Operational Resilience in the United States

SR 20-24

Introduction to SR 20-24

SR 20-24 is supervisory guidance published by the Federal Reserve to improve the operational resilience of large financial institutions. The guidance distills leading practices to help firms prepare for, adapt to, and recover from disruptions caused by cyber incidents, technology outages, natural disasters, or other operational risks, and reinforces the importance of disciplined risk management, governance, and business continuity. This guidance supplements existing regulatory expectations.

Key Requirements of SR 20-24

1. Governance
  • Institutions should set up a structured governance framework for operational resilience, providing board and senior management oversight.
  • The board should set and review, at least annually, the institution’s risk appetite and tolerance for disruption.
  • Senior management should lead the implementation of operational resilience work, provide resourcing, and foster a culture of awareness of operational risk.
2. Operational Risk Management Framework
  • Firms must implement a comprehensive operational risk management framework to identify, assess, mitigate, and report risks.
  • It should be consistent with the broader risk strategies of the institution, and appropriate to its size, complexity, and activities.
  • The framework should be subject to regular review and updates in response to the evolving threat environment.
3. Business Continuity Management (BCM)
  • Robust business continuity plans (BCPs) should be maintained in institutions, to ensure continuity of critical operations in the event of a disruption.
  • Regular scenario analysis and simulation exercises should be carried out to test the effectiveness of resilience arrangements.
  • Cyber-attacks, IT outages, natural catastrophes, and operational incidents are among the risks typically in focus.
4. Third-Party Risk Management
  • Due to the increased reliance on outsourcing, robust third-party risk management should be implemented by institutions.
  • Prior to engaging with vendors, institutions should conduct due diligence and ensure conformity with regulatory and security requirements.
  • Contracts entered into should include service level agreements (SLAs), terms on security and fallback solutions in the event of provider default.
  • Third-party suppliers should be monitored and audited on an ongoing basis for compliance purposes.
5. Scenario Analysis and Resilience Testing
  • Regular resilience testing should be conducted to determine the ability to recover from significant operational disruptions.
  • Common scenarios to test are cyber-attacks, failures of third-party services, data breaches, significant staff disruption & supply chain interruptions.
  • Cross-firm resilience exercises should be used to benchmark against industry peers.
6. Secure & Resilient Information Systems
  • Information systems supporting critical operations need to be secure, resilient, and regularly tested.
  • Strong access controls, encryption, and cyber security methods are encouraged to minimize data exposure.
  • Routine cyber security audits should be undertaken to confirm conformity with industry benchmarks.
7. Surveillance & Reporting
  • Real-time surveillance and reporting should be established in institutions to identify and manage operational risk.
  • Monitoring of cyber threats, incidents, and operational breakdowns should be continuous.
  • Frequent updates to senior management and board members should facilitate timely decision-making.

Who Does It Impact?

SR 20-24 is scalable in nature for financial institutions: it sets resilience expectations commensurate with the size, complexity, and interconnectedness of an institution's operations. Smaller institutions have room for flexibility, but as institutions grow in size or complexity, or become more systemically important, the regulator expects more sophisticated management and governance. The guidance aims to ensure that all relevant financial institutions act to achieve operational resilience.

SR 20-24 applies to:

Systemically Important Financial Institutions (SIFIs)
Banks under Federal Reserve supervision
Bank Holding Companies (BHCs)
Savings and Loan Holding Companies (SLHCs)
Financial Institutions reliant on Critical 3rd Party Service Providers
National and State-Chartered Banks

Why is SR 20-24 Important?

1. Enhances Financial Stability

Preserving the ability of firms to perform critical activities in the face of severe operational disruption contributes to the overall stability of the financial system by minimizing widespread economic disruption.

2. Reduces Systemic Risk

Disruption at a single, major firm may have multiple, cascading consequences throughout the economy. SR 20-24 addresses this risk by increasing the degree of operational resilience.

3. Strengthens Cyber Resilience

In light of evolving cyber threats (e.g. ransomware and data breaches), SR 20-24 promotes the adoption of robust cybersecurity capabilities to safeguard key operations.

4. Improves Risk Management Frameworks

Firms encounter inherent risk both from their internal operations and third-party service providers. SR 20-24 improves the capability to identify, assess, and address such risks in an effective manner.

5. Ensures Regulatory Compliance

Compliance with SR 20-24 allows financial institutions to meet Federal Reserve expectations and industry standards, thus avoiding regulatory fines and enhancing operational performance.

8 Key Points of SR 20-24

1. Governance

Board Oversight: Boards must define resilience strategies and risk appetite.

Senior Management Responsibility: Executives must integrate resilience within operational plans.

Decision-Making Frameworks: Governance structures should align with risk tolerance.

2. Operational Risk Management Framework

Operational Risk Taxonomy: Define categories such as cyber threats, IT failures, and third-party dependencies.

Integration with Existing Frameworks: Align SR 20-24 requirements with ISO 22301 (Business Continuity) and the NIST Cybersecurity Framework.

Scenario-Based Testing: Implement real-world stress testing to assess resilience to systemic shocks and cyber incidents.

RegTech Solutions: Utilize AI-driven compliance tools to automate risk assessments and reporting mechanisms.


3. Business Continuity Management (BCM)

Business Impact Analysis: Identify critical business functions and their dependencies.

Resilience Playbooks: Create predefined action plans for various disruption scenarios.

Alternative Work Arrangements: Establish remote work and off-site operational contingencies.

Periodic Drills: Conduct industry-wide and internal crisis simulations.

4. Third-Party Risk Management

Vendor Due Diligence: Assess financial and operational resilience of third-party providers.

Contractual Safeguards: Define service level agreements (SLAs) with clear continuity expectations.

Ongoing Monitoring: Establish key performance indicators (KPIs) for third-party resilience.

Exit Strategies: Develop contingency plans for vendor failure or service disruptions.

5. Scenario Analysis & Resilience Testing

Severe but Plausible Scenarios: Simulate financial, operational, and cyber crises.

Cross-Departmental Participation: Involve IT, operations, legal, and risk teams in testing exercises.

Lessons Learned Implementation: Apply insights from testing to enhance resilience strategies.

Annual Review Cycles: Update stress-testing methodologies to reflect evolving threats.

6. Secure & Resilient Information Systems

Zero Trust Architecture: Implement strict access controls to minimize exposure.

Incident Detection & Response: Establish automated monitoring for early risk identification.

Data Encryption & Backup: Ensure critical data is securely stored and recoverable.

Emerging Threat Mitigation: Stay ahead of cybersecurity risks through continuous updates.

7. Surveillance & Reporting

Operational Risk Dashboards: Implement centralized risk tracking and analytics.

Incident Escalation Protocols: Ensure timely reporting to leadership and regulators.

Industry Benchmarking: Compare resilience metrics against sector peers.

Regulatory Reporting Compliance: Align with Federal Reserve expectations for incident disclosures.

8. Regulatory Compliance & Adaptation

Compliance Audits: Conduct regular internal reviews to ensure adherence.

Policy Evolution: Adapt resilience policies to accommodate new risks.

Training & Awareness: Ensure employees understand regulatory expectations.

Engagement with Regulators: Maintain open dialogue with supervisory authorities.

Frequently Asked Questions

No, the Digital Operational Resilience Act (DORA) is a regulatory framework established by the European Union aimed at enhancing the digital resilience of financial institutions and third-party providers across Europe. DORA is specifically designed for the EU financial sector and does not apply directly to the United States. However, US-based financial institutions operating in Europe may need to comply if they provide services to EU-based entities. For US-specific regulations on operational resilience, the SR 20-24 guidance by the Federal Reserve and the Office of the Comptroller of the Currency’s (OCC) operational resilience framework are more relevant.

The US Resiliency Council (USRC) Rating System evaluates buildings based on three key categories:

Safety – Measures the potential risk to human life during and after a disruptive event like an earthquake or natural disaster.

Damage – Assesses the level of structural and non-structural damage expected in a building, influencing repair costs and downtime.

Recovery – Evaluates the time required for a building to be restored to operational use after an event.

These categories help stakeholders understand the resilience and readiness of critical infrastructures.

SR 20-24 is supervisory guidance issued by the Federal Reserve Board (FRB) that outlines the expectations for operational resilience in large financial institutions. This guidance emphasizes the need for firms to identify and mitigate risks that could disrupt critical operations. It focuses on:

Business Continuity Planning

Third-Party Risk Management

Cybersecurity Measures

Incident Response and Recovery

SR 20-24 aims to bolster the financial sector’s ability to remain resilient in the face of adverse events and is part of the broader strategy to strengthen systemic stability.

The SR 20-24 guidance primarily applies to:

US-based large financial institutions

Bank Holding Companies (BHCs)

Foreign Banking Organizations (FBOs) operating in the US

Designated Financial Market Utilities (DFMUs)

The scope includes organizations that are systemically important to the financial stability of the US, with a strong emphasis on critical operations, third-party providers, and the infrastructure that supports key business functions.

At T3 Consultants, we specialize in helping financial institutions navigate complex regulatory requirements, including SR 20-24. Our expertise includes:

Conducting Operational Resilience Assessments to identify vulnerabilities.

Developing Business Continuity Plans (BCP) and Disaster Recovery Strategies.

Ensuring alignment with Federal Reserve guidelines and global best practices.

Facilitating gap analysis and compliance roadmaps for seamless integration of SR 20-24 standards.

We bring a proactive approach to resilience, ensuring that your institution not only complies with SR 20-24 but also strengthens its ability to withstand disruptions with confidence.
