Operational Resilience in the United States

SR 20-24

Introduction to SR 20-24

SR 20-24 is the Federal Reserve supervisory letter that transmits the interagency paper "Sound Practices to Strengthen Operational Resilience", issued on October 30, 2020 by the Federal Reserve together with the OCC and the FDIC. The paper is addressed to the largest and most complex U.S. banking organizations and describes how they can prepare for, withstand, and recover from disruptions caused by cyber threats, technology failures, natural disasters, and other operational risks. It does not create new requirements; instead it consolidates practices drawn from existing regulations and guidance around a structured approach to governance, operational risk management, business continuity, third-party risk, scenario analysis, information system management, and surveillance and reporting. Two ideas run through all of it: the firm should identify its critical operations and core business lines, and it should set a tolerance for disruption of those operations that its plans and tests are measured against.

Key Sound Practices in SR 20-24

1. Governance
  • The board and senior management oversee operational resilience, starting with identifying the firm's critical operations and core business lines.
  • The board sets, and periodically reviews, the firm's risk appetite and its tolerance for disruption of critical operations.
  • Senior management implements the resilience program, allocates resources, and promotes a risk-aware culture.
2. Operational Risk Management
  • Maintain an operational risk management framework that identifies, assesses, mitigates, monitors, and reports risks to critical operations, including disruption from cyber events, technology failures, third parties, and operational errors.
  • Align the framework with the firm's broader risk strategy and tailor it to the firm's size, complexity, and activities.
  • Review and update it regularly so it reflects changes in the business and the threat environment.
3. Business Continuity Management (BCM)
  • Keep business continuity plans (BCPs) that allow critical operations to continue, or be restored within the firm's tolerance for disruption, when a disruption occurs.
  • Map the people, systems, data, facilities, and third parties each critical operation depends on, so the plans cover the real dependencies rather than an org chart.
  • Test the plans through scenario analysis and simulation exercises, and revise them when tests expose gaps.
  • Risks the plans should address include cyberattacks, IT failures, natural disasters, and operational errors.
4. Third-Party Risk Management
  • Manage the risk from third parties that support critical operations, given the increasing reliance on outsourcing.
  • Conduct due diligence before engaging a vendor, covering security, resilience, and compliance with applicable regulatory and security standards.
  • Contract for service level agreements (SLAs), security obligations, and contingency arrangements in case of provider failure.
  • Monitor and audit providers on an ongoing basis for the life of the relationship.
5. Scenario Analysis and Resilience Testing
  • Run scenario analysis to test whether the firm can keep or restore critical operations within its tolerance for disruption under severe but plausible events.
  • Scenarios should include cyberattacks, third-party service failures, data breaches, and supply chain disruptions.
  • Take part in industry-wide resilience exercises to benchmark preparedness against peers.
6. Secure and Resilient Information System Management
  • Information systems supporting critical operations should be secure, resilient, and regularly tested, with known vulnerabilities identified and remediated.
  • Apply access controls, encryption, and backup and recovery capabilities that preserve the confidentiality, integrity, and availability of critical data.
  • Perform regular cybersecurity assessments and audits against recognized industry standards.
7. Surveillance and Reporting
  • Monitor the firm's environment, including cyber threats, anomalies, and operational disruptions, so that risks to critical operations are detected and escalated promptly.
  • Report to senior management and the board in time for decisions to be made before the tolerance for disruption is breached.
  • Report to supervisors as required by existing regulation.

WHO DOES IT IMPACT?

SR 20-24 is not a scaled, all-institution framework. The sound practices are addressed to domestic banking organizations with average total consolidated assets of $250 billion or more, or of $100 billion or more combined with $75 billion or more in cross-jurisdictional activity, weighted short-term wholesale funding, nonbank assets, or off-balance-sheet exposure. Within that population the practices are meant to be applied in a manner proportionate to the firm's size, complexity, and risk profile, and they focus on the firm's critical operations and core business lines rather than on every activity. Smaller institutions are not the intended audience, although nothing prevents them from drawing on the paper.

SR 20-24 applies to:

Bank Holding Companies (BHCs) above the thresholds
Savings and Loan Holding Companies (SLHCs) above the thresholds
Depository institutions supervised by the issuing agencies (for the Federal Reserve, state member banks) above the thresholds
The critical operations and core business lines of those firms, including the third-party service providers that support them

Why is SR 20-24 Important?

1. Enhances Financial Stability

Ensuring firms can continue operations despite major disruptions helps maintain the overall stability of the financial system and prevents widespread economic impact.

2. Reduces Systemic Risk

Operational failures at large institutions can have ripple effects across the economy. SR 20-24 mitigates these risks by strengthening resilience measures.

3. Strengthens Cyber Resilience

With increasing cyber threats such as ransomware and data breaches, SR 20-24 sets the expectation that firms implement strong cybersecurity measures to protect the systems and data behind critical operations.

4. Improves Risk Management Frameworks

Institutions face complex risks from internal operations and third-party service providers. SR 20-24 enhances their ability to identify, assess, and mitigate these risks effectively.

5. Ensures Regulatory Compliance

Adhering to SR 20-24 helps financial institutions align with the expectations of the Federal Reserve, OCC, and FDIC and with industry best practices. Because the paper consolidates existing regulations and guidance, following it also reduces the likelihood of supervisory findings under those underlying rules.

8 Key points of SR 20-24

1

Governance

Board Oversight: Boards must define resilience strategies and risk appetite.

Senior Management Responsibility: Executives must integrate resilience within operational plans.

Decision-Making Frameworks: Governance structures should align with risk tolerance.

2

Operational Risk Management Framework

Operational Risk Taxonomy: Define categories such as cyber threats, IT failures, and third-party dependencies.

Integration with Existing Frameworks: Align SR 20-24 requirements with ISO 22301 (Business Continuity) and NIST (Cybersecurity Framework).

Scenario-Based Testing: Implement real-world stress testing to assess resilience to systemic shocks and cyber incidents.

Tooling: Risk-assessment and reporting platforms can automate evidence collection and reporting; the paper itself does not prescribe any particular technology.


3

Business Continuity Management (BCM)

Business Impact Analysis: Identify critical business functions and their dependencies.

Resilience Playbooks: Create predefined action plans for various disruption scenarios.

Alternative Work Arrangements: Establish remote work and off-site operational contingencies.

Periodic Drills: Conduct industry-wide and internal crisis simulations.

4

Third-Party Risk Management

Vendor Due Diligence: Assess financial and operational resilience of third-party providers.

Contractual Safeguards: Define service level agreements (SLAs) with clear continuity expectations.

Ongoing Monitoring: Establish key performance indicators (KPIs) for third-party resilience.

Exit Strategies: Develop contingency plans for vendor failure or service disruptions.

5

Scenario Analysis & Resilience Testing

Severe but Plausible Scenarios: Simulate financial, operational, and cyber crises.

Cross-Departmental Participation: Involve IT, operations, legal, and risk teams in testing exercises.

Lessons Learned Implementation: Apply insights from testing to enhance resilience strategies.

Annual Review Cycles: Update stress-testing methodologies to reflect evolving threats.
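The business impact analysis (critical functions and their dependencies), the third-party exit planning, and the severe-but-plausible scenario analysis above all rest on the same artifact: a dependency map of critical operations, measured against each operation's tolerance for disruption. The following is an added example, not code from SR 20-24 or from any institution, showing how such a map can be queried. The operations, components, tolerances, and recovery times are constructed for illustration, and the model assumes failed components are restored in parallel, so an operation is down for as long as the slowest failed component it depends on.

```python
"""Scenario analysis over a mapped critical-operations dependency graph."""
from collections import defaultdict, deque

# Constructed example data (not from SR 20-24 or any real institution).
# DEPENDS_ON maps each operation or component to what it needs in order to
# run; leaf components such as primary_dc have no further dependencies.
DEPENDS_ON = {
    "wire_transfers":      ["core_ledger", "payment_gateway", "iam"],
    "retail_payments":     ["core_ledger", "card_processor_vendor", "iam"],
    "customer_onboarding": ["kyc_vendor", "iam"],
    "core_ledger":         ["db_cluster"],
    "payment_gateway":     ["msg_bus_saas", "primary_dc"],
    "iam":                 ["primary_dc"],
    "db_cluster":          ["primary_dc"],
}

# Critical operations and the board-approved tolerance for disruption, hours.
TOLERANCE_HOURS = {
    "wire_transfers": 4,
    "retail_payments": 2,
    "customer_onboarding": 24,
}

# Assumed time to restore each component when it is the thing that fails:
# tested RTO for internal systems, contracted SLA for third parties.
RECOVERY_HOURS = {
    "primary_dc": 6,
    "db_cluster": 3,
    "msg_bus_saas": 8,
    "card_processor_vendor": 12,
    "kyc_vendor": 48,
    "core_ledger": 2,
    "payment_gateway": 1,
    "iam": 1,
}


def dependents_graph(depends_on):
    """Invert the map: component -> set of nodes that depend on it."""
    rev = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def affected_operations(failed, depends_on=DEPENDS_ON, operations=TOLERANCE_HOURS):
    """Critical operations that transitively depend on the failed component."""
    rev = dependents_graph(depends_on)
    seen, queue = set(), deque([failed])
    while queue:                       # breadth-first walk up the dependents
        node = queue.popleft()
        for upstream in rev.get(node, ()):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return sorted(op for op in seen if op in operations)


def assess_scenario(failed_components, recovery=RECOVERY_HOURS, tolerance=TOLERANCE_HOURS):
    """Severe-but-plausible scenario: several components fail at once.

    Assumption: components are restored in parallel, so an operation is down
    for as long as the slowest failed component it depends on.  Returns
    {operation: (outage_hours, tolerance_hours, breached)} for impacted ops.
    """
    result = {}
    for comp in failed_components:
        for op in affected_operations(comp):
            outage = max(result.get(op, (0,))[0], recovery[comp])
            result[op] = (outage, tolerance[op], outage > tolerance[op])
    return result


def single_points_of_failure(depends_on=DEPENDS_ON, operations=TOLERANCE_HOURS):
    """Components whose loss would disrupt more than one critical operation."""
    comps = {dep for deps in depends_on.values() for dep in deps}
    spofs = {}
    for comp in sorted(comps):
        ops = affected_operations(comp, depends_on, operations)
        if len(ops) > 1:
            spofs[comp] = ops
    return spofs


if __name__ == "__main__":
    for scenario in (["primary_dc"], ["card_processor_vendor"], ["db_cluster", "msg_bus_saas"]):
        print(scenario, assess_scenario(scenario))
    print("single points of failure:", single_points_of_failure())
```

Two things fall out of running it that the bullet list alone does not show. First, the third-party scenarios breach tolerance even though each vendor is contracted: a 12-hour card-processor SLA cannot satisfy a 2-hour tolerance, which is exactly the gap an exit strategy or a secondary provider has to close. Second, the single-point-of-failure query surfaces shared infrastructure (here the identity service and the primary data center) whose recovery time bounds every critical operation at once, which is where scenario results should feed back into the board's tolerance discussion.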

6

Secure & Resilient Information Systems

Access Control: Enforce least privilege and strong authentication for systems supporting critical operations; the paper does not prescribe a particular architecture such as zero trust, but that model is one way to meet the expectation.

Incident Detection & Response: Establish automated monitoring for early risk identification.

Data Encryption & Backup: Ensure critical data is securely stored and recoverable.

Emerging Threat Mitigation: Stay ahead of cybersecurity risks through continuous updates.

7

Surveillance & Reporting

Operational Risk Dashboards: Implement centralized risk tracking and analytics.

Incident Escalation Protocols: Ensure timely reporting to leadership and regulators.

Industry Benchmarking: Compare resilience metrics against sector peers.

Regulatory Reporting Compliance: Align with Federal Reserve expectations for incident disclosures.

8

Regulatory Compliance & Adaptation

Compliance Audits: Conduct regular internal reviews to ensure adherence.

Policy Evolution: Adapt resilience policies to accommodate new risks.

Training & Awareness: Ensure employees understand regulatory expectations.

Engagement with Regulators: Maintain open dialogue with supervisory authorities.
