Irelands’ Financial Service Sector Guidance on Operational Resilience

Vinod Menon
Head – Customer Success
Vinod Menon
Head – Customer Success

The Central Bank of Ireland`s objective of this guidance is to communicate to industry how to prepare for, respond to and recover and learn from an operational disruption that affects the delivery of critical or important business services. The Guidance aims to boost operational resilience and recognise the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which the firms operate.   

Objectives of the Guidance

  • Firms act to the best benefits of consumers
  • Firms are financially sound and safely managed with sufficient financial resources
  • Firms are governed and controlled appropriately, with clear and embedded risk appetites, which drive an effective culture
  • Firms have frameworks set up to ensure the failed or failing providers go through orderly resolutions.

Scope and implementation of the Guidance

This guidance applies to all regulated financial service providers. Firms are expected to be actively and promptly addressing operational resilience vulnerabilities and be in a position to evidence actions/plans to apply the guidance no later than two years of it being published.

Operational Resilience and its Pillars

Operational Resilience is the ability of a firm, and the financial services sector as a whole, to identify, respond to, recover and learn from an operational disruption. The following are its pillars

  1. Critical or Important Business Service is a service provided by a firm to an external end user or market participant where a disruption to the provision of the service could cause material harm to customer and market integrity; jeopardize policyholder protection; or threaten a firm’s viability, safety and soundness, or financial stability.
  2.  Impact tolerance is the maximum level of disruption a critical or important business service can withstand.
  3.  Mapping is the process of identifying, documenting and understanding the series of activities involved in delivering critical or important business services. This involves the identification of all interdependencies and interconnections including people, processes, information, technology, facilities, and third parties service providers.
  4.  Scenario testing is the test of a firm’s ability to remain within its impact tolerance for each of its  critical or important business services in the event of a severe, but tenable disruption of its operations.

 Operational Resilience Vs Operational risk management

Operational resilience focuses on building capabilities to deal with risk events when they materialise while Operational risk management focuses on building defences to prevent risk events from occurring.

What are the core principles of any operational resilience framework?

  • Board and senior management ownership of the Operational Resilience framework;
  • Identification of critical or important business services and all activities, people, processes, information, technologies and third parties involved in providing these services;
  • The setting of impact tolerances for each of these identified services, and the testing of the firm’s ability to stay within those impact tolerances during a severe but plausible downtime scenario; and
  • The Ongoing review of how a firm responded and adapted to disruptive or potentially disruptive events so that lessons learned can be incorporated into operational improvements to continuously increase the operational resilience of the firm.

The Central Bank Guidance is built around three pillars of Operational Resilience

  1. Identify and Prepare;
  2. Respond and Adapt;
  3. Recover and Learn.

1. Identify and Prepare

A. Governance

The Board has ultimate responsibility for the Operational Resilience of a firm. The Operational Resilience Framework should be aligned with a firm’s overall Governance and Risk Management Frameworks.

B. Identification

The Board should review and approve the criteria for critical or important business services and identify its critical or important business service.

C. Impact Tolerances

Impact tolerances should be approved for each critical or important business service and should develop clear impact tolerance metrics.

D. Mapping

A firm should understand and map how its critical or important business services are delivered and capture the third party dependencies in the mapping of critical or important business services.

E. ICT and Cyber Resilience

A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.

F. Scenario Testing

A firm should document and test its ability to remain within impact tolerances through severe but tenable scenarios.

2. Respond & Adapt

A. Business Continuity Management

Business Continuity Management should be totally integrated into the overarching Operational Resilience Framework and linked to the firm’s risk appetite.

B. Incident Management

The Incident Management Strategy should be totally integrated into the overarching Operational Resilience Framework.

C. Communication Plan

Internal and External Crisis Communication plans should be totally integrated into the overarching Operational Resilience Framework.

3. Recover & Learn

A. Lessons learned exercise and continuous improvement

Lessons learned exercise should be conducted after a disruption to a critical or important business service in order to enhance a firm’s capabilities to adapt and respond to future operational events, and should promote an effective culture of learning and continuous improvement as operational resilience evolves. 

Recent Blog’s


Explore more

Risk Management

Key Risk Indicators -A Powerful Tool to Anticipate Your Risk Within the Enterprise

In simple terms, Key Risk Indicator (KRI) is a metric used to measure the level of exposure to risk. These are indicators that denote the …

Hongkong regulation blog| Gieom Operational Resilience
Operational Resilience

Hongkong’s Regulations for Operational Resilience

On 22nd December, 2021 HKMA (Hong Kong Monetary Authority) came up with a Supervisory Policy Manual for Operational Resilience to provide Authorized Institutions (AI) with …

US Regulation Blog-Gieom
Operational Resilience

New Operational Resilience Regulation for Financial Institutions in United States (USA)

The Federal Reserve, the Central Bank of the United States in August 2021 has released a paper intended to help community banks assess threats when …

Operational Resilience

Process Mapping is an important step in building an Operational Resilience Framework

The Covid -19 pandemic has clearly shown two trends within firms: The intensified use of technology and Operations can be managed through digital work force …

Game-based Learning

What is Game-Based Employee Onboarding? Tips and tricks to implement the right gamification strategy

Learning begins with joining. Effective Onboarding contributes to a newbie commencing with confidence, feeling supported, and acclimatizing much sooner. Conversely, employees who spend weeks and …

Digital Transformation

Strategies for Improving Banks’ Operating Efficiency

Banks occupy a place of pride because of its structure of undivided attention and contemporary functions. They have come an extended way from merely performing …

Digital Identity

Get started with Digital Identity Verification

In a growing interconnected digital economy, identity verification of an individual’s real-world identity against their digital one has become ever critical in fraud detection. The …

Operational Resilience

Growing Importance of Operational Resilience in the Digital Era

Operational Resilience assumes that things will go wrong, and it will force organizations to plan on how to recover from the disruption. It is a …

Digital Identity

Why are organizations jumping onto the AI-enabled Identity verification bandwagon?

Who has not experienced being asked to show some kind of government ID, be it to receive your courier, or check into a hotel, or …

Digital Identity

What is Identity Proofing?

As per the Digital Identity Guidelines published by NIST, a US agency, Identity Proofing is verifying the claimed identity of an applicant by authenticating the …

Digital Identity

New Amendment to KYC Regulation by RBI – 10th May, 2021

In Jan 2020, Reserve Bank of India amended the KYC norms allowing banks and other lending institutions to use Video based Customer Identification Process (VCIP) …

Digital Transformation

5 Steps to a Successful Execution of a Digital Transformation Project

Digital Transformation is bringing about a radical shift in the way you run your business, deliver services or manage your customers. The objective of digital …