Joint Agency Paper Offers ‘Sound Practices’ for Operational Resilience

The Federal Reserve, the OCC and the FDIC late Friday released an interagency paper outlining sound practices for strengthening operational resilience. The paper—which does not revise any existing rules or guidance—is focused primarily on large, domestic institutions with more than $250 billion in total consolidated assets, or banks with more than $100 billion in total assets and other risk characteristics.

The sound practices outlined in the paper provide a “comprehensive approach that firms may use to strengthen and maintain their operational resilience,” the agencies said. “In this approach, effective governance grounds the sound practices. Robust operational risk and business continuity management anchor the sound practices, which are informed by rigorous scenario analyses and consider third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough surveillance and reporting.”

The paper also includes an appendix on sound practices for cyber risk management, which lists several standardized tools that firms may opt to use to manage risk and measure cyber preparedness. These tools include, among others, the Financial Services Sector Coordinating Council Cybersecurity Profile, which ABA helped develop. The appendix further outlines “a collection of sound practices for cyber risk management, aligned to [the]NIST [cyber security framework]and augmented to emphasize governance and third-party risk management,” mirroring the structure of the FSSCC Cyber Profile.