Hanging Tough: Operational Resilience is High on the Regulatory Agenda

May 10, 2021
The global COVID-19 pandemic has brought the topic of operational resilience to the top of the agenda for regulators worldwide. Here, we sum up some of the common areas of focus among the open operational resilience regulatory assessments and how they are influencing policymakers' actions going forward.

One advantage in having a global role is the opportunity to talk to colleagues, clients, and industry groups based around the globe. One of the biggest challenges of global regulatory horizon scanning is the fact that frequently there is a regulatory theme playing out globally, but there are many localized versions of the central theme to navigate. Regulatory fragmentation abounds with ESG, fund liquidity, and even cryptocurrency universal themes, but with regionalized (hence fragmented) rulemaking in flight. Another universal area of regulatory scrutiny is now Operational Resilience.

It is obvious that the onset of the global COVID-19 pandemic and the move to remote global workforce is heavily influencing policymaker’s recent actions in this regard. The COVID-19 pandemic has not just exacerbated operational risks, but also amplified economic and business uncertainty. Operational disruptions come in many forms and can result in material harm to investors. They can occur either at an entity level or be more widespread creating the possibility of systemic risk. The mix of investor protection and systemic risk married to the ongoing widespread uncertainty of the pandemic signifies that operational resilience will remain high on regulator agendas for the foreseeable future.

Before plunging into the myriad of market updates, let’s first define operational resilience. There isn’t particularly a uniform definition of the term, but most agree it relates to creating an effective risk management framework which identifies and prepares to mitigate risks of operational disruption with a view to minimizing disruption caused by such events. An operationally resilient firm is less prone to untimely outages or failures in their operating model due to unexpected disruption.

Regulators know that while it is not possible to avoid operational risks or disruption, such as a pandemic or a cybersecurity breach, it is possible to prepare and improve the resilience of a firm’s operational model to mitigate the impact of such events. And this is where once more the industry and regulators appear to have slightly divergent views. Recently, we touched on the fact that the global asset management industry believe that it managed the extraordinary events of March 2021 pretty well in terms of managing fund liquidity and portfolio volatility to meet the redemption needs of their investors. However, regulators globally continue to probe and ask certain “what if” questions with a view to bolstering fund defenses before the next big shock wave comes. Operational resilience is similar. Overall, the financial services industry and asset managers suggest that they managed the shift to remote working and unusual circumstances very well, showing that their operational models were generally resilient. However, this self-satisfied view is not fully shared by global policymakers who see several vulnerabilities from their own assessments.

I don’t wish to give a comprehensive view of all the open operational resilience consultations and papers that are open at the time of writing, that would be an extra-long (and tedious) article for all of us. However, should anyone be interested in the nitty gritty, we list ten distinct open operational resilience regulatory assessments in the bank and asset management space at the bottom of this piece for those who do enjoy their technical reading.

What is also notable from the various publications from global regulators is that even though they each have their own slant or particular slant on the various elements of operational resilience at their core, there is also a large degree of commonality contained in them. These focus areas fall into distinct categories:

Regulator Action Governance Risk Management Outsourcing
Risk based approach / proportionality Documentation of policies, procedures, and decision making Provider concentration risk Scrutiny on chain outsourcing (3rd & 4th level outsourced providers)
Control extraterritorial impacts Regular and robust testing of plans The evolution of business continuity post-pandemic
Focus on cloud usage
Conflict between global standards and regional regulations Crisis communication with multiple stakeholders (boards, regulators, and investors)
Consistency of approach for due diligence of delegates (initial and ongoing) and service providers in operational model Intragroup delegation treated with identical rigor to that of a 3rd party arrangement
Appetite for greater global consistency on definitions and principles Learning from events – formal assessments and attendant revisions to plan post event Formal identification of a hierarchy of functions in model from those deemed “critical” to those less important
Consideration of linkages, relationships, and interdependencies amongst various regulated entities Challenge of contractually enforcing regulatory requirements to critical third parties in your operational model (e.g. DORA in Europe imposed on U.S. service provider) Greater importance on scenario testing and stress testing of model in severe but plausible scenarios Use of unregulated firms (notably “fintechs”) by regulated firms
 Pros and cons of rules-based versus principles-based approach Service Level Agreements (SLAs) must be reviewed and acted upon if quality of service diminishes Incident management Growing probability of financial regulator supervision of critical/ larger unregulated third-party service providers (e.g. cloud or internet platform providers, social media, and others)

It is clear that the focus on Operational Resilience is great, it’s growing and it’s global. When you see the volume of policymaker actions on operational resilience (see below) it is evident that it is an area which is going to be front and center of our industry for the foreseeable future.

If you would like to get in touch with BBH’s subject matter experts or read more about how BBH is empowering clients to build efficient and resilient operational models, please visit our Investment Operations page.

Top 10 Open Operational Resilience Policy Documents

1.     SEC Office of Compliance and Examinations – Cybersecurity and Resiliency Observations

2.     EBA Guidelines on outsourcing arrangements

3.     ESMA Guidelines on outsourcing to cloud providers

4.     E.U. Digital Operational Resilience Act (DORA)

5.     IOSCO consultation on Principles for Outsourcing  

6.     FCA Building Operational Resilience – Policy Statement 21/03

7.     CBI CP140 Guidance on Operational Resilience

8.     CBI CP138 Guidance on Outsourcing

9.     EBA Guidelines on ICT and security risk management

10.  BCBS consultation on principles for operational risk management and operational resilience


Brown Brothers Harriman & Co. (“BBH”) may be used as a generic term to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries.This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. All trademarks and service marks included are the property of BBH or their respective owners.© Brown Brothers Harriman & Co. 2021. All rights reserved.IS-07291-2021-05-06

As of June 15, 2022 Internet Explorer 11 is not supported by BBH.com.

Important Information for Non-U.S. Residents

You are required to read the following important information, which, in conjunction with the Terms and Conditions, governs your use of this website. Your use of this website and its contents constitute your acceptance of this information and those Terms and Conditions. If you do not agree with this information and the Terms and Conditions, you should immediately cease use of this website. The contents of this website have not been prepared for the benefit of investors outside of the United States. This website is not intended as a solicitation of the purchase or sale of any security or other financial instrument or any investment management services for any investor who resides in a jurisdiction other than the United States1. As a general matter, Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) is not licensed or registered to solicit prospective investors and offer investment advisory services in jurisdictions outside of the United States. The information on this website is not intended to be distributed to, directed at or used by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. Persons in respect of whom such prohibitions apply must not access the website.  Under certain circumstances, BBH may provide services to investors located outside of the United States in accordance with applicable law. The conditions under which such services may be provided will be analyzed on a case-by-case basis by BBH. BBH will only accept investors from such jurisdictions or countries where it has made a determination that such an arrangement or relationship is permissible under the laws of that jurisdiction or country. The existence of this website is not intended to be a substitute for the type of analysis described above and is not intended as a solicitation of or recommendation to any prospective investor, including those located outside of the United States. Certain BBH products or services may not be available in certain jurisdictions. By choosing to access this website from any location other than the United States, you accept full responsibility for compliance with all local laws. The website contains content that has been obtained from sources that BBH believes to be reliable as of the date presented; however, BBH cannot guarantee the accuracy of such content, assure its completeness, or warrant that such information will not be changed. The content contained herein is current as of the date of issuance and is subject to change without notice. The website’s content does not constitute investment advice and should not be used as the basis for any investment decision. There is no guarantee that any investment objectives, expectations, targets described in this website or the  performance or profitability of any investment will be achieved. You understand that investing in securities and other financial instruments involves risks that may affect the value of the securities and may result in losses, including the potential loss of the principal invested, and you assume and are able to bear all such risks.  In no event shall BBH or any other affiliated party be liable for any direct, incidental, special, consequential, indirect, lost profits, loss of business or data, or punitive damages arising out of your use of this website. By clicking accept, you confirm that you accept  to the above Important Information along with Terms and Conditions.

1BBH sponsors UCITS Funds registered in Luxembourg, in certain jurisdictions. For information on those funds, please see bbhluxembourgfunds.com

captcha image

Type in the word seen on the picture

I am a current investor in another jurisdiction