WeChat official account: 业务连续性+

Sound Practices to Strengthen Operational Resilience (abridged Chinese translation)

Foreword: More and more people are paying attention to operational resilience. Although the field is still developing quickly, some consensus has already formed. The financial industry is among the industries most concerned with operational resilience: in recent years, financial regulators in several developed countries and regions, together with the Basel Committee on Banking Supervision, have successively published or revised formal documents on operational resilience and business continuity management. To let more professionals and interested readers follow international progress in this field and study and apply its good practices, over the past two years I organized two rounds of volunteer translation work covering operational resilience materials from the Basel Committee on Banking Supervision and the UK financial regulators, including:

- Principles for Operational Resilience (Basel Committee on Banking Supervision), abridged Chinese translation, 23 November 2021
- Revisions to the Principles for the Sound Management of Operational Risk (Basel Committee on Banking Supervision), abridged Chinese translation, 29 November 2021
- Operational Resilience: Impact Tolerances for Important Business Services (joint statement by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)), abridged Chinese translation, 26 November 2022
- Policy Statement PS6/21 – Operational Resilience: Impact Tolerances for Important Business Services (PRA operational resilience policy statement), abridged Chinese translation, 27 November 2022
- PRA Rulebook: CRR Firms, Solvency II Firms: Operational Resilience Instrument 2021 (Annex 1 to the PRA policy statement – the Operational Resilience Part of the PRA Rulebook), abridged Chinese translation, 28 November 2022
- PRA Supervisory Statement SS1/21 "Operational Resilience: Impact Tolerances for Important Business Services" (Annex 2 to the PRA policy statement), abridged Chinese translation, 1 December 2022
- PRA "Operational Resilience" policy explanation (Annex 3 to the PRA policy statement), abridged Chinese translation, 2 December 2022

In March this year I once again organized a volunteer translation group to translate operational resilience materials from the financial regulators of the United States, Ireland, Australia, Singapore and Hong Kong. Around July the group members sent me their draft translations one after another; I will finish reviewing these materials shortly and publish them on this account in turn.

The members of the third volunteer translation group for operational resilience materials are listed below (in no particular order; sorted by the pinyin of their surnames):

- 高洋 (ICBC, william.yang.gao@gmail.com)
- 江磊 (Longhua, Shenzhen, 2014595@qq.com)
- 刘琪岳 (Beijing)
- 刘宇 (Shenzhen, 13316880733@189.cn)
- 刘元锋 (Beijing Rural Commercial Bank head office, liuyf@bjrcb.com)
- 林喆 (Guangzhou, 674441632@qq.com)
- 马骏 (Accenture / Dalian, patrick.ma2018@outlook.com)
- 孙宁莉 (深圳市韧安咨询服务有限公司, 115947186@qq.com)
- 王舵 (大连童安应急管理科技有限公司, prekids@163.com)
- 徐文静 (DNV, wen.jing.xu@dnv.com)
- 薛春娟 (Zhoushan, Zhejiang, 793571689@qq.com)
- 张锋 (Beijing, zhangfeng76@wo.cn)
- 周可政 (Shanghai, wikikivv@gmail.com)
- 王曙 (新常安科技, kevinwang@vip.sina.com)

My thanks to the professionals of the volunteer translation group for giving their personal time to this work. I was responsible for the final unified review and finalization of the translation below; any inaccuracies or misunderstandings in it are my own fault and not that of the translators. If you have comments or suggested corrections, please leave me a message.

王曙(kevinwang) 2023.10.26


This document was issued on 30 October 2020 by the US federal banking regulators (the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation). It outlines sound practices intended to help large banks strengthen their operational resilience; the examples of risk it cites include cyberattacks, natural disasters and pandemics. Original: https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20201030a1.pdf

Sound Practices to Strengthen Operational Resilience outlines practices for strengthening operational resilience drawn from existing regulations, guidance, statements and common industry standards, covering operational risk management, business continuity management, third-party risk management, cybersecurity risk management, and recovery and resolution planning. These practices are grounded in effective governance and risk management techniques, take third-party risk into account, and include resilient information systems. The document does not revise the issuing agencies' existing rules or guidance.


Sound Practices to Strengthen Operational Resilience

Introduction

The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the agencies) are issuing an interagency paper on Sound Practices to Strengthen Operational Resilience (sound practices). The sound practices seek to provide firms with ways to strengthen their operational resilience in the face of internal and external operational risks [1] that, left unchecked, could lead to a wide-scale disruption.

In recent years, firms have experienced significant challenges from a wide range of disruptive events including technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters. While advances in technology have improved firms' ability to identify and recover from various types of disruptions, increasingly sophisticated cyber threats and growing reliance on third parties continue to expose firms to a range of operational risks. These operational risks underscore the importance for firms of all sizes to strengthen their operational resilience. While potential hazards may not be prevented, the agencies consider that a flexible operational resilience approach can enhance the ability of firms to prepare, adapt, withstand, and recover from disruptions and to continue operations.

Although operational resilience is important to all firms, the sound practices set forth in this paper are written for use by the largest and most complex domestic firms. This paper describes sound practices drawn from existing regulations and guidance for individual national banks, state member banks, state nonmember banks, savings associations, U.S. bank holding companies, and savings and loan holding companies that have average total consolidated assets greater than or equal to: (a) $250 billion, or (b) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure. [2] This paper does not set forth any new regulations or guidance for these firms, but brings together the existing regulations and guidance in one place to assist in the development of comprehensive approaches to operational resilience. It also highlights the importance of operational resilience with respect to firms' critical operations and core business lines.

While the sound practices prioritize the operational resilience of critical operations and core business lines of a firm and its material entities, [3] a firm also should identify and address the resilience of other operations, services, and functions for which a disruption could have a significant adverse impact on the firm or its customers as part of operational resilience planning. Critical operations and core business lines are defined as follows:

- Critical operations are those operations of the firm, including associated services, functions, and support, [5] the failure or discontinuance of which would pose a threat to the financial stability of the United States. [4]
- Core business lines are those business lines of the firm, including associated operations, services, functions, and support, that, in the view of the firm, upon failure would result in a material loss of revenue, profit, or franchise value.

Most firms to which this paper is directed already identify their critical operations and core business lines in their recovery or resolution plans. [6] These plans map out operational interconnections and interdependencies among a firm's material entities, across business lines, and with significant third parties. Accordingly, firms that are subject to recovery or resolution planning requirements can leverage relevant information in these plans for managing operational resilience.

Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions. [7] A firm that operates in a safe and sound manner is able to identify threats, respond and adapt to incidents, and recover and learn from such threats and incidents so that it can prioritize and deliver critical operations and core business lines, along with other operations, services and functions identified by the firm, through a disruption.

Sound Practices to Strengthen Operational Resilience

The sound practices outlined in this paper bring together existing regulations, guidance, and statements as well as common industry standards and provide a comprehensive approach that firms may use to strengthen and maintain their operational resilience. In this approach effective governance grounds the sound practices. Robust operational risk and business continuity management anchor the sound practices, which are informed by rigorous scenario analyses and consider third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough surveillance and reporting.

Appendix A provides a separate collection of sound practices for managing cyber risk in recognition of its significance as an operational risk and its technical nature. Appendix B provides a glossary of definitions used in these sound practices.

1. Governance

Effective governance helps ensure that firms not only operate in a safe and sound manner and comply with applicable laws and regulations, but also maintain operational resilience. In keeping with existing regulations and guidance, the practices outlined below promote effective governance.

- The firm's board of directors approves and periodically reviews its risk appetite [8] for weathering disruption from operational risks, [9] at the enterprise level and for the firm's critical operations and core business lines. In setting the firm's risk appetite, the board of directors articulates the firm's tolerance for disruption considering its risk profile and the capabilities of its supporting operational environment [10] ("tolerance for disruption"). [11]
- The firm's board of directors works with senior management to confirm that operational resilience practices are led and staffed by individuals with relevant expertise, approve appropriate budgets and resources, and promote a culture of effective risk management.
- The firm's board of directors oversees the firm's management of operational risk in its business line operations, its independent operational risk management function, and its independent internal (or external) audit function. Senior management is accountable for ensuring that each of these areas adheres to the firm's tolerance for disruption.
- Senior management is accountable for maintaining a detailed, accurate, and regularly updated overview of the firm's organizational and legal structure that identifies the critical operations and core business lines of the firm and its material entities.
- Senior management is accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm's tolerance for disruption.
- The internal (or external) audit function is responsible for independently assessing the design and ongoing effectiveness of the firm's operational resilience efforts.

2. Operational Risk Management

By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm is able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm's senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function. In keeping with existing regulations and guidance, the practices outlined below promote effective operational risk management.

- The firm's senior management oversees the implementation of operational risk management processes, systems, and controls to identify and contain the scope of a disruption, mitigate its effects, and resolve the disruption consistent with the firm's tolerance for disruption.
- The firm's business line operations management identifies and mitigates operational risk exposures in alignment with the firm's tolerance for disruption.
- The firm's operational risk management function assesses the critical operations and core business lines of the firm and its material entities. It determines the extent of exposure to the various operational risks the firm faces or forecasts, and the firm's ability to recover from a disruption.
- The firm's operational risk management function regularly reviews, tests, and updates internal controls relevant to the firm's critical operations and core business lines, including those performed by third parties.
- The firm's operational risk management function implements and maintains risk identification and assessment approaches that adequately capture business processes and their associated operational risks, including technology and third-party risks.
- The firm's independent internal (or external) audit function provides a review and challenge of the firm's operational risk management function and assesses whether it is appropriately operating within the firm's tolerance for disruption.
- The firm's operational risk management function works closely with its business continuity management and recovery or resolution planning functions with respect to operational resilience efforts.

3. Business Continuity Management

Business continuity plans consider market- and enterprise-wide stresses and idiosyncratic risks that can imperil the continuity of a firm's critical operations and core business lines or otherwise have a broader impact on the financial system. [12] A firm that is subject to recovery or resolution planning requirements can leverage the information in these plans for business continuity management purposes. In keeping with existing regulations and guidance, the practices outlined below promote sound business continuity management. [13]

- The firm's business continuity management incorporates business impact analysis, [14] testing, training, and awareness programs, as well as communication and crisis management policies.
- The firm periodically reviews its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. [15] For a firm that performs payment, clearing, and settlement activities in critical financial markets, contingency strategies align with existing guidance. [16]
- The firm tests business continuity plans, reviews the execution of tests, and improves plans by incorporating lessons learned. Business continuity tests and exercises incorporate dependencies of critical operations and core business lines on third parties. When possible, the firm participates in disaster recovery and business continuity testing with third parties associated with critical operations and core business lines.
- The firm confirms that functional testing procedures for assessing the ability of the firm's IT systems to deliver minimum service capacity to critical operations and core business lines are consistent with the firm's business continuity objectives. The firm's business continuity management considers and incorporates scenarios in which service capacity and business continuity objectives cannot be met.
- The firm identifies and manages the availability of personnel who are essential to the execution of the firm's critical operations and core business lines. [17]
- The firm has (an) alternate site(s) that has sufficient resources (including personnel), technology capabilities, and functionality to execute the firm's critical operations and core business lines in the event of a disruption. [18] The alternate site(s) is (are) located at a sufficient geographical distance from the primary site and has (have) a distinct risk profile.
- The firm's business continuity management includes remote-access contingencies that allow personnel to continue delivering the firm's critical operations and core business lines through a disruption. [19] The management of contingencies prioritizes critical operations and core business lines and provides personnel adequate connectivity, communication, and collaboration tools, essential technology resources, and access to network systems. These contingencies incorporate transitioning personnel back to normal operations following the resolution of a disruption. [20]
- The firm trains essential personnel who have responsibility for executing critical operations and core business lines to perform back-up roles should a disruption occur. The firm implements an operational resilience training and awareness program to evaluate the effectiveness of personnel-related business continuity arrangements, and the program is improved as shortcomings are identified.
- The firm's recovery or resolution planning, if applicable, is integrated into its governance and operating processes and is part of business-as-usual activities, including firm-wide risk management processes. In the context of operational resilience, recovery or resolution planning is understood as complementary to, and linked with, existing risk management and business continuity management processes.
- The firm leverages information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios. The firm similarly leverages the identification of interconnections and interdependencies among critical operations and core business lines, affiliates, subsidiaries, and third parties.

4. Third-Party Risk Management

In recent years, firms have made increasing use of third parties to deliver a variety of services, including those that are integral to critical operations and core business lines. Recognition of third-party risk is vital to operational resilience, especially if outsourcing arrangements involve entities that perform critical operations or core business activities. In keeping with existing regulations and guidance, the practices outlined below promote sound management of third-party risk. [21]

- The firm identifies and analyzes third-party risk of critical operations and core business lines. It prioritizes the third-party dependencies that are most significant to the firm and understands, manages, and mitigates their risks.
- The firm establishes relationships with third parties through formal agreements. [22]
- The firm manages and monitors the performance of third parties against its service requirements and its tolerance for disruption.
- The firm periodically reviews reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It establishes processes and benchmarks for monitoring a third party's ability to continue to deliver services during disruptions. [23]
- The firm verifies that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm's tolerance for disruption.
- The firm addresses key third-party concerns to the extent that these concerns affect the firm's operational resilience (e.g., through due diligence, contract negotiations, ongoing monitoring, and termination of contracts).
- The firm identifies risks of third parties that provide it with public and critical infrastructure services, such as energy and telecommunications. The firm has processes to manage disruptions of these services and updates these processes as appropriate to stay within its tolerance for disruption.
- The firm identifies other third parties that may be available to assist in the event its current third parties are unable to continue delivering services. The firm assesses the substitutability of third parties that provide services supporting the firm's critical operations and core business lines, including the possibility of bringing a service back in-house.

5. Scenario Analysis

Scenario analysis helps a firm to develop, validate, and calibrate its tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In keeping with existing regulations and guidance, the practices outlined below promote effective scenario analysis. [24]

- Operational risks identified by the firm's operational risk management function, independent internal (or external) audit function, business continuity management, and recovery or resolution planning activities should be incorporated, as applicable, into severe but plausible scenarios affecting the firm's critical operations and core business lines. The firm designs the scenarios so that they may be used to test the firm's tolerance for disruption.
- The firm maintains a robust governance framework and independent review function to oversee the integrity and consistency of the scenario development process.
- In designing scenarios, the firm leverages both the mapped interconnections and interdependencies of its critical operations and core business lines, including its third-party risks, set forth in its recovery or resolution plans, as well as relevant business impact analyses.
- The firm uses scenario analysis to back-test against past instances of severe disruptions that have arisen from various causes. The results of back-testing are used to refine scenarios and increase their effectiveness for the future.
- The firm identifies potential risk transmission channels, concentrations, and vulnerabilities by analyzing the interconnections and interdependencies within and across its critical operations and core business lines, considering third-party risks. The information obtained from these analyses informs the firm's tolerance for disruption.

6. Secure and Resilient Information System Management

Secure and resilient information systems underpin the operational resilience of a firm's critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm identify and detect risks to operational resilience. They also enhance its ability to withstand disruptions or failures and facilitate the flow of information to enable effective decision-making during a disruption. In keeping with existing regulations and guidance, the practices outlined below promote secure and resilient information systems. [25] Additional sound practices on cyber risk management are provided in Appendix A.

- Information systems supporting the firm's critical operations and core business lines, including elements that depend on third parties, are subject to robust risk identification, protection, detection, and response and recovery programs that are regularly tested. Information systems incorporate appropriate situational awareness and provide management with relevant information on a timely basis.
- The firm routinely applies and evaluates the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of the firm's data and information systems.
- The firm establishes controls to safeguard the integrity and availability of critical data against the impact of destructive malware, including ransomware, or other similar threats. Recovery from such incidents may include use of protocols for secure, immutable, off-line storage of critical data.
- The firm reviews information systems and controls on a regular basis against common industry standards and best practices. The firm also regularly reviews and updates its systems and controls for security against evolving threats, including cyber threats and emerging or new technologies.
- The firm may benefit from use of a standardized tool that is aligned with common industry standards and best practices to assess its cybersecurity preparedness, as described in Appendix A.

7. Surveillance and Reporting

Operational resilience entails ongoing surveillance and reporting of operational risks and dissemination of that information to the board of directors and relevant stakeholders across the firm. In keeping with existing regulations and guidance, the practices outlined below promote sound surveillance and reporting. [26]

- The firm identifies and monitors ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. The firm establishes and maintains appropriate communication and coordination procedures to inform all relevant areas of the firm's ongoing exposures.
- The firm detects in a timely manner anomalous activity that could lead to a disruption affecting the firm's critical operations and core business lines, and it assesses the potential impact of the activity together with the effectiveness of protective measures.
- The firm conducts continuous surveillance and reporting to senior management and the board of directors that provides sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

Appendix A: Sound Practices for Cyber Risk Management

To manage cyber risk and assess the cybersecurity preparedness of its critical operations, core business lines, and other operations, services, and functions, a firm may choose to use standardized tools that are aligned with common industry standards and best practices. Some of the tools that firms can choose from include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile. [27] While the agencies do not endorse the use of any particular tool, Table 1 below presents a collection of sound practices for cyber risk management, aligned to NIST and augmented to emphasize governance and third-party risk management.

Table 1: Sound Practices for Cyber Risk Management (category, followed by its attributes)

Governance
- The firm's risk appetite and tolerance for disruption reflect the scope and level of cyber risk the firm is willing to accept or avoid for its critical operations and core business lines. [28]
- The firm establishes, implements, and manages cyber risk management processes for its critical operations and core business lines and integrates them into operational risk management processes.
- The firm has established cybersecurity processes to support operating within its risk appetite and tolerance for disruption.
- The firm has designated roles and responsibilities for cyber risk management, including an individual responsible for cybersecurity for the firm.
- The firm has a cybersecurity program that implements, monitors, and updates existing processes. The cybersecurity program is continually monitored and improved.
- The firm's independent risk management and independent internal (or external) audit functions provide appropriate oversight of the cybersecurity program.

Identification
- The firm identifies and manages the data, personnel, devices, systems, third parties, and facilities that enable its critical operations and core business lines.
- The firm understands the cybersecurity risks to its critical operations and core business lines and to the underlying data, personnel, devices, systems, third parties, and facilities associated with them.

Protection
- The firm limits access to physical and logical assets and related facilities for its critical operations and core business lines to authorized users, processes, and devices, and manages access consistent with the assessed risk of unauthorized access to activities and transactions that require authorization.
- The firm provides cybersecurity awareness education, especially to personnel engaged in the operations of critical operations and core business lines, including those from third parties, and adequately trains them to perform their information security-related duties and responsibilities consistent with related processes and agreements.
- The firm manages information and data consistent with its risk appetite and tolerance for disruption to protect the confidentiality, integrity, and availability of data and systems.
- The firm maintains security processes that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, and uses them to manage the protection of information systems and assets.
- The firm encrypts data used in the delivery of critical operations and core business lines. The firm protects data "at rest" and "in transit" commensurate with the criticality and sensitivity of the information.
- The firm creates backups of critical data and regularly tests those backups for completeness and reliability.
- The firm disposes of critical assets in a secure manner in order to prevent unauthorized recovery of sensitive information.
- The firm manages configuration baselines that incorporate its information systems' resilience requirements. The management of configuration changes causes minimal disruption to the delivery of critical operations and core business lines.
- The firm maintains and repairs industrial control [29] and information system components consistent with policies and procedures.
- The firm's information systems architecture for critical operations and core business lines incorporates the firm's cyber resilience requirements and is secure by design. The firm also accounts for interdependency, interconnectivity, scale, and complexity risks.
- The firm has and enforces defined processes for technology acquisition, development, testing, and integration that incorporate the firm's resilience requirements throughout the processes' lifecycles.
- The firm upgrades or replaces information system components before technical support is no longer available from the developer, vendor, or manufacturer.
- Technical security solutions are used to manage the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detection
- Anomalous activity is detected in a timely manner, and the potential impact (including financial impact) of anomalous events is analyzed and understood.
- Information systems and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection processes and procedures are maintained and tested to ensure timely action is taken in response to anomalous events.

Response
- Response processes and procedures are executed and maintained for timely response to detected cybersecurity incidents.
- The firm coordinates response activities with internal and external stakeholders, as appropriate, including external support from regulatory and law enforcement agencies.
- The firm conducts analysis to ensure effective response and to support recovery activities.
- The firm performs activities to prevent expansion of a disruption, mitigate its effects, and resolve the incident.
- The firm improves response activities by incorporating lessons learned from current and previous detection/response activities.

Recovery
- The firm executes and maintains business continuity and disaster recovery plans, processes, and procedures to support timely restoration of systems or assets affected by cybersecurity incidents.
- The firm improves recovery plans and processes by incorporating lessons learned into future activities.
- The firm coordinates restoration activities with internal and external parties such as internet service providers, owners of compromised systems, other incident response teams, and vendors.

Third-party risk management
- The firm manages the risks to its critical operations and core business lines, and monitors the effectiveness of the controls associated with them, regardless of whether the firm performs the activity internally or through a third party.
机构进行稳健的规划和尽职调查,以识别与第三方相关的风险,并建立流程测量、监视和控制与之相关的风险。风险识别和监测控制有效性的流程可能包括与第三方一起测试或审核安全控制。 The firm engages in robust planning and due diligence to identify risks related to third parties and establishes processes to measure, monitor, and control the risks associated with them. The process for risk identification and monitoring controls effectiveness may include testing or auditing of security controls with the third party. 起草机构与第三方之间的协议,明确定义哪一方负责配置和管理系统访问权限、配置功能和部署服务和信息资产。 Contracts between the firm and third parties are drafted to define clearly which party is responsible for configuring and managing system access rights, configuration capabilities, and deployment of services and information assets. 与第三方的关系包括稳健的风险管理实践,以识别和减轻危险。机构采用控制来验证第三方是否制定了韧性运营流程,并符合机构的内部标准。 Relationships with third parties include sound risk management practices to identify and mitigate hazards. The firm employs controls to verify that resilient operational processes are in place at the third party and consistent with the firm’s internal standards. 机构制定了流程,验证用于交付关键运营和核心业务线的第三方系统在扰断期间是否能够运行,或者能够根据机构的扰断容忍度恢复运行。 The firm has processes for validating that third-party systems used for delivering critical operations and core business lines will be operational during disruptions or able to return to operation in accordance with the firm’s tolerance for disruption.
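The Protection row above expects backups of critical data to be tested regularly for completeness (nothing is missing) and reliability (what is restored is byte-for-byte what was backed up). The script below is an added illustration of one way to make that test concrete; it is not part of the agencies' paper and not code from any firm. It records a SHA-256 manifest of a source tree, keeps the manifest apart from the backup itself, and then grades a restored copy as missing, extra, or corrupted. The file names, contents, and the manifest layout are constructed for the example.

```python
# Added example: backup completeness/reliability check (not from the
# interagency paper). Builds a SHA-256 manifest of critical files and
# verifies a restored copy against it. File names and contents below are
# constructed sample data.
import hashlib
import json
import shutil
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Completeness: every manifest entry is present. Reliability: every digest matches.
    Extra files are reported but do not fail the check; missing or corrupted ones do."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        rel for rel in manifest
        if rel in restored and restored[rel]["sha256"] != manifest[rel]["sha256"]
    )
    return {"missing": missing, "extra": extra, "corrupted": corrupted,
            "ok": not missing and not corrupted}


def demo() -> dict:
    """Constructed scenario: take a manifest of a source tree, then check a clean
    restore and a damaged restore (one file missing, one silently truncated)."""
    with TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "positions.csv").write_bytes(b"acct,qty\nA1,100\nB2,250\n")
        (src / "config.yaml").write_bytes(b"rpo_minutes: 15\nrto_minutes: 120\n")

        # Keep the manifest separate from the backup media, so damage to the backup
        # cannot also damage the record it is checked against.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_path.read_text())

        good = tmp / "restore_good"
        shutil.copytree(src, good)

        bad = tmp / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "config.yaml").unlink()                                     # missing file
        (bad / "ledger" / "positions.csv").write_bytes(b"acct,qty\nA1,100\n")  # truncated

        return {"good": verify_restore(manifest, good),
                "bad": verify_restore(manifest, bad)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, json.dumps(result))
```

In practice the restore would be performed from the actual backup media onto an isolated host, and the manifest would be written at backup time and signed or stored under separate access control; the digest comparison is what turns "we have a backup" into evidence that the backup can be relied on.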

Appendix B: Glossary of Definitions

Business continuity management. Refers to measures that promote the continuous operation of a firm or financial market in the event of a disruption or crisis.

Core business lines. Those business lines of the firm, including associated operations, services, functions, and support, that, in the view of the firm, upon failure would result in a material loss of revenue, profit, or franchise value.

Critical operations. Those operations of the firm, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Cyber incident. An incident that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits, or that violates cybersecurity procedures.

Cyber risk. Risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a system via electronic means from the unauthorized access, use, disruption, modification, or destruction of the system. [30]

Essential personnel. Essential personnel are individuals, including those from third parties, whose availability is necessary for the delivery of a firm's critical operations and core business lines.

Information systems. A set of applications, services, information technology assets, or other information-handling components, which includes the operating environment.

Management information systems. A firm's comprehensive processes, supported by computer-based systems, that provide the information necessary to manage the firm. These include systems and applications for risk management.

Material entity. A subsidiary or foreign office of a firm that is significant to the activities of an identified critical operation or core business line, or is financially or operationally significant to the resolution of the firm.

Operational resilience. The ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.

Operational risk. The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

Risk appetite. The aggregate level and types of risk the board and senior management are willing to assume to achieve a firm's strategic business objectives, consistent with applicable capital, liquidity, and other requirements and constraints.

Third parties. Entities that have a business arrangement with a firm. Third-party relationships include activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the firm has an ongoing relationship or may have responsibility for the associated records.

Tolerance for disruption. Tolerance for disruption is determined by a firm's risk appetite for weathering disruption from operational risks, considering its risk profile and the capabilities of its supporting operational environment. A firm's tolerance for disruption is informed by existing regulations and guidance [31] and by the analysis of a range of severe but plausible scenarios that would affect its critical operations and core business lines.

[1] As specified in 12 CFR 3.101 and 217.101 (Regulation Q), operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk but excludes strategic and reputational risk.

[2] This includes U.S. domestic firms that are considered 1) Globally Important Systemic Bank Holding Companies, 2) Category II bank holding companies, 3) Category II savings and loan holding companies, 4) Category III bank holding companies, or 5) Category III savings and loan holding companies. It also includes GSIB depository institutions supervised by the OCC, Category II national banks and Federal savings associations, and Category III national banks and Federal savings associations (see, e.g., 12 CFR 3.2 and 50.3; 12 CFR 324.2). It does not apply to U.S. intermediate holding companies.

[3] A material entity is a subsidiary or foreign office of a firm that is significant to the activities of an identified critical operation or core business line, or is financially or operationally significant to the resolution of the firm.

[4] As set forth in 12 CFR part 243, Resolution Plans (Regulation QQ), Definitions. Not all firms subject to recovery or resolution plans have critical operations.

[5] Associated services, functions, and support include management information services. These encompass a firm's comprehensive processes, supported by computer-based systems, that provide the information necessary for the firm's management, including systems and applications for risk management.

[6] See 12 CFR part 243 (Regulation QQ); 12 CFR part 30, Appendix E.

[7] The agencies note that there are several definitions of operational resilience used in the financial services sector, including those set forth by the National Institute of Standards and Technology (NIST), the Federal Financial Institutions Examination Council (FFIEC), and the Basel Committee on Banking Supervision (BCBS). The consistent theme in all of the definitions is the importance of maintaining the ability to deliver operations through disruption from any hazard.

[8] As described in 12 CFR part 30, Appendix D, risk appetite is defined as the aggregate level and types of risk the board and senior management are willing to assume to achieve the firm's strategic business objectives, consistent with applicable capital, liquidity, and other requirements and constraints. For operational resilience purposes, risk appetite statements reflect qualitative considerations and, as appropriate, quantitative measures.

[9] As described in 12 CFR 3.101 and 217.101 (Regulation Q), operational risks cover a range of events, which are categorized across event types comprising internal fraud; external fraud; employment practices and workplace safety; clients, products, and business practice; damage to physical assets; business disruption and systems failures, including those related to cyber; and execution, delivery, and process management.

[10] The firm's operational environment would include, for example, systems, processes, technical infrastructure, risk management capabilities, and expertise.

[11] A firm's tolerance for disruption generally is informed by existing regulations and guidance and by the analysis of a range of severe but plausible scenarios that would affect its critical operations and core business lines.

[12] See the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019, which describes principles and practices for IT and operations for safety and soundness, consumer financial protection, and compliance with applicable laws and regulations.

[13] Guidance includes SR letter 03-9 and OCC Bulletin 2003-14, "Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (April 8, 2003), which outline practices for geographic diversity and resiliency of data centers and operations, as well as recovery and resumption time objectives and related testing standards for firms that perform payment, clearing, and settlement activities in critical financial markets. Per this guidance, the term "recovery" refers to the restoration of clearing and settlement activities after a wide-scale disruption; "resumption" refers to the capacity to accept and process new transactions and payments after a wide-scale disruption.

[14] See section III.A, "Business Impact Analysis," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019, which describes the business impact analysis process.

[15] See Section II.A, "Board and Senior Management Responsibilities," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[16] Refer to SR letter 03-9 and OCC Bulletin 2003-14, "Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (April 8, 2003).

[17] See Section IV.A.4, "Personnel," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[18] See Section V.C, "Facilities and Infrastructure," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[19] The firm's operational risk management and independent internal (or external) audit functions also take into account remote-access and any other related conditions.

[20] See Section IV.A.4, "Personnel," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[21] Federal Reserve SR 13-19, "Guidance on Managing Outsourcing Risk" (December 5, 2013); OCC Bulletin 2013-29, "Third Party Relationships: Risk Management Guidance" (October 30, 2013); "Third Party Risk: Guidance for Managing Third Party Risk," FDIC FIL-44-2008 (June 6, 2008).

[22] 12 U.S.C. 1867(c)(2) requires firms to notify the Agencies of service relationships.

[23] FFIEC Interagency Statement on Pandemic Planning (March 6, 2020) and the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[24] The Interagency Guidelines Establishing Standards for Safety and Soundness, adopted pursuant to Section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), set forth standards for institutions to have systems that provide for an effective risk assessment that identifies the nature, scope, and risk of their activities, products, and balance-sheet components. Depository institutions should refer to the Interagency Guidelines adopted by their primary federal regulator as follows: for national banks and federal savings associations, Appendix A to 12 CFR part 30; for state member banks, Appendix D-1 to 12 CFR part 208; and for state nonmember banks, state savings associations, and insured state-licensed branches of foreign banks, Appendix A to 12 CFR part 364. See also SR 15-19, Federal Reserve Supervisory Assessment of Capital Planning and Positions for Large and Noncomplex Firms, Appendix G (December 18, 2015).

[25] Consistent with the FFIEC Information Technology Examination Handbook, November 15, 2019, revised December 12, 2019.

[26] See Section IV.B, "Communications," of the FFIEC Information Technology Examination Handbook booklet "Business Continuity Management," November 2019.

[27] See "FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness," August 26, 2019 (https://www.ffiec.gov/press/pr082819.htm).

[28] The firm's operational risk appetite statements are discussed in the governance section of the operational resilience sound practices.

[29] Firms often use industrial control systems to automate heating, ventilation, and cooling systems, power systems, etc. According to NIST, industrial control systems are information systems used to control industrial processes such as manufacturing, product handling, production, and distribution (https://csrc.nist.gov/glossary/term/industrial_control_system).

[30] As defined by the National Institute of Standards and Technology (https://csrc.nist.gov/glossary/term/cyber_risk).

[31] Such as FRB SR Letter 03-9 and OCC Bulletin 2003-14, "Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" (April 8, 2003).

