CP140: Consultation on New Cross-Industry Operational Resilience Guidance
20 Apr 2021
On 9 April 2021 the Central Bank of Ireland ("Central Bank") published a consultation paper and draft cross-sectoral guidance on operational resilience ("CP140").
Industry feedback on the proposals is sought, with the deadline for responses being 9 July 2021.
CP140 highlights the Central Bank's continued focus on addressing existing vulnerabilities and mitigating risks in the financial system emanating from operational disruption.
Purpose and Scope
The Central Bank is aware of the array of disruptive events that financial services firms face daily, including technology failures, cyber incidents, the COVID-19 pandemic and natural disasters, which affect the delivery of critical or important business services.
CP140 aims to enhance the industry's operational resilience – that is, the ability to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.
The Central Bank proposes to apply CP140 to all Regulated Financial Service Providers ("RFSPs"), as defined in Section 2 of the Central Bank Act 1942. However, CP140 is designed to be flexible and should be applied in a proportionate manner based on the nature, scale and complexity of the business.
The Central Bank expects that the boards and senior management of RFSPs will adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience in line with CP140.
Firms should be focussed primarily on their most critical or important business services, which, if disrupted, could cause prudential or consumer harm or have an impact on overall financial stability.
Managing Operational Resilience
CP140 is built around three pillars of operational resilience:
- Identify and Prepare;
- Respond and Adapt; and
- Recover and Learn.
15 Guidelines are set out under these three pillars.
Guidelines 1-10 relate to measures under the pillar of Identify and Prepare.
Under this pillar, CP140 sets out that a firm's board will be ultimately responsible for the implementation of the firm's operational resilience framework. It should have adequate oversight of resilience activity; approve the operational resilience strategy and periodically, at least annually, test it.
Guidelines 11-13 relate to measures under the pillar of Respond and Adapt.
Under this pillar, firms are expected to have an incident management strategy and capture operational resilience within the firm's business continuity management processes. Firms are also required to have a crisis communication plan in place to facilitate effective communication during the disruption.
Guidelines 14 and 15 relate to measures under the pillar of Recover and Learn.
This pillar aims to encourage firms to learn from past experiences and strive for continuous improvement. Firms should carry out a lessons-learned exercise after a disruption to an important business service and use this to identify the deficiencies that led to the disruption; the impact of the disruption on the delivery of important business services; whether the controls and processes were appropriate; and the speed of recovery.
Implementation and Timeframe
The Central Bank expects boards and senior management of firms to adopt suitable measures to adhere to the guidance (once finalised) within an appropriate timeframe. While consideration will be given to a range of factors including nature, scale and complexity of a firm's business when assessing the appropriateness of the timeframe, the Central Bank expects firms to be actively and promptly addressing operational resilience vulnerabilities and be able to evidence the implemented measures within two years of the guidance being issued.
Further information on our Irish Financial Services Regulatory Group and the services we provide is available on our website page and in our brochure.
If you would like further information, please liaise with your usual Maples Group contact or one of the members of our Irish Financial Services Regulatory Group.
Our Financial Services Regulatory Group in Ireland comprises leading lawyers and experienced industry professionals with a wealth of experience in advising clients on regulatory requirements and how to manage regulatory risk within their business. Our highly technical team deliver pragmatic and solutions-focused advice to our clients.