Lisa Huang and Shannon Wong offer guidance on making a timely start to compliance with HKMA’s new operational resilience framework.
With threat drivers on the increase, from global pandemics to geopolitical risk, regulators around the world are keen for financial institutions to strengthen their operational resilience. The Hong Kong Monetary Authority (HKMA) is no exception and has proposed significant changes to its supervisory policy manual to ensure that banks within its remit are well prepared and aligned with Basel Committee principles released in March 2021.
The results of the HKMA consultation on the changes, which closed in February 2022, are now being considered – the compliance clock starts ticking as soon as the new rules are finalised. Banks will need to make a timely start to their compliance journey if they are to turn operational resilience into a continuously improved organisational capability rather than a tick-box exercise.
Timelines – and getting going
Under the HKMA’s proposed timeline, within one year of the finalised release following the consultation, banks are expected to have developed an operational resilience framework – largely Steps 1 and 2 in our sample timeline below. They also need to have set out their own bespoke timeline, indicating when they will have implemented the framework and become operationally resilient.
After that first year, banks are expected to become operationally resilient as soon as possible, though HKMA allows up to two further years for institutions of different sizes and complexity.
Firms should not delay setting out a plan of action and considering the first two steps recommended by the regulator, reviewed below, so they can build in features to make their operational resilience programme more thorough, efficient and adaptive.
Step 1: Determining operational resilience parameters
HKMA recommends that firms test their ability to remain within their impact tolerances for each of their critical business services in the event of a ‘severe but plausible’ disruption of operations. The test results will reassure banks about their resilience or indicate where things need to be improved.
To do this, banks will first need to identify their critical operations, set impact tolerances and specify the most appropriate ‘severe but plausible’ scenarios. Perhaps the key challenge here is that these must all be customised to each institution. That means significant communication with stakeholders – who may not all agree on tolerances – and appropriate selections based on the bank’s unique offerings, as well as an understanding of how critical functions may be reprioritised during major operational risk events.
Step 2: Mapping interconnections and interdependencies underlying critical operations
HKMA will expect firms to have a comprehensive understanding and mapping of the systems and processes that support critical business services. This includes systems and processes over which the firm may not have direct control due to outsourcing and reliance on third-party service providers.
The primary challenge here is identifying interdependencies, including those generated by multi-layered supply chains. This is a complex problem that may be best approached by deploying what we call a ‘Digital Twin’ approach. This involves creating a digital representation of a company’s real systems – which can be navigated layer by layer to visualise and identify interconnections without disturbing daily operations.
Adaptability and continuous improvement are key
Banks will then need to press on to cover the other steps set out by the regulator – Steps 3-4 in our sample timeline. These include managing risks to critical operations, such as cyber security vulnerabilities, and testing the bank’s ability to deliver critical operations under severe but plausible scenarios, as well as testing response and recovery capabilities.
Across all these steps, banks should aim to build an approach that can be continuously improved. This takes a little more planning but will pay dividends in terms of future responsiveness and efficiency of the resilience programme.
For example, we mentioned above the ‘Digital Twin’ approach. Once this is in place, it can be used as an efficient tool to explore the bank’s underlying vulnerabilities going forward, including exploring any implications when bank operations change their shape. (Additionally, the tool can be used to optimise processes beyond operational resilience.)
Another example is the training that can help staff take decisions in an emergency. For instance, the ‘OODA Loop’ is an effective framework used by militaries to respond better and faster in unstable environments. Each of the four phases (observe, orient, decide and act) is taken in isolation, improved in terms of both accuracy and time, and then recombined and run at a fast pace to retain the initiative. OODA Loop exercises can be run during business continuity testing, and the results can be used as a tool to continuously improve the bank’s responses and recovery procedures, as well as its decision-making in a highly unstable environment.
To make their programmes more adaptive and responsive, banks can also consider incorporating early warnings of operational risk exposures, and operational resilience testing results, into reporting dashboards. They can also deploy new technologies to accelerate threat detection and reduce human and physical dependencies. Expediting cloud adoption and process automation can mitigate physical dependencies, while easy-to-scale AI and chatbot deployments offer ways to support customers during periods of potentially overwhelming demand triggered by a crisis.
First mover advantage?
Bank operating models are evolving fast and the wider environment can change in a heartbeat, as the pandemic still raging in the APAC region reminds us. By making a timely start to complying with the revised HKMA supervisory policy manual, banks can build an efficient ‘adapt and learn’ approach that takes account of the latest practices and technologies – and that goes a lot further than ticking boxes.
This article was contributed by Shannon Wong, Consultant at Capco APAC, and Lisa Huang, Senior Consultant at Capco APAC.