Ensuring Operational Resilience (OR) in Japan

Initiatives from BCM (Business Continuity Management) to OR.

The collapse of Silicon Valley Bank and First Republic Bank in North America in the spring of 2023, the disappearance of Credit Suisse in Europe, and further financial failures represent a series of major threats to the ability of financial institutions to conduct their operations without interruption. 

The past 25 years have also seen the 9/11 attacks in 2001, the global financial crisis in 2008, the flash crash in 2010, the sovereign debt crisis in 2012, the Bangladesh bank heist in 2016, and the global pandemic in 2020, each of which significantly threatened the viability of financial services. In 2022, regulators around the world began to take steps to instill greater operational resilience to systemic risk throughout the financial services sector.

Regulations vary from region to region, but they all mandate an integrated risk management approach that combines multiple aspects of operational risk into a single framework, identifies critical business services, and identifies how to respond in the face of a system failure with enterprise-wide agreement.

Financial institutions need urgent and significant assistance in transforming their risk capabilities, as many regulators are calling for enhanced processes and systems by 2025. Many financial institutions are realizing that a higher level of collaboration is needed across the enterprise to meet regulatory requirements. Financial institutions need to improve both enterprise-level visibility into risk and compliance activities and enterprise-level crisis response capabilities.

This post discusses the latest Celent research findings on the following trends for the APAC/Japan market. 

• New Regulatory Trends: What operational resilience (OR) is, how it’s perceived, and what its challenges are.
• Responses and Strategies: IT and operations management’s initiatives, key agendas, and priorities. 
• Recommendations: The art of deploying BCM (business continuity management) to OR. 

Key Research Findings: 

1. Operational Resilience (OR)

• Operational resilience (OR) regulations have been issued by financial regulators around the world.
• There is 80–85% overlap in OR regulation worldwide, simplifying compliance for financial institutions across multiple jurisdictions.
• Australia, Hong Kong, Singapore, India, and Japan have all issued new regulations and guidance, but Australian and Hong Kong banks have a wide range of regulations that need to be implemented in a short time frame.
• OR regulations require financial institutions to manage risk in a coordinated manner across the organization.

2. Chief Risk Officer (CRO) Priorities and Readiness

• In a 2023 survey of the priorities of chief risk officers (CROs), OR was the fifth-most-cited priority.
• Three-quarters (74%) of bank CROs are in the process of implementing the changes necessary to comply with OR regulations.

3. Governance, Risk, and Compliance (GRC) Maturity and Transformation

• While most financial institutions were gathering information on an integrated view of governance, risk, and compliance (GRC), none were managing GRC in a coordinated manner at the enterprise-wide level.
• Many financial institutions had adopted a line of business (LOB) or headquarters-led approach in integrated risk management (IRM), but in neither case were they promoting coordinated GRC management across the organization.

4. Trends in the Japanese Market

• Rumors, information leaks, and destruction remain issues for BCP (business continuity plans). The priority of work-from-home (WFH) initiatives and digital support for customers increased both before and after the pandemic. Most institutions had no plans to update their business continuity management, though top-tier institutions had already implemented periodic updates.
• OR initiatives are progressing as a means of upgrading BCM. The main agenda items are consequence-based BCM, improving outsourcing management and interoperability, and system auditing of cloud computing. Integration of risk control divisions is halfway complete; efforts to address classic financial risks and new risks such as rumors, information leaks, and operational risks are mostly overseen by separate divisions, with OR being a particularly strong initiative of LOB, especially around customer relations.
• OR is an opportunity to reconsider IT assets (interconnectedness of systems/ personnel/data centers) through BCM review. Existing BCM (except for the top tier) needs to be re-examined and updated regularly. An effective organizational structure for integrated risk management (IRM) is essential. Upper management’s initiative is essential for coordination between the risk/IT control department and the LOB.

Recommendations:
Considering these trends and initiatives, Celent recommends the following to financial institutions and technology vendors in APAC/Japan. 

• Reselection of critical operations and a comprehensive review of related IT assets (interconnectedness of systems/personnel/data centers). 
• Expansion from BCM to OR: all-hazards BCP, transition to consequence-based BCM, and risk/IT oversight initiatives. 
• Cloud audits and prospective hybrid cloud combinations to optimize cost/risk and resilience.