Operational Resilience in the United States
SR 20-24
Introduction to SR 20-24
SR 20-24 is supervisory guidance published by the Federal Reserve to improve the operational resilience of large financial institutions. The guidance distills leading practices to help firms prepare for, adapt to, and recover from disruptions resulting from cyber incidents, technology outages, natural disasters, or other operational risks, and reinforces the importance of disciplined risk management, governance, and business continuity planning. This guidance supplements existing regulatory expectations.
Key Requirements of SR 20-24
1. Governance
- Institutions should set up a structured governance framework for operational resilience, providing board and senior management oversight.
- The board should set and review, at least annually, the institution’s risk appetite and tolerance for disruption.
- Senior management should lead the implementation of operational resilience work, provide resourcing, and foster a culture of awareness of operational risk.
2. Operational Risk Management Framework
- Firms must implement a comprehensive operational risk management framework to identify, assess, mitigate, and report risks.
- It should be consistent with the broader risk strategies of the institution, and appropriate to its size, complexity, and activities.
- The framework should be subject to regular review and updates in response to the evolving threat environment.
3. Business Continuity Management (BCM)
- Institutions should maintain robust business continuity plans (BCPs) to ensure continuity of critical operations in the event of a disruption.
- Regular scenario analysis and simulation exercises should be carried out to test the effectiveness of resilience arrangements.
- Cyber-attacks, IT outages, natural catastrophes, and operational incidents are among the risks most frequently in focus.
4. Third-Party Risk Management
- Given the increased reliance on outsourcing, institutions should implement robust third-party risk management.
- Prior to engaging vendors, institutions should conduct due diligence and ensure conformity with regulatory and security requirements.
- Contracts should include service level agreements (SLAs), security terms, and fallback arrangements in the event of provider failure.
- Third-party suppliers should be monitored and audited on an ongoing basis for compliance purposes.
5. Scenario Analysis and Resilience Testing
- Regular resilience testing should be conducted to determine the ability to recover from significant operational disruptions.
- Common scenarios to test are cyber-attacks, failures of third-party services, data breaches, significant staff disruption, and supply chain interruptions.
- Cross-firm resilience exercises should be used to benchmark against industry peers.
6. Secure & Resilient Information Systems
- Information systems supporting critical operations need to be secure, resilient, and regularly tested.
- Strong access controls, encryption, and other cybersecurity measures are encouraged to minimize data exposure.
- Routine cybersecurity audits should be undertaken to confirm conformity with industry benchmarks.
7. Surveillance & Reporting
- Institutions should establish real-time surveillance and reporting to identify and manage operational risk.
- Monitoring of cyber threats, incidents, and operational breakdowns should be continuous.
- Frequent updates to senior management and board members should facilitate timely decision-making.
Who Does It Impact?
SR 20-24 is scalable: the resilience expectations it sets are commensurate with the size, complexity, and interconnectedness of an institution's operations. Smaller institutions have room for flexibility, but as institutions grow in size or complexity, or become more systemically important, the regulator expects more sophisticated management and governance. The guidance aims to ensure that all relevant financial institutions act to achieve operational resilience.
SR 20-24 applies to:
- Systemically Important Financial Institutions (SIFIs)
- Banks under Federal Reserve supervision
- Bank Holding Companies (BHCs)
- Savings and Loan Holding Companies (SLHCs)
- Financial institutions reliant on critical third-party service providers
- National and state-chartered banks
Why is SR 20-24 Important?
1. Enhances Financial Stability
Preserving the ability of firms to perform critical activities in the face of severe operational disruption contributes to the overall stability of the financial system by minimizing widespread economic disruption.
2. Reduces Systemic Risk
Disruption at a single, major firm may have multiple, cascading consequences throughout the economy. SR 20-24 addresses this risk by increasing the degree of operational resilience.
3. Strengthens Cyber Resilience
In light of evolving cyber threats (e.g. ransomware and data breaches), SR 20-24 promotes the adoption of robust cybersecurity capabilities to safeguard key operations.
4. Improves Risk Management Frameworks
Firms encounter inherent risk both from their internal operations and third-party service providers. SR 20-24 improves the capability to identify, assess, and address such risks in an effective manner.
5. Ensures Regulatory Compliance
Compliance with SR 20-24 allows financial institutions to meet Federal Reserve expectations and industry standards, thus avoiding regulatory fines and enhancing operational performance.
8 Key Points of SR 20-24
1. Governance
- Board Oversight: Boards must define resilience strategies and risk appetite.
- Senior Management Responsibility: Executives must integrate resilience within operational plans.
- Decision-Making Frameworks: Governance structures should align with risk tolerance.
2. Operational Risk Management Framework
- Operational Risk Taxonomy: Define categories such as cyber threats, IT failures, and third-party dependencies.
- Integration with Existing Frameworks: Align SR 20-24 requirements with ISO 22301 (Business Continuity) and the NIST Cybersecurity Framework.
- Scenario-Based Testing: Implement real-world stress testing to assess resilience to systemic shocks and cyber incidents.
- RegTech Solutions: Utilize AI-driven compliance tools to automate risk assessments and reporting mechanisms.
3. Business Continuity Management (BCM)
- Business Impact Analysis: Identify critical business functions and their dependencies.
- Resilience Playbooks: Create predefined action plans for various disruption scenarios.
- Alternative Work Arrangements: Establish remote work and off-site operational contingencies.
- Periodic Drills: Conduct industry-wide and internal crisis simulations.
4. Third-Party Risk Management
- Vendor Due Diligence: Assess the financial and operational resilience of third-party providers.
- Contractual Safeguards: Define service level agreements (SLAs) with clear continuity expectations.
- Ongoing Monitoring: Establish key performance indicators (KPIs) for third-party resilience.
- Exit Strategies: Develop contingency plans for vendor failure or service disruptions.
5. Scenario Analysis & Resilience Testing
- Severe but Plausible Scenarios: Simulate financial, operational, and cyber crises.
- Cross-Departmental Participation: Involve IT, operations, legal, and risk teams in testing exercises.
- Lessons Learned Implementation: Apply insights from testing to enhance resilience strategies.
- Annual Review Cycles: Update stress-testing methodologies to reflect evolving threats.
6. Secure & Resilient Information Systems
- Zero Trust Architecture: Implement strict access controls to minimize exposure.
- Incident Detection & Response: Establish automated monitoring for early risk identification.
- Data Encryption & Backup: Ensure critical data is securely stored and recoverable.
- Emerging Threat Mitigation: Stay ahead of cybersecurity risks through continuous updates.
7. Surveillance & Reporting
- Operational Risk Dashboards: Implement centralized risk tracking and analytics.
- Incident Escalation Protocols: Ensure timely reporting to leadership and regulators.
- Industry Benchmarking: Compare resilience metrics against sector peers.
- Regulatory Reporting Compliance: Align with Federal Reserve expectations for incident disclosures.
8. Regulatory Compliance & Adaptation
- Compliance Audits: Conduct regular internal reviews to ensure adherence.
- Policy Evolution: Adapt resilience policies to accommodate new risks.
- Training & Awareness: Ensure employees understand regulatory expectations.
- Engagement with Regulators: Maintain open dialogue with supervisory authorities.