Regulators worldwide have been busy pumping out operational resilience regulations, particularly for the financial services industry. The three main regulations – DORA, APRA, PRA/FCA – have multiple phases with different effective dates. Here’s a rundown of 2025 deadlines to help you prepare now to avoid an inadvertent and costly compliance misstep later.
U.K. – The Bank of England, Financial Conduct Authority (FCA), and Prudential Regulation Authority (PRA)
Deadline: March 31, 2025
The Bank of England requirements made waves in 2021 as the first major piece of legislation specific to operational resilience to take effect. The initial deadline for U.K. financial institutions went into effect in March 2022 and required a self-assessment of the institution’s current program, including important business services, plausible scenarios, and impact tolerances. The next compliance deadline is March 31, 2025. By this date, regulated organizations are expected to have performed mapping and testing to ensure they remain within their reported impact tolerances for each important business service. They will also need to show they’ve made the necessary investments to support consistent operations within those impact tolerances.
What to do now:
- Refine your list of important business services with business and board input until you’ve reached consensus.
- Demonstrate you understand how services are delivered, at what point intolerable harm is reached and, most importantly, whether you can remain within your stated impact tolerance.
- Build a case through exercises to validate your confidence in your set impact tolerances and your ability to remain within those tolerances.
- Mature your analysis for a deeper understanding of the single points of failure and vulnerabilities that could make it difficult to remain within your set impact tolerances.
European Union – Digital Operational Resilience Act (DORA)
Deadline: January 17, 2025
The EU’s Digital Operational Resilience Act went into effect in January 2023. The Act is designed to ensure the financial sector can remain resilient when faced with severe operational disruption or ICT-related incidents. It covers five core areas: governance, third-party risk mitigation, incident reporting, resilience testing, and information sharing. The guidelines promote a broader, strategic perspective for organizations to standardize and evolve existing practices. While DORA’s focus is digital and cyber resilience, there are numerous integration points with other risk disciplines, such as crisis management, operational risk, business continuity, and operational resilience. The deadline for compliance with DORA is January 17, 2025. You must meet requirements for six high-level areas, including:
- Information and Communication Technology (ICT) risk management
- Reporting of major ICT-related incidents and voluntarily notifying authorities about significant cyber threats
- Reporting of major operational or security payment-related incidents by financial entities to the authorities
- Digital operational resilience testing
- Information and intelligence sharing in relation to cyberthreats and vulnerabilities
- Measures for the sound management of ICT third-party risk by financial entities
What to do now:
- Assess which elements of DORA already exist in your organization, actively work to assess any gaps, and have an action plan for adding or modifying controls.
- Develop a solid understanding of your business continuity, information security, IT disaster recovery, crisis management, crisis communications, regulatory reporting, and third-party risk management programs and their associated controls. This information will also help you create a holistic resilience program.
Australia – APRA CPS 230
Deadline: July 1, 2025
Australia’s Prudential Regulation Authority’s CPS 230 aims to strengthen the way operational risk is managed by Australian financial services organizations and Australian branch operations of foreign banks and insurers. APRA CPS 230, however, goes beyond any other operational resilience regulation by addressing operational risk, business continuity, and third-party risk management. Those with operations in Australia will want to bring together business continuity, risk, and compliance professionals when developing a plan of action. Banks, insurers, and superannuation trustees have until July 1, 2025, to comply with the new system standards, including:
- Managing operational risks to set and maintain appropriate standards
- Maintaining critical operations within tolerance levels through severe disruption
- Managing risks associated with the use of service providers
- Identifying, assessing, and managing risks that may result from inadequate or failed internal processes or systems
- Preventing disruption to critical operations and adapting processes and systems to operate within tolerance levels
- Not relying on a service provider unless the entity can ensure that it will continue to meet its prudential obligations in full
What to do now:
- Establish and endorse critical business processes that can be refined over time. Identify impact tolerance levels for these processes to ensure that resilience planners understand the timeframes required for recovery and when intolerable harm would be reached.
- Take stock of existing programs and practices aligned to operational risk management, business continuity, and third-party risk management to see what controls are already in place and which require implementation.
- Develop a plan to address some of the more challenging requirements, such as identifying concentration risk.
If your organization is impacted by any of these regulations, 2025 will be here before you know it, so start planning now. While financial services organizations have been the target of most operational resilience regulation to date, other industries could soon be included. Either way, the principles outlined in these requirements are good practice for building operational resilience in any organization.
For complete information on operational resilience legislation, download our white paper, Operational Resilience: Navigating the Global Regulatory Landscape, and check out Riskonnect’s Business Continuity & Resilience software solution.