Building Resilience through Robust Operational Risk Management
Shankar Bhaskaran, Managing Director – India, MetricStream
In July 2024, a faulty CrowdStrike software update for Windows hosts triggered a massive IT outage worldwide, bringing global operations to a halt. Airports shut down, financial institutions faced major disruptions, stock exchanges were thrown into chaos, and healthcare systems ground to a standstill.
Fortunately, in India, the impact was limited to ten banks and non-banking financial companies (NBFCs), according to the Reserve Bank of India (RBI). However, shortly after, on July 31, C-Edge Technologies, which manages critical systems for many cooperative and rural banks, experienced a suspected ransomware attack. The National Payments Corporation of India (NPCI) confirmed that the incident impacted around 300 banks across India.
In the past, banks and financial institutions in India have also been affected by widespread disruptions. In October 2016, a data breach that compromised 3.2 million debit cards affected major Indian banks including SBI, HDFC, ICICI, YES Bank and Axis Bank. It led to one of India's most extensive card replacement drives, with SBI alone replacing nearly 600,000 debit cards.
Then there was the worst crisis of our generation, the COVID-19 pandemic, when all organizations, including banks and financial institutions, had to transition to remote work and scale digital services within days while facing an unprecedented health crisis.
Now, even though the pandemic may be over, it is clear that it won't be the last major crisis we encounter. The World Economic Forum's Global Risks Report 2024 highlights an increasingly complex risk landscape across several areas, including cyber insecurity, extreme weather events and geopolitical conflict. Risks are growing in scale, speed and interconnectedness, while cyber threats evolve across both legacy systems and emerging technologies.
Shifting Focus to Operational Resilience
Operational resilience has long been a regulatory concern. In 2018, the Bank of England, the UK's Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) jointly published a discussion paper on strengthening the operational resilience of firms and financial market infrastructures.
In 2021, the Basel Committee on Banking Supervision (BCBS) published its "Principles for Operational Resilience", emphasizing that while events such as pandemics cannot be avoided, organizations can certainly prepare for them.
At its heart, resilience equips an organization to foresee, manage and recover from disruptions with minimal impact. It is not just about backing up data or writing contingency plans; it is about identifying and addressing potential threats before they escalate into full-blown incidents.
Resilient organizations are ready for whatever comes their way. They have laid the groundwork with comprehensive business continuity, incident management and recovery processes. What sets them apart is their proactive approach to assessing and mitigating risks, preventing disruptions before they occur rather than only reacting to them.
As operational resilience becomes more crucial to the stability of organizations and industries, a wave of new regulations addressing the topic has emerged worldwide.
On April 30, 2024, the RBI released an updated Guidance Note on Operational Risk Management and Operational Resilience, replacing the previous 2005 version. The new guidelines align RBI regulations with the Basel Committee on Banking Supervision (BCBS) Principles and international best practices.
The introduction of the guidance note emphasizes the importance of robust operational risk management for all financial sector-regulated entities (REs). It outlines how operational disruptions can impact consumers, threaten the sustainability of an RE and undermine financial stability. The note also details the various operational risks REs face, covering areas such as people, processes, technology, and external events. It stresses that proactively identifying, assessing, and managing these risks is vital to ensuring operational resilience.
Internationally, several global regulatory bodies have also introduced guidelines to strengthen operational resilience across financial sectors. These include the US Federal Reserve Board's operational resilience guidance, the Australian Prudential Regulation Authority's Prudential Standard CPS 230 on Operational Risk Management and the EU's Digital Operational Resilience Act. In Canada, the Office of the Superintendent of Financial Institutions has released Guideline E-21 on operational risk and resilience. At the same time, the Central Bank of Ireland provides Cross-Industry Guidance on Operational Resilience. Similarly, the Monetary Authority of Singapore and the Hong Kong Monetary Authority have outlined their operational resilience frameworks to enhance the stability and preparedness of financial institutions.
Although each of these regulations has specific requirements, they all emphasize operational risk management (ORM) as a critical component of operational resilience.
Stronger ORM, Stronger Resilience
BCBS said in their Principles, "Operational resilience is an outcome that benefits from the effective management of operational risk."
So, how can organizations improve their management of operational risks to enhance resilience?
Build a Strong Base
Organizations need to build operational resilience by implementing effective ORM frameworks. This includes defining risk tolerance, identifying critical operations and assets, conducting risk assessments and implementing controls.
Quantify Risks for Assessing Impact
Measuring operational risks in monetary terms helps organizations make data-driven decisions on risk mitigation, resource allocation and strategic planning.
Understand Risk Interconnections
Recognizing how operational risks are interconnected allows businesses to develop more comprehensive response strategies, reducing the overall impact of disruptions. The C-Edge incident is a case in point: one third-party provider's outage became an outage at hundreds of banks that depended on it, so a risk assessed in isolation, institution by institution, would have understated the exposure.
Plan for Risk Scenarios and Responses
Simulating risk scenarios and having pre-defined response plans helps organizations act quickly and reduce downtime and financial losses during disruptions.
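The three points above (quantifying risk in monetary terms, understanding interconnections, and simulating scenarios) can be shown together in one worked illustration. The following Python is an added example, not code from the article or from MetricStream. It uses three constructed scenarios whose probabilities, loss ranges and units (crore INR) are illustrative assumptions, not figures from the page. Each scenario has an annual probability and a 90% confidence interval for its loss, fitted to a lognormal distribution. The payment-disruption scenario is then made conditional on the vendor outage while keeping its marginal annual probability unchanged, so that the expected annual loss is identical in the independent and the correlated model and only the tail of the simulated loss distribution (the 99th-percentile year) reveals the dependency.

```python
"""Monte Carlo quantification of operational risk scenarios (added example).

Shows why expected annual loss alone hides the effect of interconnected
risks: two models with identical expected loss but different tails.
All scenario figures below are constructed, illustrative assumptions.
"""
import math
import random
from dataclasses import dataclass

# z-score of the 95th percentile of the standard normal; a 90% interval
# [low, high] spans mu -/+ 1.645 sigma in log space.
Z_90 = 1.645


@dataclass(frozen=True)
class Scenario:
    """A risk scenario: annual probability plus a 90% confidence interval
    [loss_low, loss_high] for the loss (crore INR, illustrative) if it occurs."""
    name: str
    annual_probability: float
    loss_low: float
    loss_high: float

    def lognormal_params(self):
        """Fit ln(loss) ~ Normal(mu, sigma) so [low, high] is the 90% interval."""
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * Z_90)
        return mu, sigma

    def expected_loss_given_occurrence(self):
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal

    def expected_annual_loss(self):
        return self.annual_probability * self.expected_loss_given_occurrence()


# Constructed scenarios (hypothetical numbers, not from the article).
VENDOR_OUTAGE = Scenario("critical vendor outage", 0.05, 5.0, 50.0)
PAYMENT_DISRUPTION = Scenario("payment service disruption", 0.05, 2.0, 20.0)
CARD_BREACH = Scenario("card data breach", 0.03, 1.0, 10.0)
SCENARIOS = [VENDOR_OUTAGE, PAYMENT_DISRUPTION, CARD_BREACH]

# Assumed: if the shared vendor goes down, payments are disrupted 80% of the time.
P_PAYMENT_GIVEN_OUTAGE = 0.8


def conditional_probs(dependent, trigger, p_given_trigger):
    """Return (P(dependent | trigger), P(dependent | not trigger)) such that the
    dependent scenario's marginal annual probability stays unchanged."""
    p_not = (dependent.annual_probability
             - trigger.annual_probability * p_given_trigger) / (1 - trigger.annual_probability)
    if p_not < 0:
        raise ValueError("conditional probability too high for the marginal")
    return p_given_trigger, p_not


def analytic_expected_annual_loss(scenarios):
    """Closed-form expected annual loss: sum of probability * mean loss."""
    return sum(s.expected_annual_loss() for s in scenarios)


def simulate_annual_losses(scenarios, dependencies, trials, seed=1):
    """Simulate `trials` years of total loss. `dependencies` maps a scenario
    name to (trigger_name, p_if_trigger, p_if_not_trigger); triggers must
    appear before their dependents in `scenarios`."""
    rng = random.Random(seed)
    params = {s.name: s.lognormal_params() for s in scenarios}
    losses = []
    for _ in range(trials):
        occurred, total = {}, 0.0
        for s in scenarios:
            if s.name in dependencies:
                trigger, p_if, p_if_not = dependencies[s.name]
                p = p_if if occurred[trigger] else p_if_not
            else:
                p = s.annual_probability
            occurred[s.name] = rng.random() < p
            if occurred[s.name]:
                mu, sigma = params[s.name]
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def summarize(losses):
    """Expected annual loss and the 99th-percentile (1-in-100) year."""
    ordered = sorted(losses)
    n = len(ordered)
    return {"expected": sum(ordered) / n,
            "p99": ordered[min(int(0.99 * n), n - 1)]}


def compare(trials=200_000, seed=7):
    """Independent scenarios vs. payment disruption conditioned on the outage."""
    p_if, p_if_not = conditional_probs(PAYMENT_DISRUPTION, VENDOR_OUTAGE,
                                       P_PAYMENT_GIVEN_OUTAGE)
    deps = {PAYMENT_DISRUPTION.name: (VENDOR_OUTAGE.name, p_if, p_if_not)}
    return {
        "analytic_expected": analytic_expected_annual_loss(SCENARIOS),
        "independent": summarize(simulate_annual_losses(SCENARIOS, {}, trials, seed)),
        "correlated": summarize(simulate_annual_losses(SCENARIOS, deps, trials, seed)),
    }


if __name__ == "__main__":
    result = compare()
    print(f"analytic expected annual loss: {result['analytic_expected']:.2f}")
    for model in ("independent", "correlated"):
        r = result[model]
        print(f"{model:12s} expected={r['expected']:.2f}  p99={r['p99']:.2f}")
```

The expected annual loss comes out the same in both runs (and matches the closed form), which is exactly why budgeting on expected loss alone is misleading: the 99th-percentile year is materially worse once the payment scenario is tied to the vendor outage. Capital, insurance and recovery planning should be sized against that tail, and the dependency assumption (here P_PAYMENT_GIVEN_OUTAGE) is the input most worth challenging in a scenario workshop.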
Align ORM with Business Continuity
Integrating ORM with business continuity and disaster recovery plans ensures organizations can maintain essential services during and after disruptions.
Build a Risk-Aware Culture
Training employees to identify and manage risks across all levels ensures that issues are flagged early and addressed quickly, with incentives encouraging proactive behaviour.
Leverage Technology for ORM
A centralized ORM platform streamlines risk management by consolidating data, automating assessments and using AI to predict trends. This allows faster and more informed responses to risks.
Summing it up
In the banking and financial sectors, operational resilience and ORM are pivotal. Risk managers must evolve strategies to meet emerging challenges and ensure business continuity readiness.
A robust ORM solution that equips organizations with tools to identify, assess, mitigate, monitor and report risks is helpful. Such platforms provide automated workflows and real-time reporting while integrating risk management into business continuity and recovery processes.