Abridged Chinese translation of UK financial-sector operational resilience material: PRA Statement of Policy on Operational Resilience
Foreword: More and more people are paying attention to operational resilience. Although the field is still developing rapidly, a degree of consensus has already formed. The financial industry is one of the industries most concerned with operational resilience; in recent years the financial regulators of the UK, the US and other countries, as well as the Basel Committee on Banking Supervision, have successively published or revised formal documents on operational resilience and business continuity management. To let more professionals and enthusiasts learn about progress in operational resilience abroad, and to study and practise its good practices, in mid-2021 I organised a volunteer translation group to translate operational resilience material, and last year published the following: abridged Chinese translation of 'Principles for Operational Resilience' (23 November 2021); abridged Chinese translation of 'Revisions to the Principles for the Sound Management of Operational Risk' (29 November 2021).
Afterwards I organised another volunteer translation group to translate the operational resilience material of the UK financial regulators. Around the Spring Festival this year the group members sent me their drafts one after another; after various delays, I have recently finished reviewing this material, and it will be published on this public account in instalments.
The following members of the volunteer translation group took part in this series (in no particular order; sorted by pinyin of surname): 安晓冬 (Shanghai, anton_6@163.com); 陈阳 (Bank of China European Information Centre, chenyang@bankofchina.com); 马骏 (Accenture Dalian, patrick.ma2018@outlook.com); 彭水娟 (JCET Jiangyin, shuijuan2006@126.com); 孙宁莉 (Resil-Safe Consulting, resil-safe@outlook.com); 王舵 (Dalian, BCM consulting freelancer, prepkids@163.com); 吴小林 (Bank of Suzhou, 66886629@163.com); 巫文湘 (KASIKORNBANK (China) Co., Ltd., michael_woo_sz@hotmail.com); 徐文静 (DNV, wen.jing.xu@dnv.com); 翟红波 (Beijing, 25354646@qq.com); 周可政 (Shanghai, wikikivv@gmail.com); 王曙 (Xinchang'an Technology, kevinwang@vip.sina.com).
My thanks to the professionals of the volunteer translation group for giving up their personal rest time during the pandemic to do this translation work. I was responsible for the final unified review of the translation below; because my understanding of the UK financial sector is not deep enough, any inaccuracies or misunderstandings in the translation are my responsibility and not that of the translators. If you have comments or suggestions on the translation, please leave me a message.
王曙 (kevinwang), 2022.11.25
The text below is Appendix 3 of the UK Prudential Regulation Authority (PRA) Policy Statement on operational resilience, the PRA Statement of Policy 'Operational Resilience', published by the PRA on 29 March 2021; the original is at: https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/statement-of-policy/2021/operational-resilience-march-2021.pdf
Statement of Policy 'Operational Resilience'
1 Introduction
1.1 This Statement of Policy (SoP) is relevant to all: UK banks, building societies, and PRA-designated investment firms (hereafter banks); and UK Solvency II firms, the Society of Lloyd's, and its managing agents (hereafter insurers).
1.2 Banks and insurers are collectively referred to as 'firms'.
1.3 The Prudential Regulation Authority (PRA) considers that for firms to be operationally resilient, they should be able to prevent disruption occurring to the extent practicable; adapt systems and processes to continue to provide services and functions in the event of an incident; return to normal running promptly when a disruption is over; and learn and evolve from both incidents and near misses. Therefore, operational resilience is an outcome that is supported by several parts of the PRA's regulatory framework.
1.4 The Operational Resilience Parts of the PRA Rulebook and SS1/21 'Operational resilience: Impact tolerances for important business services' respectively require and expect firms to identify important business services and set impact tolerances for these services. Firms must take action to ensure they are able to deliver their important business services within their impact tolerances. Testing against severe but plausible operational disruption scenarios enables firms to identify vulnerabilities and take mitigating action. The PRA's operational resilience policy requires boards and senior management to drive improvement where deficiencies are found.
1.5 The context of important business services and impact tolerances influences the PRA's approach to other parts of the PRA's regulatory framework as well. This SoP sets out how the PRA implements a consistent and targeted approach across its regulatory framework.
1.6 The SoP clarifies how the PRA's operational resilience policy affects its approach to four key areas of the regulatory framework in particular (the relationship between these policies is depicted in Figure 1 below): governance; operational risk management; business continuity planning (BCP); and the management of outsourced relationships.
1.7 There is a valuable set of other relevant existing policies and guidelines (eg the European Banking Authority's (EBA's) guidelines on information and communication technology (ICT) risks, and the EBA's guidelines on ICT and security risk management). The PRA considers all of its policies and relevant international guidelines in the context of its operational resilience policy, not just those outlined here. The PRA's operational resilience policy will complement existing policies and is not intended to conflict with or amend them.
Figure 1: The relationship between the PRA's operational resilience policy and other key areas of the PRA's regulatory framework
The framework of identifying important business services, setting impact tolerances, and taking actions to be able to remain within impact tolerances sets the strategic direction that the PRA expects firms to take. To achieve the strategy, firms must: map resources; test their ability to remain within impact tolerances; implement BCP requirements; implement operational risk management requirements; and implement outsourcing requirements. Governance is an inherent part of each of the above elements, and self-assessment looks at how all of these elements combine to build the resilience of a firm.
2 The relationship between operational resilience and governance
2.1 The role of firms' boards and senior management is central to the PRA's operational resilience policy. Boards are accountable for, and should approve, the identification of their firm's important business services, impact tolerances, and self-assessment.
2.2 The ability of firms to deliver their important business services within their impact tolerances depends upon appropriate reporting and accountability being in place throughout the firm. Where limitations are identified, leadership from the firm's board and senior management is essential to prioritise the investment and cultural change required to improve operational resilience.
Interaction with other board responsibilities
2.3 The PRA considers whether firms are delivering the outcome of operational resilience when assessing the adequacy of a firm's arrangements to deliver other expectations of boards. When the PRA considers its expectations for boards in its operational resilience policy and elsewhere in its regulatory framework, it considers, for example, if boards: have appropriate management information available to inform decisions which have consequences for operational resilience; have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience; and articulate and maintain a culture of risk awareness and ethical behaviour for the entire organisation, which influences the firm's operational resilience.
Interaction with other management responsibilities
2.4 The Chief Operations Senior Management Function (SMF) 24, where it applies, includes responsibility for the firm's operational resilience. The PRA's operational resilience policy provides further detail to firms on this responsibility.
3 The relationship between operational resilience and operational risk
Policy
3.1 Operational risk management supports both operational resilience and financial resilience. Firms should have effective risk management systems in place to manage operational risks that are integrated into their organisational structures and decision-making processes.
3.2 When assessing a firm's operational risk management, the PRA considers the extent to which firms: have reduced the likelihood of operational incidents occurring; can limit losses in the event of severe business disruption; and whether they hold sufficient capital to mitigate the impact when operational risks crystallise.
3.3 The additional requirements the PRA's operational resilience policy places on firms to limit the impact of disruptions when they occur, whatever their cause, develop the PRA's approach to operational risk in two key ways: it increases firms' focus on their ability to respond to and recover from disruptions, assuming failures will occur; and it addresses the risk that firms may not necessarily consider the public interest when making investment decisions to build their operational resilience. The PRA's operational resilience policy requires firms to take action so they are able to provide their important business services within their impact tolerances through severe but plausible disruptions.
Risk appetite and impact tolerances
3.4 Impact tolerances differ from risk appetites in that they assume a particular risk has crystallised instead of focusing on the likelihood and impact of operational risks occurring. Firms that are able to remain within their impact tolerances increase their capability to survive severe but plausible disruptions, but risk appetites are likely to be exceeded in these scenarios (see Figure 2 below). Impact tolerances are set only in relation to impact on financial stability, the firm's safety and soundness and, in the case of insurers, the appropriate degree of policyholder protection.
Figure 2 shows the relationship between impact and likelihood for a firm's risk appetite and impact tolerance. Both risk appetite and impact tolerances help ensure a firm's operational resilience. The thick solid line represents the risk appetite, which changes with impact and likelihood. Green, yellow, and red illustrate the firm's appetite towards disruption at different levels of impact and likelihood (green is within the firm's risk appetite, yellow is outside of the firm's risk appetite, and red is significantly outside of the firm's risk appetite). The dashed dark line represents the impact tolerance, which is set at a high level of impact and assumes disruption has occurred, so is indifferent to likelihood. The green, yellow, and red are not related to the impact tolerance.
Financial resilience
3.5 Firms are required to hold capital to ensure they can absorb losses resulting from operational risks such as fraud, damage to physical resources, or business disruption and system failures. However, the PRA's operational resilience policy does not have an associated capital requirement. As such, it does not affect the PRA's approach to operational risk capital policy or add additional considerations for firms when they make capital calculations.
Incident management
3.6 In the PRA's general notification rules, firms are required to notify the PRA where an incident: could lead to the firm failing to satisfy one or more of the threshold conditions; could have a significant adverse impact on the firm's reputation; could impact the firm's ability to continue to provide adequate services to its customers; or could result in serious financial consequences to the UK's wider financial sector or to other firms.
3.7 The PRA considers whether a firm has met the PRA's notification requirements alongside the PRA's expectations in its operational resilience policy. For example, the PRA expects incidents to meet the test for notification if the incident would disrupt the firm's ability to deliver its important business services within its impact tolerances. This includes incidents which have occurred, may have occurred, or may occur in the foreseeable future.
4 The relationship between operational resilience and Business Continuity Planning (BCP)
4.1 The PRA requires a bank to 'have in place adequate contingency and business continuity plans aimed at ensuring that in the case of a severe business disruption the firm is able to operate on an ongoing basis and that any losses are limited'. Similarly, an insurer is required to 'take reasonable steps to ensure continuity and regularity in the performance of its activities, including the development of contingency plans'. These requirements and the PRA's operational resilience policy contribute to firms' response and recovery capabilities.
4.2 BCP policies and the PRA's operational resilience policy are closely linked. However, the PRA's operational resilience policy focuses on a firm's ability to deliver its important business services rather than on single points of failure. The PRA considers both policies together when supervising firms. For example, when assessing whether banks are meeting the PRA's expectations in SS21/15 'Internal governance', the PRA considers if banks': recovery priorities for their operations prioritise the delivery of important business services within impact tolerances; allocation of resources and communications planning for business continuity planning focuses on the delivery of important business services; and tests of business continuity plans complement the testing of disruption scenarios and relate to impact tolerances.
5 The relationship between operational resilience and outsourcing
5.1 As set out in the PRA's outsourcing rules, firms remain responsible for their obligations when functions are outsourced to a third party. In the PRA's operational resilience policy, the PRA expects firms to be operationally resilient regardless of any outsourcing arrangements or use of third parties. Firms should not allow their ability to deliver their important business services within their impact tolerances to be undermined when they are delivered wholly or in part by third parties, whether these third parties are other entities within their group or external providers.
5.2 The PRA's policy for modernising the regulatory framework on outsourcing and third party risk management (SS2/21 'Outsourcing and third party risk management') complements the PRA's operational resilience policy. SS2/21 reflects the increased importance to firms of cloud computing and other new technologies. The PRA's approach is to consider SS2/21 and the PRA's operational resilience policy in combination.
This public account (ID: bcmplus) is dedicated to spreading and popularising knowledge of business continuity and operational resilience; readers interested in business continuity, emergency and crisis management are welcome to follow it.
Originally published on the WeChat public account '业务连续性+' (Business Continuity+).