‘Operational resilience’ is the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them.
It is important for maintaining financial stability and confidence in the UK banking system. Extending beyond business continuity and disaster recovery, firms must have plans in place to deliver essential services, no matter what the cause of the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages and third-party supplier failure as well as natural hazards such as fire, flood, severe weather and pandemic flu.
As a central bank and as a regulator of financial organisations and financial market infrastructure, we have an important part to play in improving the resilience of the sector.
Governance around operational resilience
The operational resilience agenda is governed by a number of bodies, both inside and outside the Bank of England. The Bank’s Financial Policy Committee (FPC) looks at the cyber resilience of the system as a whole. Updates to the FPC’s priorities are published in the Financial Stability Reports. The Bank’s Prudential Regulation Committee and Financial Market Infrastructure (FMI) Board focus on the operational resilience of the firms and FMIs they regulate.
Our approach to operational resilience
We approach operational resilience in the same way as financial resilience: through supervising individual firms and financial market infrastructures and through engaging with sector forums, industry and international stakeholders to drive collective action.
Our operational resilience strategy and programme have three elements:
Targeting the right things
This element of our programme is about deciding which firms and parts of the system are most critical to UK financial stability. This in turn helps to identify where we should focus our efforts and determine what our tolerance for operational disruption should be.
We also keep up to date with the current threats to the finance sector and the sector’s vulnerabilities to those threats, so that we can determine the level of resilience required.
This includes setting out our expectations for the level of operational resilience we require of firms and developing our supervisory framework and tools for assessing operational resilience. Examples of such tools are the ‘Dear Chairman exercise’, which reviewed the technology and cyber resilience of the major retail deposit-takers in the UK, our cyber triage questionnaire and our CBEST threat-led assurance testing of cyber resilience to identify improvements required of firms.
The financial system is highly interconnected and many of the threats we face are global in nature. Therefore, another core part of our programme is cooperating with international partners such as the G7 and G20 countries.
Response and exercising
The third element of our operational resilience programme involves responding to operational shocks when they occur. This requires the financial sector and authorities to have well-rehearsed contingency plans and incident response processes, which are critical for minimising impact and continuing to deliver essential services to an acceptable level during operational disruption.
The UK financial authorities (HM Treasury, the Bank of England and the Financial Conduct Authority) have a single mechanism to coordinate a response to incidents that have affected, or have the potential to affect, the financial sector. It now includes the National Cyber Security Centre (NCSC) and, when appropriate, the National Crime Agency (NCA) for cyber incidents.
We regularly exercise our response frameworks together with the sector to prove plans work and identify improvements. This includes testing of communication lines, coordination arrangements and decision-making processes. We have organised several market-wide exercises to rehearse the sector’s response to bomb threats, a flu pandemic, severe weather, travel disruption and the Olympics. More recently we simulated and tested the industry’s response to an extended outage of the Bank’s real-time gross settlement system. Some of our exercises have led to the development of industry-owned resilience playbooks, which set out coordinated approaches to dealing with a particular scenario.
Given the increasing cyber threat, we have organised a series of cyber exercises to test the sector’s response to a large-scale cyber attack. We have also organised a cyber exercise with the US to improve cooperation between the two countries.