Revision FINMA RS Operational Risks Banks: The most important changes.

Close the gap

On December 13, 2022, FINMA published Circular RS 2023/01 Operational risks and resilience of banks. It comes into force on January 1, 2024 and replaces the previous RS 2008/21. RS 2023/01 also adopts the existing requirements Principles for the Sound Management of Operational Risk (PSMOR) and Principles for Operational Resilience (POR). In this article we summarize the most important changes.

Principle 1 – General requirements for the management of operational risks

The revision contains a significantly expanded specification of the roles for assessing the effectiveness of measures and the minimum scope of reporting in connection with operational risks. This is primarily intended to counter the misinterpretations frequently identified in practice in the previous FINMA RS 08/21. Institutions that already consider ICT and cyber risks as well as risks relating to critical data in their operational risk management should have little need to adapt.

Principle 2 – Management of ICT risks

The revision replaces the previous Principle 4 “Technology infrastructure”. Its content is largely superseded by the requirements of the BCBS, which already reflect FINMA’s supervisory practice. This relates in particular to the formulation of incident management in coordination with the areas of disaster recovery (DR) and business continuity management (BCM), as well as regular reporting. Another new feature is the anchoring of the duty to report significant disruptions in accordance with FINMASA Art. 29.

Principle 3 – Management of cyber risks

This principle primarily contains clarifications of existing supervisory practice and defines the roles, responsibilities and processes for the collection, assessment and documentation of cyber risks, as well as regular reporting. The significant changes relate to the anchoring of the reporting obligation in accordance with FINMASA Art. 29 and the requirement to conduct scenario-based cyber exercises.

Principle 4 – Managing the risks of critical data

The current FINMA RS 08/21 primarily defines the requirements for the protection of electronic client data. This definition is extended in the revision and is intended to apply to all data classified as critical in terms of confidentiality, integrity or availability. The provisions also include the selection, training, monitoring and regular review of privileged access, as well as the implementation of a role and function-specific authorization system.

These requirements largely correspond to security practice today and many institutions have probably already implemented corresponding measures. Depending on the organizational structure and/or the degree of maturity of the implementation, however, there may still be a need for action in this area, which should be planned for at an early stage.

Principle 5 – Management of risks from the cross-border services business

These requirements correspond to the previous Principle 7 and do not contain any significant changes.

Principle 6 – Business Continuity Management (BCM)

This principle formulates the requirements for the Business Impact Analysis (BIA) and the Business Continuity Plans (BCP). It also contains the requirements for the crisis team, periodic tests and regular reporting to the management. This largely implements the SBA’s previous recommendations in coordination with the BCBS and therefore does not contain any significant changes for institutions that already follow these standards.

Principle 7 – Operational resilience

This principle is new and essentially defines the coordination between the relevant components of risk management such as the management of operational risks, ICT/cyber risks, business continuity management, the management of outsourcing (see FINMA RS 2018/3 “Outsourcing”) and emergency planning. The principle formulates the specific requirements for the identification of critical, system-relevant processes, notification and adjustment in the event of significant changes, as well as regular testing and reporting. In the revised circular, FINMA addresses both business continuity management and operational resilience requirements. At first glance, these seem to overlap, but they differ in their objectives.

Figure: Convergence of the protection goals of BCM and operational resilience

While BCM covers all critical processes in connection with the institution’s business performance, operational resilience focuses on the systemically relevant functions. This means that the requirements for operational resilience depend heavily on the respective systemic relevance of the institution. The transition period for achieving operational resilience should be 3 years, with critical functions being identified after just one year.

Principle 8 – Continuation of critical services in the resolution and restructuring of systemically important banks

These requirements correspond to the previous Principle 6 and do not contain any significant changes.

The implementation effort depends heavily on the degree of maturity of existing practice

FINMA points out that the principles of the revised Circular apply in principle to all addressees, but must still be implemented in individual cases according to size, complexity and structure, as well as the respective risk profile. Irrespective of this, institutions that have already implemented best practice standards in risk and business continuity management are likely to have a more manageable effort to implement these guidelines.

Pragmatica helps with the planning and implementation of the new FINMA guidelines

Do you need support in implementing the new regulations? Our teams of experts in the areas of risk and continuity management, as well as information and cyber security, take the pressure off your valuable resources and help you to analyze your institution’s need for action and implement it in a targeted and efficient manner.
