Miles Lancaster
Architecture, Compliance, and Security
Operational resilience remains one of the top priorities for regulators and leaders around the world. But keeping track of every new operational resilience regulation that is enacted around the world is no easy task.
As an organizational leader, you might be grappling with the constant stream of regulatory updates and tech innovations that could either fortify or compromise your business.
That’s why our team, who keeps a firm grasp on the pulse of legislative movements worldwide, wrote this article. Below, we will navigate the latest operational resilience frameworks around the world, from the EU’s Digital Operational Resilience Act (DORA) to the SEC’s consolidation efforts in the United States.
We will arm you with insights into how various nations are responding to this crucial topic, especially as businesses become more dependent on technology.
With more and more of the world’s infrastructure relying on digital platforms, the world’s regulators have stepped up. For example, proactive risk management around Critical Third-Party Providers (CTPPs) has been a focus of the United Kingdom’s recent legislation. It’s no surprise, as this increase in digital dependence has amplified IT risk.
Which Nations are Preparing for Operational Resilience Regulations? Via Norton Rose Fulbright Report
But it’s not just the United Kingdom that is changing its policies. Here are some highlights of the major global movements around operational resilience.
Global – The Basel Committee on Banking Supervision issued Principles for Operational Resilience and updated Principles on Outsourcing in 2021.
United States – Exam Priorities issued by the SEC Division of Examinations reflected the efforts of U.S. banking regulators to consolidate their operational resilience guidance into a single paper, “Sound Practices to Strengthen Operational Resilience.”
Canada – The Office of the Superintendent of Financial Institutions (OSFI) revised its consolidated guidance on operational risk management for Federally Regulated Financial Institutions (FRFIs). OSFI also revised its guidelines on third-party risk management and issued guidelines on how FRFIs should manage technology and cyber risks.
EU – Most European countries are supportive of DORA, and many have already published local legislation that aligns to DORA requirements. If you’re interested in learning more about DORA, check out this article that discusses the EU’s DORA framework.
Australia – The Australian Securities and Investments Commission (ASIC) issued market integrity rules to promote operational resilience of securities and futures markets operators and participants. The Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 230 to strengthen management of operational risks in the banking, insurance and superannuation industries.
Hong Kong – The Hong Kong Monetary Authority (HKMA) issued a Supervisory Policy Manual (SPM) module on operational resilience together with a revised version of the SPM module on business continuity planning.
Singapore – The Monetary Authority of Singapore (MAS) has issued an information paper on operational risk management and the management of outsourcing and third parties. It also encourages non-bank financial institutions to adopt the good practices in the information paper where relevant.
Compliance has proven to be a time-consuming endeavor for European financial firms, as evidenced by this year’s regulatory deadlines. By March 31, 2022, UK firms were required to:
Pinpoint and map their essential business services
Establish impact thresholds
Launch a scenario testing program
All of this was in conformance with new regulations from the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA).
The buildup to this date was filled with frantic activity as regulated firms rushed to achieve compliance while simultaneously detecting and reconciling inconsistencies across their operations. Despite fulfilling the 2022 regulatory obligations, many of those firms with operations in the EU still have a significant path to traverse in order to reach comprehensive resilience by DORA’s 2025 deadline.
These UK and EU regulations are an example of why it’s vital to improve your operational risk management workflows sooner rather than later, no matter where your organization is located.
Changing your ITOps workflow is not as easy as flipping a switch. Driving that change requires working smarter, not harder, to reduce your IT risk.
It is likely that the following trends will intensify in the future:
Businesses become ever more reliant on technology
Software and software interdependencies become increasingly more complex
Disjointed software defect management processes among ITOps teams inhibit effective risk management
We believe that the only path forward is to use software to solve software problems.
That’s why we created BugZero. It’s the only automated platform that focuses on operational defect risk management. It integrates with your ITSM tool to collect, filter, correlate, and track non-security third-party software defects.
Learn more about what BugZero can do and how we can help fortify your operational resilience!