In 2023, when the financial crisis hit global banks, Indian banks performed better than their international counterparts across various metrics and showed notable resilience.
As per a Boston Consulting Group (BCG) study in collaboration with FICCI and the Indian Banks’ Association, Indian banks proved resilient amid global inflation and market downturns, showing profits, more robust credit growth and financial strength.
But does this fact paint the whole picture of operational resilience in Indian banks?
According to the FIBAC’23 survey, a joint venture of FICCI & the Indian Banks’ Association (IBA), only 10% of Indian banks implement an integrated risk management strategy. The question is, how do Indian banks fare compared to global standards regarding operational resilience? This is one focal point to explore in this article.
A Global Outlook on Operational Resilience in Banks
Across the world, operational resilience has moved beyond mere buzzword status. Today, it is a primary focus for financial institutions and regulatory authorities as new regulations are set to take effect within months. Globally, banks are looking at regulatory guidelines as an imperative to ensure they implement robust measures to respond to operational disruptions effectively.
The regulations that are taking effect now for banks in different parts of the world have been in development for many years. Efforts from regulatory authorities worldwide, such as the Australian Prudential Regulation Authority, the European Commission, the Financial Conduct Authority, the Hong Kong Monetary Authority, the Monetary Authority of Singapore, and others, began well before the pandemic.
In the United Kingdom, the Bank of England (BoE), Financial Conduct Authority (FCA), and Prudential Regulation Authority (PRA) finalized operational resilience policies in 2021. These policies mandate organizations to identify critical business services, set impact tolerances and conduct robust mapping and testing by March 31, 2025.
The European Union’s Digital Operational Resilience Act (DORA), effective January 17, 2025, requires all EU financial services firms to bolster cyber threat prevention, ICT risk management, incident response, third-party oversight, and information sharing.
In the United States, financial regulators emphasize operational resilience through guidelines on risk management, business continuity and information security. The Commodity Futures Trading Commission (CFTC) mandates operational resilience frameworks for key financial entities.
Across the Asia Pacific, regulatory bodies like Australia’s APRA, Hong Kong’s HKMA, and Singapore’s MAS have updated standards and guidelines to fortify operational resilience and business continuity planning, aligning with international best practices. These efforts collectively aim to enhance the strength of financial institutions worldwide against diverse operational risks.
Status of Indian Banks on Operational Resilience
In April this year, the Reserve Bank of India (RBI) issued an updated directive to all regulated entities (REs) to bolster their operational resilience. In the guidance note, RBI emphasized that all REs must implement solid information and communication technology (ICT) risk management programs that are aligned with their operational risk frameworks.
Earlier, the RBI’s operational risk management guidelines were limited to commercial banks. However, the recent directive expands this scope to include all regulated entities (REs), covering non-bank entities and all-India financial institutions.
According to RBI, REs must effectively manage their dependencies on various relationships, including third parties (intra-group entities), which are necessary to deliver essential operations.
Most industry experts feel that this operational risk (OR) guidance, which aligns with the Basel Committee on Banking Supervision (BCBS) principles issued in March 2021 (integrating operational resilience principles and international best practices), is timely for regulated entities (REs) in India.
The revised guidance is comprehensive and aims to strengthen REs against current and emerging operational risks. Here are some of its highlights:
- It extends the scope to cover all REs, including cooperative banks and all-India financial institutions, with a new emphasis on operational resilience.
- It introduces the ‘Three lines of defence’ model, enhancing risk control with business units as the first line, organizational OR management (including compliance) as the second, and audit functions as the third.
- It adapts the OR organizational structure to accommodate diverse RE sizes and functional complexities.
- It mandates an updated change management system to enhance transitional capabilities in dynamic business environments.
- It calls for mapping internal and external connections, incident management, ICT, and disclosure practices.
- It strengthens governance around third-party relationships beyond traditional outsourcing.
- It implements principles for continuous improvement through feedback and lessons learned from operations.
What It Means for Indian Banks
The revised guidelines shift the focus for banks from solely managing operational risk to emphasizing operational resilience. This change introduces a more holistic approach that treats operational resilience as the outcome of better operational risk management practices.
Here are some critical areas that Indian banks need to focus on, given the revised guidelines:
- Strong risk identification, assessment, mitigation and monitoring are essential for operational resilience.
- Disruptions are inevitable, but REs need plans to respond and recover quickly.
- REs should withstand, absorb, adapt and recover from disruptions with minimal impact on critical operations.
- Management’s focus on response and recovery will remain crucial for building resilience.
- A resilient RE suffers fewer operational disruptions and losses, protecting critical services and functions.
Key Takeaways
While the new RBI guidelines have spotlighted the importance of building resilience in banks and REs, there is still substantial room for improvement. The relatively low implementation of integrated risk management strategies shows there is more work to be done.
By enhancing their focus on operational resilience, Indian banks can better prepare for future uncertainties and align more closely with global standards.