Operational resilience has become a critical aspect of risk management for financial institutions operating in Hong Kong.
Implementing operational resilience in compliance with HKMA's regulatory framework presents several challenges and valuable learnings for financial institutions.
This is a summary of the presentation by Gan Kwai Liang, Head of Operational Risk Asia Pacific of Bank of New York Mellon, at the Meet-the-Expert Webinar on 27 July 2023.
The speaker discusses the critical building blocks of the Operational Resilience (OR) framework. The presentation emphasises the importance of regulatory governance, oversight and structure, and of developing an Enterprise Resiliency strategy and recovery planning.
The approach is holistic, considering operational resilience from a risk management perspective. The ongoing monitoring, testing, and assurance aspects are highlighted, along with the development of enablers to support the framework's implementation.
The first key component outlined pertains to regulatory compliance, particularly with the Hong Kong Monetary Authority (HKMA) regulations. To ensure alignment and compliance, the organisation has conducted a comprehensive gap analysis against HKMA's OR-2 requirements and the TMG-2 standards.
This process seeks to satisfy regulatory requirements and identifies areas for improvement and necessary enhancements. The organisation maintains close contact with regulators in the US and UK and actively participates in surveys and communications to stay aligned with global regulatory expectations.
The importance of governance and oversight in operational resilience is not to be underestimated. The framework emphasises Senior Management's accountability for and ownership of the Operational Resilience program. Existing Senior Management committees and crisis management teams are leveraged to ensure representation across the various business functions.
The Enterprise Resiliency (responsible for operational resilience) Office is critical in developing and updating relevant policies and standards to facilitate the implementation and operationalisation of operational resilience initiatives. Additionally, the organisation incorporates OR requirements into other risk disciplines, demonstrating a commitment to comprehensive and integrated resilience practices.
In embarking on the Operational Resilience journey, the organisation will need to delve into the fundamental building blocks of this framework. It commences with an emphasis on regulatory governance, oversight, and structural components. The approach incorporates the development of an Enterprise Resiliency strategy and recovery planning.
A holistic perspective towards operational resilience is adopted and viewed through the risk management lens. Ongoing activities like monitoring, testing, and assurance are also integral aspects. Enabling mechanisms have been devised to support the framework's implementation and operationalisation.
The initial focal point revolves around adherence to local regulations, particularly those of the Hong Kong Monetary Authority (HKMA). The Enterprise Resiliency Office, in conjunction with the risk management team, has undertaken a meticulous gap analysis of the HKMA OR-2 requirements and the TMG-2 standards. This serves a dual purpose: ensuring alignment with Business Continuity Management (BCM) requisites, and compliance with the OR-2 standards and established practices.
Governance and oversight play a pivotal role in operational resilience, with a strong emphasis on accountability at the senior management level. Senior Management's active involvement in and ownership of the Operational Resilience program are vital.
Existing Senior Management committees and crisis management teams are leveraged to ensure comprehensive representation across various business functions. Additionally, the Enterprise Resiliency office has taken proactive measures to develop and update relevant policies and standards, facilitating the implementation and operationalisation of the operational resiliency program.
Ongoing efforts are directed towards reviewing and updating standards. There is also an initiative to integrate OR requirements into other risk disciplines, such as third-party risk management, new product approval processes, and business process changes, underscoring a commitment to a comprehensive and integrated resilience strategy.
The Critical Business Services framework aids in identifying the organisation's critical services and is pivotal in prioritising resilience efforts and investments. It enables the organisation to align key resiliency terms and establish a structured approach to enhancing resiliency.
By comprehensively understanding the end-to-end processes involved in delivering products and services to clients, the framework reveals interdependencies among various Business Services and the IT systems and applications supporting them.
Moreover, it facilitates business impact analysis, focusing on market impact, client perspective, regulatory obligations, access to liquidity and capital, reputation, and liquidity and capital management under stress. The framework also defines the minimum viable service: the essential set of services necessary to prevent intolerable harm to clients and to financial market stability.
The organisation has set up an incident and crisis management team to manage and respond to disruptive events effectively. To ensure a coordinated response, this team coordinates with various stakeholders, including business, technology, corporate support, and corporate communications.
Leveraging existing strategic recovery plans and business continuity platforms, the organisation maintains a repository of business recovery plans for each line of business and function. This repository serves as a crucial reference point in times of crisis.
The holistic approach to operational resilience extends beyond Business Services to encompass technology risks and information security governance. The speaker also touches on the challenges posed by outsourcing and offshoring arrangements. While these arrangements offer cost-saving benefits, they can also increase the organisation's risk profile if service providers fail.
Therefore, the organisation has implemented a robust onboarding risk assessment process for service providers, ensuring they meet business continuity readiness standards and undergo ongoing performance monitoring. In addition, the organisation emphasises the need for technology resiliency, given the critical role of technology in delivering services.
This includes capacity planning, system availability monitoring, and rigorous change management processes. Lastly, an advanced incident management and response process, especially in the face of cyber threats, is in place to safeguard the organisation's technology infrastructure. In this context, reference to regulatory guidance in identifying critical IT systems and applications is also highlighted as a valuable resource.
Ongoing monitoring, testing and assurance of the framework occur annually and align with risk management principles, subjecting the resilience strategy and plan to independent audits. The organisation has also integrated resiliency risk assessment into its risk and control self-assessments (RCSA) and employs an annual attestation process that holds first-line stakeholders accountable for the fitness and effectiveness of their plans, including participation in exercises and testing.
To support these resilience efforts, the organisation has developed key enablers. One such enabler is the Critical Business Process Framework, which assists stakeholders in process mapping. Standardisation is emphasised through rules on organising process maps and grouping third-party service providers.
Risk and control self-assessments (RCSA) are integral for critical Business Services, ensuring that risks and controls are embedded within the business or function. Additionally, the organisation has established an authority structure for reviewing and approving process map changes, to accommodate the evolving nature of organisations.
In addressing challenges in operational resilience, data availability stands out as a significant concern. Specifically, assessing the impact on financial markets poses challenges due to data limitations.
The organisation has conveyed this concern to its global team, highlighting the need for solutions. Furthermore, the organisation is working on developing online introductory training for operational resilience to educate its employees worldwide.
These training programs enhance the organisation's awareness and understanding of operational resilience principles.
The speaker emphasises the importance of documenting rationales comprehensively within the operational resilience framework. Currently, the approach is qualitative rather than quantitative, underscoring the need for robust documentation for future reference and various purposes.
Completing the critical Business Services framework is noted, but challenges lie in capturing bespoke processes at the country level. Limited resources pose another hurdle, with part-time involvement from first-line stakeholders and a shortage of resiliency managers in the APAC region, making stakeholder engagement and support challenging.
Managing change is a recurring theme, encompassing business process changes, organisational structure shifts, and system modifications that can impact end-to-end process mapping.
A critical Business Services change management process has been introduced to address these challenges. Offshoring activities from branches to headquarters introduce complexity and potential knowledge loss.
Moreover, defining severe but plausible scenarios presents a coordination challenge, especially when many third-party service providers are in the United States. Additionally, obtaining adequate information about fourth-party service providers (the suppliers of those third parties) poses a challenge in comprehensively identifying and testing critical Business Services.
The speaker outlines several further ongoing challenges in operational resilience, including the need to calibrate operational resiliency metrics and thresholds for regional and branch entities, geopolitical considerations, and data localisation issues.
Hong Kong's geopolitical situation and position between the two superpowers raise concerns about potential crises. Key lessons learned from recent events in Hong Kong highlight the importance of resilience, adaptability, relationships with critical service providers, and employee support during crises.
Additionally, the speaker mentions how operational resilience enhances the existing business continuity management (BCM) program by integrating it with other risk domains, such as technology risk and information security.
The speaker highlighted several key points in this concluding session on operational resilience.
Firstly, there's a shift in accountability from the risk management level to the board level, making the board responsible for setting risk appetite and making decisions. The importance of understanding third-party risk was emphasised, but the speaker also mentioned the need to consider fourth and fifth-party risks.
The speaker mentioned the importance of a critical Business Service change management process regarding technology changes and keeping operational resilience up-to-date. This process helps ensure that technology changes are incorporated into the framework effectively.
The speaker also discussed the lessons learned from Hong Kong's recent events, emphasising the importance of resilience, adaptability, maintaining good relationships with critical service providers, and supporting employees during crises.
Overall, the session focused on the challenges and best practices in operational resilience, emphasising the evolving landscape of technology, third-party risks, and the need for proactive strategies to adapt to changing circumstances.
Dr Goh Moh Heng moderated and recorded the session.