Basel urges improved disaster planning

The Basel Committee is proposing to update its operational risk framework with new change management and technology principles, urging banks to step up their disaster planning in the wake of the disruption wrought by the covid-19 pandemic.

In a consultation published on 6 August, the Basel Committee on Banking Supervision issued a series of seven new draft principles for the regulation of operational risk and resilience, updating the Principles for the Sound Management of Operational Risk (PSMOR) it first introduced in 2003.

In its proposals, the committee urges banks to implement business continuity plans, conducting drills “under a range of severe but plausible scenarios in order to test their ability to deliver critical operations through disruption”.

It says these drills should encompass banks’ relationships with third parties and intra-group entities, and the plans should include “detailed guidance” on implementing banks’ disaster recovery frameworks.

The committee also urges banks to look at their dependencies on those third parties, and secure critical operations by verifying that their service providers have “at least equivalent” operational resilience policies to their own. It says banks should consider their third-party providers’ “substitutability” in the event of adverse events, including bringing their functions back in-house.

The proposals address banks’ information and communication technology (ICT) policies, urging banks to prioritise cybersecurity according to the significance of various information assets to banks’ critical operations, and to make plans for “cyber events” that attack those assets.

The new proposals also address incident management, saying banks should maintain an inventory of their response and recovery, internal and third-party resources that “captures the life cycle of an incident”.

They also urge banks to continually identify external and internal threats and potential failures in their people, processes and systems, and to establish operational resilience approaches that enable them to respond to and recover from disruptive events.

The committee says it wants to increase banks’ resilience against operational risks, including those arising from pandemics, cyber incidents, technological failures and natural disasters.

According to the paper, the covid-19 pandemic has exacerbated the operational risks stemming from banks’ recent reliance on technology infrastructures, and on third-party-provided technology, as the pandemic affects information systems, personnel, facilities and banks’ relationships with their providers.

It also highlights a spike in cyber threats including ransomware attacks and phishing attempts, and warns that greater reliance on virtual working arrangements is increasing the potential for operational risk events caused by people and failed processes and systems.

The consultation is open until 6 November.
