Principles for Operational Resilience: Chinese translation (bilingual edition)
Preface: More and more people are paying attention to operational resilience. In fact, although the field is still developing rapidly, some consensus has already formed. Since the financial industry is one of the industries most concerned with operational resilience, in recent years the financial regulators of the UK, the US and other countries, as well as the Basel Committee on Banking Supervision, have successively issued or revised formal documents on operational resilience and business continuity management. To let more professionals and enthusiasts learn about progress in operational resilience abroad, and to study and practise its good practices, in mid-2021 I organised a volunteer translation group to translate operational resilience materials. The translation has made some progress, and I will release translated drafts for everyone's use as translation and review proceed. Friends with translation ability and spare time are welcome to apply to join the volunteer translation group (message me through the public account).
Members who took part in translating this document (in no particular order, sorted by pinyin of surname): Fu Sheng (傅盛, Guangzhou CEPREI, sanarcher@qq.com); Zhai Hongbo (翟红波, Beijing, 25354646@qq.com); Zhang Feng (张锋, Beijing, zhangfeng76@wo.cn); Wang Shu (王曙, Xinchang'an Technology, kevinwang@vip.sina.com).
Thanks to the professionals of the volunteer translation group for giving up personal rest time during the pandemic to do this translation work. I was responsible for the final unified review and finalisation of the translation below; any inaccuracy or misunderstanding in it is my fault and not that of the translators. If you have comments or suggestions on the translation, please leave me a message.
Wang Shu (kevinwang), 22 November 2021
This document was published by the Basel Committee on 31 March 2021; the original is at https://www.bis.org/bcbs/publ/d516.pdf. Through it, the Committee seeks to promote a principles-based approach to improving operational resilience. The principles aim to strengthen banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters. The approach builds on the Committee's Revisions to the Principles for the Sound Management of Operational Risk and draws on previously issued principles on corporate governance for banks, as well as guidance on outsourcing, business continuity and related risk management. The translation below reproduces the English text of each paragraph; footnote markers in square brackets refer to the notes at the end.
Ⅰ. Introduction
1. In the years that followed the Great Financial Crisis (GFC) of 2007–09, the Basel Committee's reforms of its prudential framework have enhanced the supervision of the global banking system and resulted in a number of structural changes to strengthen banks' financial resilience. While significantly higher levels of capital and liquidity have improved banks' ability to absorb financial shocks, the Committee believes that further work is necessary to strengthen banks' ability to absorb operational risk-related events, such as pandemics, cyber incidents, technology failures and natural disasters, which could cause significant operational failures or wide-scale disruptions in financial markets. In light of the critical role that banks play in the operation of the global financial infrastructure, increasing their resilience would provide additional safeguards to the financial system.
2. Even prior to the Covid-19 pandemic, the Committee considered that significant operational disruptions would inevitably test improvements to the financial system's resilience made since the GFC. As the Covid-19 pandemic progressed, the Committee observed banks rapidly adapting their operational posture in response to new hazards or changes in existing hazards that occurred in different parts of their organisation. Recognising that a range of potential hazards cannot be prevented, the Committee believes that a pragmatic, flexible approach to operational resilience can enhance the ability of banks to withstand, adapt to and recover from potential hazards and thereby mitigate potentially severe adverse impacts.
3. Through the publication of this document, the Committee seeks to promote a principles-based approach to improving operational resilience. The approach builds on updates to the Committee's Principles for the Sound Management of Operational Risk (PSMOR) [1] and draws from previously issued principles on corporate governance for banks, as well as outsourcing-, business continuity- and relevant risk management-related guidance.
4. Recognising the work undertaken by several jurisdictions and standard-setting bodies (SSBs) to bolster the operational resilience of the financial sector [2], the Committee aims to strengthen operational resilience by furthering international engagement and seeks to promote greater cross-sectoral collaboration over this body of work.
Ⅱ. An evolving operational risk landscape
5. Banks and their customers have benefited from the application of technology to financial services, although the increased use of technology presents new risks. Until recently, some of the most predominant operational risks that banks faced resulted from vulnerabilities related to the rapid adoption of and increased dependency on technology infrastructure for the provision of financial services and intermediation, as well as the sector's growing reliance on technology-based services provided by third parties. The Covid-19 pandemic has exacerbated these operational risks and increased economic and business uncertainty. Technology and relationships with third parties have at the same time supported the continued delivery of products and services to customers and promoted the ability of banks to continue operations during the pandemic.
6. Pandemic-related disruptions have affected information systems, personnel, facilities and relationships with third-party service providers and customers. In addition, cyber threats (ransomware attacks, phishing, etc) have spiked, and the potential for operational risk events caused by people, failed processes and systems has increased as a result of greater reliance on virtual working arrangements. The Committee's guidance on operational resilience will continue to be informed by its monitoring of the impact of the Covid-19 pandemic and any lessons learned.
Ⅲ. Essential elements of operational resilience
7. Operational resilience is an outcome that benefits from the effective management of operational risk [3]. Activities such as risk identification and assessment, risk mitigation (including the implementation of controls) and the monitoring of risks and control effectiveness work together to minimise operational disruptions and their effects. In addition, management's focus on the bank's ability to respond to and recover from disruptions, assuming failures will occur, will support operational resilience. An operationally resilient bank is less prone to incur untimely lapses in its operations and losses from disruptions, thus lessening incident impact on critical operations and related services, functions and systems. While it may not be possible to avoid certain operational risks, such as a pandemic, it is possible to improve the resilience of a bank's operations to such events.
8. In addition, business continuity, outsourcing of services to third parties and the technology upon which banks rely are important factors for banks to consider when strengthening their operational resilience. Previously issued guidance in these areas, whether issued solely by the Committee [4] or jointly with other SSBs [5], does not adequately capture all essential elements when considered on a standalone basis, but does advance operational resilience when considered collectively.
9. It is essential for banks to ensure that existing risk management frameworks, business continuity plans and third-party dependency management are implemented consistently within the organisation. Banks should consider whether their operational resilience approach is appropriately harmonised with the stated actions, organisational mappings, and definitions of critical functions and critical shared services contained in their recovery and resolution plans as specified in the Financial Stability Board's (FSB's) Recovery and Resolution Planning framework, as appropriate [6].
10. The principles for operational resilience set forth in this document are largely derived and adapted from existing guidance that has been issued by the Committee or national supervisors over a number of years. The Committee recognises that many banks have well established risk management processes that are appropriate for their individual risk profile, operational structure, corporate governance and culture, and conform to the specific risk management requirements of their jurisdictions. By building upon existing guidance and current practices, the Committee is issuing a principles-based approach to operational resilience that will help to ensure proportional implementation across banks of various size, complexity and geographical location.
Ⅳ. Definition of operational resilience
11. The Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should assume that disruptions will occur, and take into account its overall risk appetite [7] and tolerance for disruption. In the context of operational resilience, the Committee defines tolerance for disruption as the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios.
12. The term critical operations is based on the Joint Forum's 2006 high-level principles for business continuity. It encompasses critical functions as defined by the FSB [8] and is expanded to include activities, processes, services and their relevant supporting assets [9] the disruption of which would be material to the continued operation of the bank or its role in the financial system. Whether a particular operation is "critical" depends on the nature of the bank and its role in the financial system. Banks' tolerance for disruption should be applied at the critical operations level.
13. The term respective functions used in this document explicitly refers to the appropriate function(s) within the bank's three lines of defence, as described in the PSMOR [10]. These consist of (i) business unit management; (ii) an independent operational risk management function; and (iii) independent assurance. Depending on a bank's nature, such as its size, complexity and risk profile, how these three lines of defence are implemented may vary.
Ⅴ. Operational resilience principles
14. This section presents the Committee's principles for operational resilience, which are organised across the following seven categories: governance; operational risk management; business continuity planning and testing; mapping of interconnections and interdependencies of critical operations; third-party dependency management; incident management; and resilient information and communication technology (ICT), including cyber security. The principles are to be applied on a consolidated basis to banks consistent with the scope of the Basel Framework.
15. These categories are based on the Committee's updated PSMOR, and previously issued principle-based guidance on corporate governance, business continuity, outsourcing and other relevant risk management frameworks. The practices described below, some of which reflect previously issued guidance, should not be viewed in isolation, but rather as integral parts of a bank's forward-looking operational resilience approach in line with its operational risk appetite and tolerance for disruption.
Governance
Principle 1: Banks should utilise their existing governance structure [11] to establish, oversee and implement an effective operational resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimise their impact on delivering critical operations through disruption.
16. The board of directors should review and approve the bank's operational resilience approach considering the bank's risk appetite and tolerance for disruption to its critical operations. In formulating the bank's tolerance for disruption, the board of directors should consider the bank's operational capabilities given a broad range of severe but plausible scenarios that would affect its critical operations. The board of directors should ensure that the bank's policies effectively address instances where the bank's capabilities are insufficient to meet its stated tolerance for disruption.
17. Under the oversight of the board of directors, senior management should implement the bank's operational resilience approach and ensure that financial, technical and other resources are appropriately allocated in order to support the bank's overall operational resilience approach.
18. Senior management should provide timely reports on the ongoing operational resilience of the bank's business units in support of the board's oversight, particularly when significant deficiencies could affect the delivery of the bank's critical operations.
19. The board of directors should take an active role in establishing a broad understanding of the bank's operational resilience approach, through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intragroup entities.
Operational risk management
Principle 2: Banks should leverage their respective functions for the management of operational risk to identify external and internal threats and potential failures in people, processes and systems on an ongoing basis, promptly assess the vulnerabilities of critical operations and manage the resulting risks in accordance with their operational resilience approach.
20. The bank's operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.
21. Banks should have sufficient controls and procedures [12] to identify and assess threats and vulnerabilities, and more generally their operational risk, in a timely manner and, to the extent possible, prevent them from affecting critical operations delivery. The respective functions should regularly assess the effectiveness of the implemented controls and procedures. These assessments should also be conducted in the event of changes to any underlying components of the critical operations, as well as after incidents, in order to take into account lessons learned and the new threats and vulnerabilities that caused the incident.
22. Banks should leverage change management capabilities in accordance with the change management processes [13] under the overall management of operational risk as a way to assess potential effects on the delivery of critical operations and on their interconnections and interdependencies.
Business continuity planning and testing
Principle 3: Banks should have business continuity plans in place and conduct business continuity exercises under a range of severe but plausible scenarios in order to test their ability to deliver critical operations through disruption [14].
23. An effective business continuity plan should be forward-looking when assessing the impact of potential disruptions. Business continuity exercises [15] should be conducted and validated for a range of severe but plausible scenarios that incorporate disruptive events and incidents.
24. An effective business continuity plan should identify critical operations, and key internal and external dependencies, to assess the risks and potential impact of various disruption scenarios on critical operations. These plans should incorporate business impact analyses and recovery strategies as well as testing programmes, training and awareness programmes, and communication and crisis management programmes.
25. Banks should develop, implement and maintain regular business continuity exercises encompassing critical operations and their interconnections and interdependencies, including those through relationships with, but not limited to, third parties and intragroup entities. Among other business continuity goals, business continuity exercises should support staff's operational resilience awareness, including training of staff, so that they can effectively adapt and respond to incidents.
26. Business continuity plans should provide detailed guidance for implementing the bank's disaster recovery framework. These plans should establish the roles and responsibilities for managing operational disruptions and provide clear guidance regarding the succession of authority in the event of a disruption that impacts key personnel. Additionally, these plans should clearly set out the internal decision-making process and define the triggers for invoking the bank's business continuity plan.
27. Banks' business continuity plans for the delivery of critical operations and critical third-party services contained in their recovery and resolution plans should be consistent with their operational resilience approaches.
Mapping interconnections and interdependencies
Principle 4: Once a bank has identified its critical operations, the bank should map the internal and external interconnections and interdependencies that are necessary for the delivery of critical operations consistent with its approach to operational resilience.
28. The respective functions should map (ie identify and document) the people, technology, processes, information, facilities, and the interconnections and interdependencies among them as needed to deliver the bank's critical operations, including those dependent upon, but not limited to, third parties or intragroup arrangements.
29. Banks may leverage their recovery and resolution plans, as appropriate, for definitions of critical operations and should consider whether their operational resilience approaches are appropriately harmonised with the organisational mappings of critical operations and critical third-party services contained in their recovery and resolution plans.
30. The approach and level of granularity of mapping should be sufficient for banks to identify vulnerabilities and to support testing of their ability to deliver critical operations through disruption, as described in Principle 3, considering the bank's risk appetite and tolerance for disruption.
Third-party dependency management
Principle 5: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intragroup entities, for the delivery of critical operations. [16]
31. Banks should perform a risk assessment and due diligence before entering into arrangements, including those of, but not limited to, third parties or intragroup entities, consistent with the bank's operational risk management framework [17], outsourcing/third-party risk management policy and operational resilience approach. Prior to the bank entering into such an arrangement, the bank should verify whether the third party, including, if relevant, the intragroup entity to these arrangements, has at least an equivalent level of operational resilience to safeguard the bank's critical operations in both normal circumstances and in the event of disruption.
32. Banks should develop appropriate business continuity and contingency planning procedures and exit strategies to maintain their operational resilience in the event of a failure or disruption at a third party impacting the provision of critical operations. Scenarios under the bank's business continuity plans should assess the substitutability of third parties that provide services to the bank's critical operations, and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house.
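Principles 3 to 5 together describe one exercise: map each critical operation to the people, technology, processes, information, facilities and third parties it depends on (Principle 4), run severe but plausible scenarios against that map and compare the resulting outage with the tolerance for disruption (Principle 3), and assess whether a failed third party can be substituted (Principle 5). The Python below is an added illustration of how such a map can be held as data and queried; it is not code from the Basel Committee, from the original document or from this translation. The asset names, recovery times, substitutes and tolerances are all constructed, and the outage model (longest recovery time among unsubstitutable failed dependencies) is a deliberate simplification.

```python
"""Added example: a dependency map of critical operations queried against
severe-but-plausible scenarios and a tolerance for disruption.
All names, recovery times and tolerances below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    """A person, technology, process, information, facility or third party that
    critical operations depend on (the 'supporting assets' of paragraph 12)."""
    kind: str
    depends_on: Set[str] = field(default_factory=set)
    recovery_hours: float = 0.0                          # assumed time to restore this asset alone
    substitutes: Set[str] = field(default_factory=set)   # assets that can take over its role


@dataclass
class CriticalOperation:
    depends_on: Set[str]
    tolerance_hours: float   # the bank's tolerance for disruption of this operation


# Constructed map: a payments operation and a deposits/withdrawals operation
ASSETS: Dict[str, Asset] = {
    "dc_primary": Asset("facility", recovery_hours=48, substitutes={"dc_secondary"}),
    "dc_secondary": Asset("facility", recovery_hours=48),
    "db_team": Asset("people", recovery_hours=24),
    "core_banking": Asset("technology", {"dc_primary", "db_team"}, recovery_hours=12),
    "payments_gateway": Asset("third_party", recovery_hours=72),  # no substitute at all
    "payments_process": Asset("process", {"core_banking", "payments_gateway"}, recovery_hours=4),
}

OPERATIONS: Dict[str, CriticalOperation] = {
    "payments": CriticalOperation({"payments_process"}, tolerance_hours=24),
    "deposits_withdrawals": CriticalOperation({"core_banking"}, tolerance_hours=48),
}


def transitive_dependencies(assets: Dict[str, Asset], roots: Set[str]) -> Set[str]:
    """Every asset reachable from the roots through depends_on edges."""
    seen: Set[str] = set()
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(assets[name].depends_on)
    return seen


def single_points_of_failure(assets: Dict[str, Asset],
                             operations: Dict[str, CriticalOperation],
                             op_name: str) -> List[str]:
    """Dependencies of an operation for which no substitute exists."""
    deps = transitive_dependencies(assets, operations[op_name].depends_on)
    return sorted(a for a in deps if not assets[a].substitutes)


def evaluate_scenario(assets: Dict[str, Asset],
                      operations: Dict[str, CriticalOperation],
                      failed: Set[str]) -> Dict[str, dict]:
    """Impact of a scenario in which the given assets are unavailable.

    A failed dependency disrupts an operation unless at least one substitute
    for it is still available; the outage is the longest recovery time among
    the unmitigated failures, compared with the operation's tolerance."""
    report: Dict[str, dict] = {}
    for op_name, op in operations.items():
        deps = transitive_dependencies(assets, op.depends_on)
        unmitigated = sorted(a for a in deps & failed if not (assets[a].substitutes - failed))
        outage = max((assets[a].recovery_hours for a in unmitigated), default=0.0)
        report[op_name] = {
            "impacted_by": unmitigated,
            "outage_hours": outage,
            "within_tolerance": outage <= op.tolerance_hours,
        }
    return report


if __name__ == "__main__":
    for scenario in ({"dc_primary"}, {"payments_gateway"}, {"dc_primary", "dc_secondary"}):
        print(sorted(scenario), evaluate_scenario(ASSETS, OPERATIONS, scenario))
    print("payments single points of failure:",
          single_points_of_failure(ASSETS, OPERATIONS, "payments"))
```

With the constructed data, loss of the primary data centre is absorbed because the secondary one substitutes for it, loss of the unsubstitutable payments gateway breaches the payments tolerance (72 hours against 24) while leaving deposits untouched, and a regional event taking both data centres breaches the payments tolerance but stays within the 48-hour tolerance for deposits. The same query against a real map is what turns paragraph 32's substitutability question into a number that can be compared with the board-approved tolerance.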
Incident management
Principle 6: Banks should develop and implement response and recovery plans to manage incidents [18] that could disrupt the delivery of critical operations in line with the bank's risk appetite and tolerance for disruption. Banks should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.
33. Banks should maintain an inventory of internal and third-party incident response and recovery resources to support the bank's response and recovery capabilities.
34. The scope of incident management should capture the life cycle of an incident [19], typically including, but not limited to:
a) the classification of an incident's severity based on predefined criteria (eg expected time to return to business as usual), enabling proper prioritisation of and assignment of resources to respond to an incident;
b) the incident response and recovery procedures, including their connection to the bank's business continuity, disaster recovery and other associated management plans and procedures;
c) the implementation of communication plans to report incidents to both internal and external stakeholders (eg regulatory authorities), including performance metrics during, and analysis of lessons learned after, an incident.
35. Incident response and recovery procedures should be periodically reviewed, tested and updated. Banks should identify and address the root causes of incidents to prevent or minimise serial recurrence.
36. Lessons learned from previous incidents, including incidents experienced by others, should be duly reflected when updating the incident management programme. A bank's incident management programme should manage all incidents impacting the bank, including those attributable to dependencies on, but not limited to, third parties and intragroup entities.
ICT including cyber security [20]
Principle 7: Banks should ensure resilient ICT, including cyber security, that is subject to protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes, to fully support and facilitate the delivery of the bank's critical operations. [21]
37. Banks should have a documented ICT policy, including cyber security, which stipulates governance and oversight requirements, risk ownership and accountability, ICT security measures (eg access controls, critical information asset protection, identity management), periodic evaluation and monitoring of cyber security controls, and incident response, as well as business continuity and disaster recovery plans.
38. Banks should identify their critical information assets and the infrastructure upon which they depend. Banks should also prioritise their cyber security efforts based on their ICT risk assessment and on the significance of the critical information assets to the bank's critical operations, while observing all pertinent legal and regulatory requirements relating to data protection and confidentiality. Banks should develop plans and implement controls to maintain the integrity of critical information in the event of a cyber event, such as secure storage and offline backup on immutable media of data supporting critical operations. Banks should regularly evaluate the threat profile of their critical information assets, test for vulnerabilities and ensure their resilience to ICT-related risks.
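Paragraph 38 asks for controls that keep critical information intact through a cyber event, naming offline backup on immutable media as one. An offline copy is only useful at recovery time if the bank can tell that the copy it is about to restore is the one it wrote, which is the ransomware case where the intruder has had write access to the online backup store. The Python below is an added illustration of one such control, not code from the Basel Committee, the original document or this translation: a manifest of file hashes authenticated with an HMAC key that is kept with the offline copy rather than on the backup host, and a verification step run before a backup is trusted for recovery. The file contents and the key are constructed; the ransomware simulation simply overwrites one file so that the check has something to catch.

```python
"""Added example: an integrity manifest for a backup of critical information,
authenticated with a key held offline, and the check run before the backup is
trusted for recovery. File contents and key below are constructed."""
import hashlib
import hmac
import json
from typing import Dict

# Constructed backup of data supporting a critical operation (path -> bytes)
BACKUP: Dict[str, bytes] = {
    "ledger/2021-11-22.csv": b"acct,amount\n1001,250.00\n1002,-75.10\n",
    "config/payments_gateway.ini": b"[gateway]\nendpoint=https://example.invalid\n",
}
# Constructed key; in practice it is stored with the offline/immutable copy, never on the backup host
OFFLINE_KEY = b"constructed-manifest-key-do-not-reuse"


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict:
    """SHA-256 of every file plus an HMAC over the whole listing. An intruder who
    can rewrite the backup store cannot rewrite the manifest to match without the key."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_backup(files: Dict[str, bytes], manifest: Dict, key: bytes) -> Dict:
    """Report whether the manifest is authentic and which files are missing or
    altered relative to it. The backup is restorable only when all three are clean."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        # A listing that fails authentication is attacker-controlled; report nothing from it
        return {"manifest_authentic": False, "missing": [], "modified": [], "restorable": False}
    missing = sorted(n for n in manifest["entries"] if n not in files)
    modified = sorted(
        n for n, digest in manifest["entries"].items()
        if n in files and hashlib.sha256(files[n]).hexdigest() != digest
    )
    return {
        "manifest_authentic": True,
        "missing": missing,
        "modified": modified,
        "restorable": not missing and not modified,
    }


def simulate_ransomware(files: Dict[str, bytes], victim: str) -> Dict[str, bytes]:
    """Copy of the backup with one file overwritten; XOR stands in for the
    attacker's encryption. The original dictionary is left untouched."""
    tampered = dict(files)
    tampered[victim] = bytes(b ^ 0x5A for b in files[victim])
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(BACKUP, OFFLINE_KEY)
    print("clean copy:", verify_backup(BACKUP, manifest, OFFLINE_KEY))
    encrypted = simulate_ransomware(BACKUP, "ledger/2021-11-22.csv")
    print("encrypted copy:", verify_backup(encrypted, manifest, OFFLINE_KEY))
    forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
    forged["entries"]["ledger/2021-11-22.csv"] = "0" * 64   # attacker edits the listing
    print("forged manifest:", verify_backup(BACKUP, forged, OFFLINE_KEY))
```

The design point is the separation: hashes alone detect accidental corruption, but only the keyed tag, with the key unreachable from the backup host, detects an intruder who rewrites both the data and its listing. The same check belongs in the business continuity exercises of Principle 3, run against the offline copy at the recovery site rather than only at backup time.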
Notes
[1] Revisions to the Principles for the Sound Management of Operational Risk, March 2021, www.bis.org/bcbs/publ/d515.htm.
[2] Bank of England and Financial Conduct Authority, Building operational resilience in the UK financial sector, December 2019; European Banking Authority, EBA Guidelines on ICT and security risk management, November 2019; European Commission, legislative proposal for an EU regulatory framework on digital operational resilience for the financial sector (DORA), September 2020; Monetary Authority of Singapore, Safeguarding security management and operational resilience of the financial sector, April 2020; International Organization of Securities Commissions (IOSCO), Principles on Outsourcing, May 2020; Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency, Sound Practices to Strengthen Operational Resilience, September 2020.
[3] Basel Committee on Banking Supervision (BCBS), Revisions to the Principles for the Sound Management of Operational Risk, March 2021.
[4] BCBS, Risk management principles for electronic banking, July 2003, www.bis.org/publ/bcbs98.pdf; Corporate governance principles for banks, July 2015, www.bis.org/publ/bcbs.pdf.
[5] Joint Forum (BCBS-IOSCO-IAIS), Outsourcing in financial services, February 2005, www.bis.org/publ/joint12.pdf; High-level principles for business continuity, August 2006, www.bis.org/publ/joint17.pdf.
[6] See FSB, Key Attributes of Effective Resolution Regimes for Financial Institutions, October 2014 (http://www.fsb.org/wp-content/uploads/r_141015.pdf); the supporting guidance Identification of Critical Functions and Critical Shared Services, July 2013 (http://www.fsb.org/wp-content/uploads/r_130716a.pdf); and Guidance on Arrangements to Support Operational Continuity in Resolution, August 2016 (https://www.fsb.org/wp-content/uploads/Guidance-on-Arrangements-to-SupportOperational-Continuity-in-Resolution1.pdf).
[7] Under the FSB's 2015 corporate governance guidance, which uses the FSB's 2013 Principles for an Effective Risk Appetite Framework, "risk appetite" is defined as the aggregate level and types of risk a bank is willing to assume, decided in advance and within its risk capacity, to achieve its strategic objectives and business plan.
[8] FSB, Recovery and Resolution Planning for Systemically Important Financial Institutions: Guidance on Identification of Critical Functions and Critical Shared Services, 2013. According to the FSB, critical functions are defined as "activities performed for third parties where failure would lead to the disruption of services that are vital for the functioning of the real economy and for financial stability due to the banking group's size or market share, external and internal interconnectedness, complexity and cross-border activities. Examples include payments, custody, certain lending and deposit-taking activities in the commercial or retail sector, clearing and settling, limited segments of wholesale markets, market-making in certain securities and highly concentrated specialist lending sectors."
[9] Here, "supporting assets" are defined as the people, technology, information and facilities necessary for the delivery of critical operations.
[10] BCBS, Revisions to the Principles for the Sound Management of Operational Risk, paragraph 6, March 2021.
[11] Consistent with the PSMOR, this document refers to a governance structure composed of a board of directors and senior management. The Committee is aware that there are significant differences in legislative and regulatory frameworks across countries regarding the functions of the board of directors and senior management. In some countries, the board has the main, if not exclusive, function of supervising the executive body (senior management, general management) so as to ensure that the latter fulfils its tasks. For this reason, in some cases, it is known as a supervisory board. This means that the board has no executive functions. In other countries, the board has a broader competence in that it lays down the general framework for the management of the bank. Owing to these differences, the terms "board of directors" and "senior management" are used in this document not to identify legal constructs but rather to label two decision-making functions within a bank.
[12] These controls and procedures should be consistent with, and carried out alongside, the risk identification process described in Principle 6 of the proposed revisions to the PSMOR.
[13] See PSMOR Principle 7.
[14] Further BCBS guidance on business continuity can be found in the Joint Forum (BCBS-IOSCO-IAIS) publication High-level principles for business continuity, August 2006, www.bis.org/publ/joint17.pdf.
[15] Business continuity planning and testing of critical operations should be consistent with, and carried out alongside, the business continuity planning described in Principle 11 of the proposed revisions to the PSMOR.
[16] Further BCBS guidance on outsourcing of services can be found in the Joint Forum (BCBS-IOSCO-IAIS) publication Outsourcing in financial services, February 2005, www.bis.org/publ/joint12.pdf.
[17] The dependency management described in this principle should be consistent with, and carried out alongside, the control and risk mitigation policies described in paragraph 51 of PSMOR Principle 9.
[18] An incident is a current or past disruptive event the occurrence of which would adversely affect the bank's critical operations. Incident management is the process of identifying, analysing, correcting and learning from incidents, and preventing their recurrence or mitigating their severity. The goal of incident management is to reduce disruption and restore critical operations in line with the bank's risk tolerance for disruption. See FSB, Effective Practices for Cyber Incident Response and Recovery, October 2020, https://www.fsb.org/wp-content/uploads/P191020-1.pdf, as an example of detailed response and recovery practices.
[19] Recognising that the life cycle of an incident may span several time scales, from hours to weeks to months.
[20] Cyber security as defined in the FSB Cyber Lexicon, November 2018 (www.fsb.org/wp-content/uploads/P121118-1.pdf).
[21] The ICT management described in this principle should be consistent with, and carried out alongside, the ICT principles described in paragraphs 55-57 of Principle 10 of the proposed revisions to the PSMOR.
Originally published on the WeChat public account "业务连续性+" (Business Continuity+) | original link