


The Regulatory Shift: From Compliance to Resilience

Traditional Approach
  • Focus on:
    • Policies
    • Procedures
    • Documentation
  • Limited emphasis on outcomes
Modern Regulatory Expectations
  • Focus on:
    • Service continuity
    • Impact tolerance adherence
    • Continuous improvement
  • Evidence-based supervision

Implications for Organisations

Organisations must demonstrate:

  • Real-world resilience
  • Effective learning from disruptions
  • Continuous enhancement of capabilities


Core Regulatory Themes for Lessons Learned

Across jurisdictions, regulators consistently emphasise:

Continuous Improvement
  • Ongoing enhancement of resilience capabilities
  • Integration of lessons learned into frameworks
Scenario Testing and Learning
  • Use of testing outcomes to improve resilience
  • Iterative refinement of scenarios
Service-Centric Approach
  • Focus on CBS rather than individual components
Governance and Accountability
  • Clear ownership of lessons learned
  • Strong oversight mechanisms
Evidence and Documentation
  • Demonstrable records of:
    • Lessons learned
    • Actions taken
    • Outcomes achieved


Key Regulatory Frameworks and Expectations


Monetary Authority of Singapore (MAS)

Under the MAS Guidelines on Business Continuity Management (revised June 2022), financial institutions are expected to:

  • Identify Critical Business Services
  • Set a Service Recovery Time Objective (SRTO) for each CBS, which is how MAS frames the tolerance for disruption
  • Conduct scenario testing
  • Analyse outcomes and identify gaps
  • Implement improvements to maintain service continuity

Relevance to Lessons Learned:
  • Lessons learned must feed into:
    • Scenario testing refinement
    • Validation that SRTOs remain achievable
  • Evidence of continuous improvement is required


Bangko Sentral ng Pilipinas (BSP Circular 1203)

BSP requires institutions to:

  • Conduct post-incident reviews
  • Analyse disruptions and their causes
  • Continuously improve operational resilience
Relevance to Lessons Learned:
  • Mandatory capture and analysis of lessons
  • Integration into resilience frameworks
  • Demonstration of improvement over time


Bank Negara Malaysia (BNM)

BNM emphasises:

  • Ongoing monitoring and review
  • Continuous enhancement of resilience capabilities
  • Integration with risk management
Relevance to Lessons Learned:
  • Lessons must inform:
    • Risk assessments
    • Control improvements
  • Strong governance and oversight required


UK PRA and FCA

The PRA (Supervisory Statement SS1/21) and FCA (Policy Statement PS21/3) operational resilience rules use the term "important business services" for what this eBook calls CBS. The transition period ended on 31 March 2025, after which firms are expected to be able to:

  • Remain within the impact tolerance set for each important business service under severe but plausible scenarios
  • Conduct regular scenario testing
  • Continuously improve resilience
  • Maintain a board-approved self-assessment document and make it available to the regulator on request

Relevance to Lessons Learned:
  • Lessons learned must:
    • Refine testing scenarios
    • Improve resilience capabilities
  • Evidence of learning from testing outcomes, recorded in the self-assessment, is what the supervisor will ask to see


Alignment with International Standards


ISO 22301 (Business Continuity Management)

ISO 22301:2019 requires organisations to:

  • Monitor, measure, analyse and evaluate BCMS performance (Clause 9.1)
  • Conduct internal audits (Clause 9.2) and management reviews (Clause 9.3)
  • Address nonconformities and implement corrective actions (Clause 10.1)
  • Ensure continual improvement (Clause 10.2)

Lessons Learned Role:
  • Identify nonconformities
  • Drive corrective actions and verify that they removed the cause
  • Enhance BCMS effectiveness


ISO 22361 (Crisis Management)

ISO 22361 emphasises:

  • Post-crisis reviews
  • Learning from crisis events
  • Improving response capabilities
Lessons Learned Role:
  • Capture insights from crisis management
  • Improve decision-making processes


Evidence Required by Regulators

Regulators expect organisations to provide clear and auditable evidence of lessons learned processes.

Key Evidence Components

  • Lessons Learned Register: record of identified lessons, each traceable to the incident or test that produced it
  • Root Cause Analysis Reports: detailed analysis of incidents
  • Action Tracking Logs: status of improvement actions, with a named owner for each
  • Scenario Testing Reports: outcomes and the improvements made as a result
  • Management Reports: oversight and governance evidence


Demonstrating Effectiveness

Organisations must show that:

  • Actions are implemented
  • Improvements are effective
  • Risks are reduced

An action should be closed only once its effect has been verified, for example by re-running the scenario or exercise that exposed the gap. A change that has been deployed but not re-tested is evidence of activity, not of effectiveness, and supervisors increasingly draw that distinction.


Regulatory Audit and Assessment

Key Audit Questions
  • Are lessons learned systematically captured?
  • Is root cause analysis conducted effectively?
  • Are improvement actions implemented and tracked?
  • Are lessons integrated into resilience frameworks?
  • Is there evidence of continuous improvement?
Scoring Criteria

  • Fully Demonstrated: comprehensive and effective implementation
  • Partially Demonstrated: some gaps in process or execution
  • Not Demonstrated: lack of evidence or ineffective implementation


Integration with Risk and Compliance Frameworks

Operational Risk Management (ORM)
  • Lessons feed into risk identification
  • Strengthen controls
Compliance
  • Ensure adherence to regulatory requirements
  • Support regulatory reporting
Internal Audit
  • Validate effectiveness of lessons learned processes
  • Provide independent assurance

Challenges in Meeting Regulatory Expectations

Lack of Structured Framework
  • Inconsistent processes
Weak Governance
  • Poor accountability
Insufficient Evidence
  • Lack of documentation
Limited Integration
  • Lessons not embedded across functions


Best Practices for Compliance

Establish a Formal Framework
  • Define processes and governance
Maintain Comprehensive Documentation
  • Ensure auditability
Integrate Lessons Across Functions
  • Align with risk, BCM, and crisis management
Conduct Regular Reviews
  • Ensure continuous improvement
Engage with Regulators
  • Demonstrate transparency


Case Example: Regulatory Compliance in Banking

Scenario

A bank undergoes regulatory review for operational resilience.

Findings

  • Weak lessons learned process
  • Incomplete action tracking

Actions Taken

  • Implemented structured framework
  • Enhanced governance and reporting

Outcome

  • Improved regulatory compliance
  • Strengthened resilience capabilities

Conclusion

Regulatory expectations for operational resilience are increasingly focused on continuous improvement and demonstrable outcomes. Lessons learned play a central role in meeting these expectations by providing evidence that organisations can:

  • Learn from disruptions
  • Improve resilience capabilities
  • Protect Critical Business Services

By aligning lessons learned processes with regulatory requirements, organisations can:

  • Enhance compliance
  • Strengthen governance
  • Achieve resilience maturity


Transition to Next Chapter

With regulatory expectations clearly defined, the next chapter will explore common challenges and pitfalls in implementing lessons learned, providing practical insights into how organisations can overcome barriers and improve effectiveness.
