FINMA’s update of the Operational Risk Circular

15/06/22

With the full revision of the ‘Operational Risk – Banks’ circular 2008/21, FINMA refines its supervisory practice regarding the management of operational risks. The areas of information and communication technology (ICT), dealing with critical data, and cyber risks are materially changed. The circular, which still awaits approval, will for the first time also cover requirements on operational resilience.

What are the key changes?

  • Incorporation of operational resilience, building on previous regulatory standards for business continuity management (BCM).1
  • Alignment with other regulatory provisions2 in the area of digitalisation and ICT, cyber risks and dealing with critical data.
  • Refinement but no significant changes to existing provisions on the management of operational risks.

What are the new principles?

The new circular contains eight principles. Seven of them evolve directly from the previous principles and/or from other sources of regulatory requirements already in effect. One of the eight principles, operational resilience, is new.

The following four principles are expected to affect financial institutions the most:

Principle 2: Management of ICT risks

Principle 2 is linked to the former principle on IT infrastructure. It specifies the regulatory requirements described in the BCBS revisions to the ‘Principles for the Sound Management of Operational Risk’.

Principle 3: Management of cyber risks

The provisions on the management of cyber risks are extended within Principle 3: the new circular will require a scenario analysis of cyber risks and introduces further testing requirements.

Principle 4: Management of critical data risks

Principle 4 expands the qualitative requirements described in the BCBS papers and now covers any type of data deemed critical with respect to confidentiality, integrity and availability.

Principle 7: Operational resilience

Principle 7 is new to the circular. It is based on the ‘Principles for Operational Resilience’ issued by the BCBS and aligns with international standards.

Conclusion

Use the time now to prepare and to secure the budgets that the significant changes, especially in the areas of ICT and operational resilience, will require.

If you are interested in an exchange on how we can support you in becoming compliant with the new circular, talk to us to get the conversation going.


References:

1 ‘Recommendations for Business Continuity Management’ by the Swiss Bankers Association.
2 ‘Principles for Operational Resilience’ (POR) and the revised ‘Principles for the Sound Management of Operational Risk’ (PSMOR) by the Basel Committee on Banking Supervision (BCBS).

How are the board of directors, the executive committee and risk control affected by the circular’s update?

Find out more in our flyer

Contact us

Salome Forrer

Manager, Financial Services Risk Consulting, PwC Switzerland

Tel: +41 58 792 28 72

Vinay Kalia

Senior Manager, Financial Services Risk Consulting, PwC Switzerland

Tel: +41 58 792 44 10