You have probably heard about the recent FINMA publication on the revision of “Circular 2023/1 Operational risks and resilience – banks”, which will replace the previous circular 2008/21 “Operational risks – banks”. This circular will come into force on January 1, 2024, and brings major changes for your organization, starting with the title and its mention of operational resilience. Swiss banks, insurance companies and financial institutions will all have to comply with it within the year… Time is short and the workload is high!
So, what is in this new circular? What are the new changes? And how does your company comply? We will answer all these questions for you.
What is in FINMA 2023/1 circular?
The 2023/1 circular “Operational risks and resilience – banks” concerns risk management and business continuity in the banking sector. It also incorporates elements from the Basel Committee on Banking Supervision (BCBS). It aims to develop practices in line with international standards on resilience and to meet the challenges of the growing digitalization process.
As mentioned earlier, this revision of the FINMA circular includes additional principles regarding operational resilience. There are now 8 of them:
- Overarching operational risk management
- ICT risk management: ICT strategy and governance, change management, ICT operations (run and maintenance), incident management
- Cyber risk management
- Critical data risk management
- Management of risks from cross-border service business
- Business continuity management
- Operational resilience
- Continuation of critical services during the resolution and recovery of systemically important banks
Operational risks are really difficult to quantify. An example of this is the risk of fraud. In this case we can quickly come to the conclusion that no organization is really safe from such a risk, because it can come from the outside as well as from the inside. In addition, estimates of the financial impact cannot be relied upon. For this reason, FINMA has refined its supervision of risk management.
Financial institutions must therefore have a comprehensive risk management concept. It must enable you to cover all types of risks across all your activities, but also to effectively identify, analyze, evaluate and manage significant risks. Lastly, it has to bring coherence, so that all control functions can interact with each other and share their views with the board in a coordinated way.
Finally, this circular sets out the recommendations for Business Continuity Management (BCM). These set out the framework that companies must follow in order to guarantee the continuity of their services in the event of a crisis. In connection with BCM, FINMA addresses the topic of operational resilience in companies based on the “Principles of Operational Resilience” published by the BCBS.
Want to learn more about resilience? Read our white paper on resilience in your organization, written with our partner Pragm@TIC!
What are the new changes?
FINMA has evolved the principles of this circular to align with other regulatory provisions in the areas of digitization and Information and Communication Technology (ICT), cyber risk, and critical data processing. It also incorporates operational resilience as an extension of the previous regulatory standards for business continuity management (BCM).
Principle 2: ICT risk management
Concerning ICT risks, the FINMA circular requires sound change management and ICT operations, ensuring the separation of test and production environments, as well as sound incident management. This principle is directly linked to the former principle on IT infrastructure.
Principle 3: Cyber risk management
Cyber risk management imposes a duty to inform FINMA of cyberattacks, but this duty is not new. However, institutions are required to set up a strategy that includes processes and tests to:
- Identify specific and potential threats related to cyberattacks.
- Protect the privacy, integrity and availability of critical electronic data and the ICT components.
- Quickly detect cyberattacks.
- Respond to vulnerabilities and quickly restore business operations after a cyberattack.
Principle 4: Critical data risk management
This principle sets out more qualitative requirements than the BCBS documents, calling for specific protection of critical data with regard to aspects such as data privacy, integrity and availability:
- Limited access for employees (only the ones who need to know)
- Supervisory training
- Protection and monitoring of data stored outside Switzerland
- Due diligence of service providers who process this data
This responsible approach to data management significantly reduces risk.
Principle 7: Operational resilience
With the number of operational disruptions rising (cyberattacks, supply shortages…), institutions are required to identify and protect against potential threats and failures, respond to them, and restore normal operations. Principle 7 is therefore very similar to principle 6 on BCM. Operational resilience ensures that things keep working and prevents organizational dysfunction.
How to comply with the new FINMA circular?
Many roles will be impacted within your organization: the risk manager, the chief information security officer (CISO), the business continuity manager, the executive committee, the board of directors… It is important to implement a system that breaks down the silos between the systems and structures you already have in place, and thus draws on your collective intelligence.
Here is a non-exhaustive list of practices that you can already implement that will help your company achieve compliance:
- Integrate all elements of risk management. This includes your strategy, but also your risk tolerance, the inherent risks you face, the control risks you accept, and any residual risks.
- Take a holistic approach (a proper governance system) that includes identifying, assessing and managing your critical systems, data, processes and applications.
- Set up a well-balanced concept for all your control functions. This requires a common vocabulary and common methodologies, but also a single categorization of risks and the notion of coherence developed earlier, so that management can compare the different views against each other.
- Implement business continuity management, operational resilience and data protection.
We offer a dedicated cockpit that allows you to steer the 360° health of your business. Ensure you have the right organization while mitigating your operational risks and increasing your resilience!
Do you want a turnkey solution adapted to your company? Take advantage of our network of partners, who will accompany you in the analysis, consulting and integration phases of smartcockpit, with a clear and efficient approach. Simplify your life with smartcockpit!
Contact us for more information.
Are you looking to develop the value of your organization in a sustainable way? A new white paper is coming very soon. Stay tuned 😎