Recent bank failures around the world have underlined the need for stronger risk oversight and controls in the financial industry. These incidents have emphasized the criticality of effective risk management and operational resilience, including stress testing bank balance sheets and prompt communication during a crisis to maintain customer and investor confidence in the bank's operations.
In Hong Kong, regulators were already in the process of stepping up their scrutiny of controls, after recognizing the need for greater resilience in the face of macroeconomic threats and an ever-increasing reliance on technology and third-party providers. The Hong Kong Monetary Authority (HKMA) launched its OR-2 Supervisory Policy Manual (SPM) in May 2022, aligning its operational resilience requirements with the Basel Committee’s “Principles for Operational Resilience”, published in 2021.
With the first HKMA deadline fast approaching (31 May 2023), banks should already have developed an operational resilience framework (including identifying operational resilience parameters), commenced basic mapping of interdependencies, and built a timeline for achieving operational resilience. To meet the second deadline (31 May 2026) for implementing the operational resilience framework, banks need to focus on completing the further steps shown in our Figure, Achieving HKMA Operational Resilience Step by Step, and on overcoming the three key challenges discussed below.
The HKMA expects banks to take into consideration existing operational risk management (ORM) and business continuity planning (BCP) procedures to ensure alignment with the new SPM OR-2 requirements when implementing an operational resilience program. While ORM focuses on preventing and minimizing the effect of operational risk events, and BCP ensures the continuation of critical business processes during and after disruptive events, operational resilience encompasses and extends beyond both to include proactive measures for preventing and recovering from disruptions.
Given ever-evolving regulations, aligning SPM OR-2 compliance efforts with existing risk management initiatives can be challenging. SPM OR-2 requires banks to conduct scenario testing for severe but plausible events, to establish more comprehensive risk management policies and frameworks specific to the critical business operations identified, and to implement robust incident management programs – requirements that go over and above existing business continuity planning and operational risk management frameworks. It is therefore critical for banks to ensure a common understanding and awareness of the bank’s existing and new operational resilience objectives at all levels, including the board, so that synergies across functions can be leveraged.
To promote a standardized approach to operational resilience across all related functions, banks should utilize their existing risk framework to maintain coherence between management risk forums and establish a dedicated team/committee or ‘control room’ approach to oversee all initiatives related to operational resilience, including ORM and BCP. This committee should ensure that a consistent message on operational resilience is sent from the board to the second line of defense across all critical business functions, establish clear roles and responsibilities, and monitor initiative status regularly – communicating with stakeholders at all levels.
Another fundamental challenge when implementing an operational resilience framework is the ever-evolving nature of risks within the financial industry. While banks are still grappling with the aftermath of the Covid-19 pandemic and recent bank failures, they must remain alert to ever-evolving cybersecurity threats and the emerging risks posed by the growth of cryptocurrencies. Given recent ‘black swan’ events, authorities are keen to bolster firms’ ability to respond to and recover from unexpected disruptions.
Pragmatic operational risk management requires establishing an appropriate narrative that meets regulators’ expectations and differentiates between theoretical and actual risks without downplaying the importance of risks – like the Covid-19 pandemic – that are almost or entirely unprecedented. However, differentiating between actual and theoretical risks can be challenging for banks. Some risks may seem theoretical until they suddenly pose a tangible threat to the bank.
Traditionally, banks have assessed risks based on the likelihood and potential impact of each risk, which has led firms to focus too much on high probability, high impact scenarios. However, the rise of black swan events – like the Ukraine war and the pandemic – has forced banks to think beyond traditional risk management. The result is a more comprehensive risk assessment process that uses scenario analysis to also consider high impact, low probability events, drawing on metrics based on operational risk data, risk and control evaluations, and any additional quantitative and qualitative risk assessment methodologies that can further strengthen the risk assessment approach. Banks should also ensure that management is well informed about the ongoing resilience of business units, including keeping management apprised of incident remediation efforts, critical operations, and emerging services that are on a "Watch List." By staying informed and up to date on these matters, the board can provide effective oversight and ensure that the bank remains resilient in the face of unexpected challenges.
Developing a scenario testing regime that is customized to the specific demands of operational resilience and to the individual firm can be challenging. Financial institutions are required to demonstrate, through testing plans and reports, that they have effectively defined and implemented scenarios that adequately assess critical operations. This means involving a wide range of bank functions in scenario roles; selecting realistic and pertinent scenarios specific to the firm; adopting a regulatory viewpoint; emphasizing the testing of the most significant business services; and aligning with crisis management planning. Resilience scenario testing will need to be supported by a scenario library that draws on existing business continuity documentation, business continuity plans, process maps created by the firm, historical operational risk and resilience events of the last 10 years, and real-life cyber and IT disruption events.
Banks also face the challenge of balancing different testing methods, such as desktop and live simulation exercises, each of which has its own advantages and drawbacks. Desktop testing is cost-effective but may not capture real-world complexities, while live simulation testing is more comprehensive but time-consuming to co-ordinate. To determine the appropriate mix of testing methods, banks should develop a testing strategy based on the unique features of their critical business services and the testing scenarios, while keeping cost and time constraints in mind. Banks can also consider seeking expert assistance to gain insights into industry norms and standards for testing similar business services.
Implementing HKMA’s operational resilience framework presents several challenges for banks in today's rapidly changing financial landscape. Banks must build common understandings and a consistent approach to operational resilience across the bank; adapt their frameworks to keep pace with evolving risks; and develop a thorough testing regime unique to operational resilience.
Building and maintaining an effective operational resilience program requires significant resources, including human capital, and locating suitable talent to work on it can be challenging in Hong Kong given the competition for skilled professionals. Therefore, banks must ensure they are well-prepared to assemble a dedicated workforce with the capacity and knowledge to complete the implementation as required by HKMA.
To keep ahead, firms must build an approach that allows them to continuously improve their operational resilience capabilities. By treating operational resilience as a strategic imperative, banks can move beyond compliance to protect themselves and their customers against a constantly evolving threat landscape and thrive in today's volatile and highly competitive market.