On 13 December 2022, the Swiss Financial Market Supervisory Authority (FINMA) published a fully revised Circular 2023/1: Operational Risks and Resilience, which comes into force on 1 January 2024. The circular integrates the principles of the Basel Committee on Operational Resilience into FINMA’s regulatory regime and widens the scope of firms subject to the requirements.
The update is driven by recent technological developments, heightened risks around data, and the overarching desire to improve the governance of Operational Risk in Banks and Securities firms in Switzerland. It is important to note that Operational Resilience regulation is already live in the UK and is on the horizon for the EU regulator, ESMA (European Securities and Markets Authority).
Designing the solution is not straightforward
Compliance with the principles of the circular is not prescriptive and each firm must design its own framework depending on size, complexity, structure, and risk profile. This leaves firms open to significant interpretation of the requirements and design of a bespoke solution. There cannot be a market-standard response – with each firm acting in a silo – so how do firms know if they are on track?
It is insightful to refer to the UK Financial Conduct Authority’s (FCA) recent Operational Resilience regulation, which is closely aligned with the Swiss requirements. The UK regime is already in force and there are interesting lessons to take from how firms have responded.
Challenges and common pitfalls we’ve come across
- Overcomplicating Operational Resilience
- Confusing processes for end-to-end business services
- Prioritising between what the regulator expects and what is practical
- Gaining cross-functional buy-in
- Embedding an Operational Resilience culture across the organisation
- Ensuring the Board understands their responsibility and accountability
- Setting appropriate impact tolerances
- Understanding the lines of responsibility when critical processes are outsourced
- Managing third parties where the current arrangements are not adequate for the firm’s operational resilience framework
For further insight into how firms in the UK are progressing with their responses, please refer to Sionic’s recent Operational Resilience survey here.
Given the challenges laid out above, it is understandable that firms are hesitant and slightly unsure of their strategy. However, there are common themes that significantly enhance the chance of a strong response and put firms in a good position to meet their obligations.
- Confirm an adequate governance structure to oversee the design, implementation, and ongoing management of the firm’s response
- Comprehensive scoping of all services and clear identification of critical business services
- Design appropriate management reporting and control frameworks to support identification and management of vulnerabilities
- Appointment of a Chief Data Officer (or expansion of the role) to manage data security, availability, and confidentiality
- Include third parties early in the design process and ensure contractual alignment
- Carefully select pilot cases and design robust scenario testing, implementing lessons learned
- Ensure the Board are fully engaged and aware of their responsibilities
- Engage consulting support to accelerate the firm’s response and help ensure the solution is in line with market practice – do not be the outlier!
Our award-winning team of specialists advises firms internationally on all aspects of operational resilience. If you would like to discuss any aspect of this article or our practical approach, please contact us.
Read more on this topic:
- Sionic ‘Operational Resilience Market Insights’ Survey 2023
- Operational Resilience – the Culture Conundrum
- Sionic ‘Operational Resilience Market Insights’ Survey 2022
- Operational resilience: a game of three halves
- Third Parties – Solution or Achilles heel?
- Making Operational Resilience real
- Scenario testing: passing the practical and the theory