Supervisory Policy and Guidance Topics
Operational resilience has always been important to the safety and soundness of financial firms and the stability of the financial system. The ability of a bank to recover from an operational disruption—such as a cybersecurity incident or a natural disaster—has become even more important with the growing trend toward technology-led business transformation.
Banks have made progress in enhancing operational resilience in recent years, including through their response to the challenges posed by the COVID-19 pandemic. In addition, the Federal Reserve is encouraged by recognition of the shared interest between supervisors and the industry in strengthening operational resilience, and the actions firms have taken to date. However, more work remains to be done to ensure that banks are resilient to potential operational disruptions from all hazards, including severe but plausible cybersecurity incidents, which could pose risks to the wider financial system.
The Federal Reserve recognizes the global and interconnected nature of banks and the importance of supervisory coordination and is committed to working closely with international authorities to ensure that supervisory approaches on operational resilience are well coordinated.
In recent years, financial institutions have experienced significant challenges from a wide range of disruptive events, including technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters. While advances in technology have improved firms' ability to identify and recover from various types of disruptions, increasingly sophisticated cyber threats and growing reliance on third parties continue to expose firms to a range of operational risks. These operational risks underscore how important it is for firms of all sizes to strengthen their operational resilience.
Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
While potential hazards may not be prevented, a flexible operational resilience approach can enhance the ability of firms to prepare, adapt, withstand, and recover from disruptions and to continue operations.
Contact Information in Relation to Computer-Security Incident Notification Requirements
Interagency Paper on Sound Practices to Strengthen Operational Resilience
12 CFR Appendix D to Part 30 - OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (PDF)
12 CFR 208, Appendix D-1 Interagency Guidelines Establishing Standards for Safety and Soundness (PDF)
12 CFR 3.101 and 217.101 (Regulation Q) Definitions (PDF)
12 CFR part 243 (Regulation QQ) Resolution Plans (PDF)
12 U.S.C. 1867(c)(2) Regulation and examination of bank service companies (PDF)