Key Governance Requirements and Expectations
Introduction
As operational resilience becomes a strategic priority for financial institutions, central banks and regulators have formalised expectations through regulatory frameworks and reporting mandates.
In alignment with the Basel Committee on Banking Supervision’s (BCBS) Principles for Operational Resilience (2021), banks are now required to demonstrate their ability to deliver critical business services (CBS) consistently, even during severe disruptions.
To achieve this, banks must adopt a structured approach to resilience, involving identification of critical services, setting of impact tolerances, conducting scenario-based stress testing, and implementing robust governance and risk mitigation mechanisms.
Regulators are not only seeking assurance of compliance but also evidence of ongoing readiness, oversight, and adaptation to evolving threats.
Purpose of Chapter
This chapter outlines the specific regulatory reporting requirements expected by central banks under the Basel Operational Resilience Framework.
It explains the meaning and scope of key submissions, including the operational resilience report, scenario testing outcomes, risk mitigation plans, the resilience framework, and the CBS list, providing clarity on what regulators expect and how banks should prepare.
When the central bank requires a bank to report on its operational resilience, the regulatory expectations typically draw from the guidance of the Basel Committee on Banking Supervision (BCBS), as well as jurisdiction-specific supervisory guidelines (e.g., from the Monetary Authority of Singapore, Bank Negara Malaysia, Prudential Regulation Authority, or Australian Prudential Regulation Authority).
1. Regulatory Reporting Requirement for Basel Operational Resilience
Under the Basel Principles for Operational Resilience (2021), banks are expected to:
- Identify and map their critical operations.
- Assess resilience through severe but plausible scenarios.
- Implement mitigation measures.
- Monitor, test, and adapt resilience strategies.
- Ensure board and senior management oversight.
The regulatory reporting requirement typically entails submitting formal documentation and evidence demonstrating how the above has been implemented, especially with regard to:
- Governance (roles, responsibilities, oversight).
- Impact tolerance thresholds.
- Scenario testing results.
- Third-party dependencies.
- Response and recovery capabilities.
Central banks use this information to assess whether the bank can continue delivering critical business services (CBS) during disruption.
2. Understanding Regulatory Report Requirement
This typically requires the bank to submit three key types of documents:
a. Operational Resilience Report
This is a consolidated document demonstrating the bank's current state of resilience, including:
- Critical business services identified.
- Mapping of supporting processes, people, technology, and third parties.
- Set impact tolerances for each CBS.
- Overview of risk assessment and controls in place.
- Governance and ownership of resilience.
b. Resilience Framework
This is the bank’s internal framework or policy document, which outlines:
- Definition and scope of operational resilience in the bank.
- Alignment with Basel principles and local regulations.
- Governance structure, escalation protocols, and board oversight.
- Processes for identifying CBS, setting impact tolerances, testing scenarios, and executing response and recovery.
c. Critical Business Services List
This is a formally defined list of services considered critical to customers, markets, or the economy. It should include:
- Name and description of each CBS.
- Justification of why it’s critical (based on impact analysis).
- Supporting systems, processes, teams, and third parties.
- Associated impact tolerance thresholds (e.g., time, capacity).
d. Scenario Results
This includes:
- Description of severe but plausible scenarios used in testing.
- Outcome of the test: whether CBSs remained within impact tolerances.
- Lessons learned and vulnerabilities exposed during the scenario testing.
e. Risk Mitigation Plans
- Action plans to address gaps identified from scenario testing or resilience assessments.
- Timeline, responsible parties, and budget for each mitigation activity.
- Integration with risk management and internal audit follow-up.
Summary Table
Requirement | What It Means | Expected Contents |
---|---|---|
Operational Resilience Report | Summary of the current state of resilience | CBS, mapping, impact tolerances, governance |
Resilience Framework | Governance and policy framework | Definitions, board oversight, and methodology |
CBS List | List of critical services | CBS details, dependencies, tolerances |
Scenario Results | Outcomes of resilience testing | Scenarios, tolerances breached/met, findings |
Risk Mitigation Plans | Actions to close resilience gaps | Risk owner, actions, timelines, priorities |
Summing Up ...
Operational resilience reporting is more than a compliance exercise—it is a reflection of an institution’s preparedness to withstand disruption while continuing to serve its customers and support financial stability.
By clearly articulating and documenting their resilience posture through structured reports and tested scenarios, banks demonstrate accountability, transparency, and commitment to continuous improvement.
The requirement to submit operational resilience reports, scenario results, risk mitigation plans, and the resilience framework—including the list of critical business services—serves as a critical touchpoint between banks and regulators.
It enables supervisors to assess institutional vulnerabilities and readiness, ensuring that the financial sector remains robust in the face of emerging threats.
As such, banks must embed these reporting processes into their operational resilience lifecycle, underpinned by strong governance, executive oversight, and a culture of proactive risk management.