Operational risk management

• Operational Resilience of Critical Functions: establishing disruption tolerance, preventive remediation measures, Incident and crisis management • Managing risks: ICT, Cyber, Third Party Risk Management, externalised AI • Evolution of banking processes: extension of working hours at stock exchanges, acceleration of the settlement process, integration of the blockchain and AI

Operational Resilience of Critical Functions

What is Operational Resilience? How does it differ fundamentally from Business Continuity Management?

• Difference between BCM objectives (addressing isolated failures) and operational resilience (overcoming a major/general crisis where traditional continuity management measures would be ineffective).
• Operational resilience covers the entire value chain rather than isolated ICT processes and systems.
• Importance of defining and documenting tolerances for each critical function: tolerances should specify the minimum level of service and results required for a critical function to operate during a crisis.

The process of establishing disruption tolerance and minimum service levels in a crisis: rationale, justification, documentation

• Defining disruption tolerance for critical functions is more complex than initially expected.
• Collecting data to rationalize the defined minimum service level and results.
• Documenting disruption tolerance in a results-based objective statement, along with justifications and additional data/evidence supporting the chosen tolerance level.
• Assessment of work conducted to determine tolerances for critical functions: misunderstandings, poor practices, best practices.
• Practical application of disruption tolerances for critical functions such as payments, securities, and treasury.

Vulnerabilities and preventive remediation measures

• Regulatory requirements for identifying vulnerabilities and implementing remediation measures.
• Preventive measures to reduce vulnerabilities (examples) and protective measures.
• Practical application to critical functions such as payments, securities, and treasury.

Incident and crisis management: regulator expectations, lessons from crisis experiences in financial intermediaries

• Requirements for crisis management preparedness.
• Differences between an incident, a crisis, and an attack; isolated failure vs. general crisis.
• Scenario-based preparation.
• Detecting crises.
• How to manage/respond during a crisis and an attack; recovery measures and maintaining normal operations during a crisis.
• Priorities during a crisis.
• Lessons from financial intermediaries that have faced crises.

Operational Risk Management
Vulnerabilities, tolerances, mitigation measures, controls, tests, exercises

ICT Risk Management

• Objectives and expectations under Circular 2023/1: inventory, backup recovery and testing, incident controls.
• Mitigation measures.
• Practical application, failures, best/bad practices.

Cyber Risk Management

• Objectives and expectations under Circular 2023/1: vulnerability assessments, penetration testing, exercises.
• Actions to be taken: defining risk appetite and tolerance for cyber risks; introducing key controls within the internal control system; regular review of control effectiveness.
• Specific exercise requirements outlined in FINMA Guidance 03/2024: solutions, best practices.
• Mitigation measures.
• Practical application, failures, best/bad practices.

Managing risks related to critical data

• Objectives and expectations under Circular 2023/1: identification and categorization of critical data, defining responsibilities for data access rights, due diligence on suppliers, concrete and relevant risk tolerance statements, identification of vulnerabilities.
• Mitigation measures.
• Practical application, failures, best/bad practices.

Third Party Risk Management

Third Party Risk Management (TPRM): Focus topics for banks and regulators

• Why Third Party Risk Management matters
• Practical challenges in the management and monitoring of third parties
• Changing regulatory focus: from compliance to operational resilience
• New BCBS principles on TPRM and potential implications for Swiss banks
• Good practice approach for a future-proof TPRM

New Challenges

New operational stakes: risk factors, impacted functions, food for thought

Market practices require rapid and significant adaptation of operational banking processes (extension of working hours at stock exchanges, acceleration of the settlement process, integration of the blockchain and Artificial Intelligence)

• What factors must be taken into account?
• How to integrate these factors in the analysis of operational risks?
• Who are the impacted stakeholders?
• Which measures should be considered ?

What are the Swiss and European regulatory requirements for artificial intelligence applications? What precautions should be taken against the risks of outsourced AI?

• FINMA expectations: governance and responsibility; robustness and reliability; transparency and explainability.
• The new European AI Regulation.
• Risks of outsourced AI: ensuring data remains in Switzerland while AI engines are hosted abroad.