WeChat official account: 业务连续性+ (Business Continuity+)

Cross Industry Guidance on Operational Resilience: abridged Chinese translation

Preface: More and more people are paying attention to operational resilience. In fact, although the field is still developing rapidly, some consensus has already formed. The financial industry is one of the industries most concerned with operational resilience; in recent years, financial regulators in several developed countries/regions and the Basel Committee on Banking Supervision have successively issued or revised formal documents on operational resilience (Operational Resilience) and business continuity management. To let more professionals and enthusiasts learn about international developments in operational resilience and study and practise its good practices, over the past two years I organised two rounds of volunteer translation work, translating operational resilience materials from the Basel Committee on Banking Supervision and the UK financial regulators, including:
- Principles for Operational Resilience, abridged Chinese translation (Basel Committee on Banking Supervision) (23 November 2021)
- Revisions to the Principles for the Sound Management of Operational Risk, abridged Chinese translation (Basel Committee on Banking Supervision) (29 November 2021)
- Operational Resilience: Impact Tolerances for Important Business Services, abridged Chinese translation (joint statement of the Bank of England, the UK Prudential Regulation Authority (PRA) and the UK Financial Conduct Authority (FCA)) (26 November 2022)
- Policy Statement PS6/21 – Operational Resilience: Impact Tolerances for Important Business Services, abridged Chinese translation (PRA operational resilience policy statement) (27 November 2022)
- PRA Rulebook: CRR Firms, Solvency II Firms: Operational Resilience Instrument 2021, abridged Chinese translation (Appendix 1 to the PRA operational resilience policy statement: the operational resilience part of the PRA Rulebook) (28 November 2022)
- PRA Supervisory Statement SS1/21 "Operational Resilience: Impact Tolerances for Important Business Services", abridged Chinese translation (Appendix 2 to the PRA operational resilience policy statement: PRA Supervisory Statement SS1/21) (1 December 2022)
- PRA "Operational Resilience" policy note, abridged Chinese translation (Appendix 3 to the PRA operational resilience policy statement: operational resilience policy note) (2 December 2022)

In March this year I again organised a volunteer translation group to translate operational resilience materials from the financial regulators of the United States, Ireland, Australia, Singapore, Hong Kong and other jurisdictions. Around July the group members sent me their draft translations; I will finish reviewing these materials shortly and publish them on this account one after another.

The members of the third round of the volunteer operational resilience translation group are listed below (in no particular order; sorted by the pinyin of their surnames):
- 高洋 (ICBC, william.yang.gao@gmail.com)
- 江磊 (Shenzhen Longhua, 2014595@qq.com)
- 刘琪岳 (Beijing)
- 刘宇 (Shenzhen, 13316880733@189.cn)
- 刘元锋 (Beijing Rural Commercial Bank head office, liuyf@bjrcb.com)
- 林喆 (Guangzhou, 674441632@qq.com)
- 马骏 (Accenture / Dalian, patrick.ma2018@outlook.com)
- 孙宁莉 (Shenzhen Ren'an Consulting Services Co., Ltd., 115947186@qq.com)
- 王舵 (Dalian Tong'an Emergency Management Technology Co., Ltd., prekids@163.com)
- 徐文静 (DNV, wen.jing.xu@dnv.com)
- 薛春娟 (Zhoushan, Zhejiang, 793571689@qq.com)
- 张锋 (Beijing, zhangfeng76@wo.cn)
- 周可政 (Shanghai, wikikivv@gmail.com)
- 王曙 (Xinchang'an Technology, kevinwang@vip.sina.com)

My thanks to the professionals in the volunteer translation group for giving their personal time to the translation work. I was responsible for the final unified review of the translation below; any inaccuracies or misunderstandings in it are my fault and not that of the translators. If you have comments or suggested corrections, please leave me a message.

王曙 (kevinwang), 26 October 2023


This document was published by the Central Bank of Ireland in December 2021 and aims to communicate to industry how to prepare for, respond to, recover and learn from operational disruptions that affect critical or important business services. The original is at: https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp140/cross-industry-guidance-on-operational-resilience.pdf

The Cross Industry Guidance on Operational Resilience looks, from a business operations perspective, at the many types of risk that could affect the delivery of critical or important business services. It builds a unified overall operational resilience framework around the three pillars "Identify and Prepare", "Respond and Adapt" and "Recover and Learn", integrating business continuity management (BCM), third party risk management, information and communication technology (ICT) and cyber resilience, incident management, crisis management planning, and recovery and resolution planning, and sets out 15 specific guidelines (see Schedule 1). The Guidance does not supersede existing sectoral legislation, regulations or guidance but is intended to complement and support them.


Cross Industry Guidance on Operational Resilience

A. Introduction

In keeping with the Central Bank of Ireland's (the Central Bank's) strategic commitment of strengthening our ability to maintain the resilience of the financial system [1], it is important to continue to address existing vulnerabilities and weaknesses, and mitigate risks in the financial system to ensure that it can better withstand future shocks and crises and to limit the impact of such events. The Cross Industry Guidance on Operational Resilience (the Guidance) was consulted on and responses were received from a wide number of industry bodies and regulated entities. The feedback received was considered when finalising the Guidance and responses to the feedback are detailed in the accompanying feedback statement. The objective of this Guidance is to communicate to industry how to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.

The financial services industry operates in an increasingly complex and interconnected environment, facilitating the provision of services locally and internationally. In many cases, firms rely on international outsourced service providers (OSPs) to support their operations. Internationally, financial services firms have experienced challenges from various disruptive events including technology failures, cyber incidents, the COVID-19 pandemic and natural disasters. Firms will have established risk management processes and governance arrangements underpinned by sectoral legislation, regulatory requirements and guidance. However, recognising that not all potential hazards can be prevented, the Central Bank believes that a flexible, pragmatic and proportionate approach to operational resilience will strengthen the industry's ability to respond to and recover from such events. The Guidance aims to enhance operational resilience and recognise the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which firms operate.

More specifically, the purpose of the Guidance is to:
- Communicate to the boards and senior management of Regulated Financial Service Providers (RFSPs) the Central Bank's expectations with respect to the design and management of operational resilience;
- Emphasise board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions; and
- Require that boards and senior management take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust.
This should ensure that the risks to the firm's operational continuity do not transmit into the financial markets and that the interests of the customers and market participants are safeguarded during business disruptions.

The Guidance does not purport to address, in detail, every aspect of a firm's legal and regulatory obligations relating to operational resilience and should be read in conjunction with the relevant legislation, regulations, and other guidance or standards issued by the relevant industry bodies, supervisory authorities or the Central Bank. The Guidance does not supersede existing sectoral legislation, regulations, or guidance but is intended to complement and support them. The Central Bank may update or amend the Guidance from time to time, in light of future regulatory requirements.

B. Definitions

Operational Resilience: The ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.

Business Service: A service that a firm provides to an external end user. Business services deliver a specific outcome or service to an identifiable user and should be distinguished from business lines or functions, which are a collection of services and activities.

Critical or Important Business Service: A service provided by a firm to an external end user or market participant where a disruption to the provision of the service could cause material customer detriment; harm market integrity; compromise policyholder protection; or threaten a firm's viability, safety and soundness, or financial stability.

Outsourced Service Provider: A third-party entity that is undertaking an outsourced process, service or activity, or parts thereof, under an outsourcing arrangement. This refers to both external third party service providers and intra/inter group service providers.

Impact Tolerance: Impact tolerances determine the maximum acceptable level of disruption to a critical or important business service.

Mapping: Mapping is the process of identifying, documenting and understanding the chain of activities involved in delivering critical or important business services. This incorporates the identification of all interdependencies and interconnections including people, processes, information, technology, facilities, and third party service providers.

Scenario Testing: Scenario testing is the assessment of a firm's ability to remain within its impact tolerance for each of its critical or important business services in the event of a severe, but plausible disruption of its operations.

Board: It is acknowledged that some smaller, less complex firms may not have a board of directors. In these cases, where the term 'board' is used, it is intended to address the relevant management bodies or structures of these regulated firms.

C. Concept of Operational Resilience

The Central Bank considers operational resilience to be the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.

An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system.

The first step in becoming operationally resilient is accepting that disruptive events will occur, and that these events will need to be managed effectively. A firm needs to have forward looking plans that can be applied across a range of potential disruptions. A firm should proactively prepare to withstand and adapt to disruptions that will inevitably occur.

The Central Bank sees the management of a firm's operational risk and resilience as an aligned approach that is integrated into the firm's governance structures. Operational resilience is an evolution of operational risk and business continuity management and, as such, should be aligned with existing or developing frameworks in these areas.

Operational risk management is focused on minimising risk, through development of controls that reduce the impact and probability of an operational event occurring. Operational resilience goes beyond this and promotes a deeper understanding of a firm's business and all the steps/activities involved in delivering its critical or important business services. It focuses on building capabilities to deal with risk events when they materialise, rather than purely focusing on building defences to prevent risk events from occurring.

Continuity of critical or important business services is an essential component of being operationally resilient, although operational resilience is much wider than just continuity and recovery. Operational resilience requires coordination between risk management, business continuity management (BCM), incident management, third party risk management, Information Communication Technology (ICT) and cyber risk, and recovery and resolution planning.

A firm's operational resilience strategy should be cause agnostic and flexible enough to adapt to different types of disruption. Resilience is not about what happens to a firm, but rather, how a firm is able to withstand and respond to an incident when it does occur.

D. Value of Operational Resilience

An operational disruption can threaten the viability of individual firms, impact customers and other market participants, and ultimately affect financial stability. A firm needs to consider all of these risks when assessing the appropriate levels of resilience of the business services it provides. Operational resilience benefits the firm itself by strengthening its ability to remain a viable ongoing concern. At both an individual firm level and a sectoral level, operational resilience is critical to supporting services to customers and supporting the wider economy.

A resilient financial system is one that can absorb shocks rather than contribute to them. The financial system needs an approach to operational risk and resilience that includes preventative measures and the capabilities, in terms of people, processes, technology, and organisational culture, to recover and adapt when disruptions occur.

The increased dependence on technology, coupled with an accelerated pace of change, has led to a rise in operational incidents across all sectors in recent years. This has brought to the fore the discussion around the need for firms to become more operationally resilient. Operational disruptions can result from man-made causes such as Information Technology (IT) threats (e.g. cyber-attacks, change management issues), terrorist threats, civil disturbances, insider threats (e.g. internal arbitrage, insider trading), third party dependencies or natural causes (e.g. storms, pandemics).

The COVID-19 pandemic has put firms' operational resilience to the test and highlighted the importance of being more operationally resilient. The protracted nature of the pandemic has altered the way firms operate and has increased demands on technology. This has included widespread remote working, with staff undertaking activities not previously considered suitable to be conducted outside of the office environment. Significant demands are being placed on IT infrastructure and capabilities to facilitate this new way of working.

In addition, changing customer behaviour is putting pressure on firms to enhance their digital offerings and has placed a different type of stress on how firms operate.

Operational resilience is an opportunity to improve decision-making and value creation by targeting investment into the services that are critical or important to a firm and the economy, and by focusing on the services that could have the most material impact if unavailable.

E. International Alignment

The operational resilience landscape is evolving with new standards and consultations being proposed and/or published across multiple jurisdictions. In developing the Guidance, the Central Bank engaged with our international regulatory colleagues and reviewed the more significant and innovative regulatory proposals across the European Union (EU), the UK, Asia, Australia, and the USA.

The more developed principles include:
- the Basel Committee on Banking Supervision's (BCBS) 'Principles for operational resilience' [2]; and
- the joint Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) policy statement on their approach to operational resilience across the financial services sector [3].
Furthermore, in September 2020, the European Commission published its proposed legislation on digital operational resilience, the 'Digital Operational Resilience Act' (DORA) [4].

While aspects of the various policy approaches may differ across jurisdictions, global regulators are aligned on the fundamentals and core principles of operational resilience. They remain focused on ensuring that the risks to a firm's operational continuity, due to the firm's operational complexity and interconnectedness with the broader financial ecosystem, are not transmitted across the financial system and that the interests of the customers and market participants are safeguarded during business disruptions.

The US Federal Reserve Board (FRB), the UK's PRA, and the European Central Bank (ECB) have agreed coordinated statements on operational resilience, which have been issued to all Global Systemically Important Banks (GSIBs) and non-GSIBs. In the statement, the authorities commit to actively work together to refine the approaches to operational resilience to ensure that they comprehensively consider risks as they evolve.

Operational resilience for the financial services sector does not, at present, benefit from one clear, detailed international standard. The Central Bank, in developing this Guidance, has sought to develop a holistic approach that aligns with the prominent international thinking and that will allow firms with a presence in more than one jurisdiction the flexibility to develop an operational resilience framework that can be applicable across all operations. The Central Bank will continue to monitor international developments after the issuance of this Guidance and further enhance operational resilience across the financial services sector.

F. Scope of Application

This Guidance applies to all regulated financial service providers, as defined in Section 2 of the Central Bank Act 1942 [5]. This recognises the importance of operational resilience for individual firms, customers and the wider economy. The Guidance is intentionally not prescriptive or at a granular level of detail, to allow for a pragmatic application. As such, it is designed to be flexible and can be applied by firms in a proportionate manner based on the nature, scale and complexity of their business.

G. Implementation

It is the Central Bank's expectation that the boards and senior management of RFSPs review the Guidance and adopt appropriate measures to strengthen and improve their operational resilience frameworks and their effective management of operational resilience in line with this Guidance. Regulated firms should be able to demonstrate that they have applied the Guidance within an appropriate timeframe.

The Central Bank considers that an 'appropriate timeframe' will depend on a range of factors including the nature, scale and complexity of a firm's business and the firm's overall impact on customers and the wider economy. We expect firms to be actively and promptly addressing operational resilience vulnerabilities and to be in a position to evidence actions/plans to apply the Guidance at the latest within two years of its being issued.

H. Supervisory Approach

The Central Bank's mission is to serve the public interest by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of consumers and the wider economy. Our supervisory objectives are to protect consumers and financial stability by seeking to ensure that RFSPs:
- Act in the best interests of consumers;
- Are financially sound and safely managed with sufficient financial resources;
- Are governed and controlled appropriately, with clear and embedded risk appetites, which drive an effective culture; and
- Have frameworks in place to ensure failed or failing providers go through orderly resolution.

The Guidance outlined in Schedule 1 seeks to enhance the Central Bank's regulatory framework by focusing firms' attention on their most critical or important business services, which, if disrupted, could cause prudential or consumer harm or have an impact on overall financial stability.

The Central Bank expects boards and senior management of RFSPs to review the Guidance and adopt appropriate measures to strengthen and improve their governance and risk frameworks and their effective management of operational resilience. An RFSP should be able to demonstrate that it has considered the supervisory expectations set out in this Guidance and developed a plan to meet the Guidance.

The Central Bank will utilise risk-based supervisory engagement to assess the core principles of operational resilience in firms and drive to enhance and mature operational resilience across the financial system. This will include an assessment of:
- Board ownership and accountability for the firm's operational resilience strategy and framework and the firm's ability to demonstrate a keen understanding of its critical or important business services. The Central Bank will look for evidence that the board is seeking the required information to enable it to understand the risk and resilience profile of the firm and make targeted investment decisions to support on-going resilience efforts;
- The firm's understanding of the delivery of its own critical or important business services, the people, the activities, information, technology, and third parties that support that delivery, and the criticality of those services to the wider financial system;
- A firm's ability to determine appropriate impact tolerances for its critical or important business services and to test its ability to remain within those impact tolerances under severe but plausible scenarios; and
- The firm's consideration of third parties in its response and recovery processes and whether they are aligned and tested for effectiveness.

As part of the risk-based supervisory approach, the Central Bank will increase its engagement with firms on their levels of operational resilience. The Central Bank issued an Operational Resilience Maturity Assessment to a large cohort of firms across the financial system in advance of the consultation on this Guidance. The objective of the assessment was to develop an understanding of the common issues faced by firms and to provide an insight into firms' resilience capabilities. The responses to the assessment were considered when developing this Guidance.

The Central Bank will keep its regulatory framework and supervisory approach to operational resilience under review, based on our regulatory and supervisory experience and international developments. We are conscious that the regulatory framework within the EU is developing further with the proposed introduction of DORA. We believe that the proposed Guidance is in line with international best practice and compatible with/complementary to DORA and the 'Directive on Security of Network and Information Systems' (NIS2). Our aim is to align and update the intended outcomes of our supervisory approach with the operational resilience policy developments as they evolve.

Schedule 1

Operational Resilience Guidelines

Introduction

The overarching principle of operational resilience is the acceptance that disruptions will occur and that firms need to be prepared to respond accordingly and have measures in place to limit the impacts. A firm needs to ensure that it has prepared effectively, and has the flexibility to withstand, absorb, respond, adapt, recover and learn from disruptions with minimal impact on its critical or important business services.

Approaching operational resilience through a business service lens encourages a firm to prioritise what is critical or important to the firm and the financial system, and to understand the interconnections and interdependencies involved in delivering those services. Ultimately, this will allow a firm to determine the wider impact a disruption will have on the services that it provides.

A firm should take ownership of its own operational resilience and prioritise based on the potential impacts to itself, its customers and financial stability.

The core principles of any operational resilience framework are:
- Board and senior management ownership of the Operational Resilience Framework;
- The identification of critical or important business services and all activities, people, processes, information, technologies and third parties involved in the delivery of these services;
- The setting of impact tolerances for each of these identified services, and the testing of the firm's ability to stay within those impact tolerances during a severe but plausible operational disruption scenario; and
- The continuous review of how a firm responded and adapted to disruptive or potentially disruptive events so that lessons learned can be incorporated into operational improvements to continually enhance the operational resilience of the firm.

As such, the Central Bank Guidance is built around three pillars of Operational Resilience:
- Identify and Prepare;
- Respond and Adapt;
- Recover and Learn.

These three pillars support a holistic approach to the management of operational resilience and related risks and create a feedback loop that fosters the perpetual embedding of lessons learned into a firm's preparation for operational disruptions.

运营韧性的三大支柱(Three Pillars of Operational Resilience)

支柱1:确定与准备(Pillar 1: Identify and Prepare)

  1. 治理1 Governance

指导意见1:董事会对机构的运营韧性负最终责任。 Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm.

机构董事会对机构运营韧性框架的批准和监督负有最终责任。自上而下的领导应当确保韧性从本质上融入机构的战略决策,并允许董事会优先考虑活动和目标投资,使关键或重要业务服务更具韧性。自上而下的运营韧性方法创建了统一的流程,并提高了整个组织在批准的影响容忍度范围内开展业务的责任的清晰度。 A firm’s board has the ultimate responsibility for the approval and oversight of the firm’s Operational Resilience Framework. Leadership from the top down should ensure that resilience is intrinsically built into a firm’s strategic decisions and allow boards to prioritise activities and target investment towards making critical or important business services more resilient. A top-down approach to operational resilience creates a uniform process flow and enhances clarity on the responsibilities throughout the organisation to conduct business within approved impact tolerances.

所有董事会成员都应当有足够的了解,以便对机构的运营韧性进行有效的监督和质疑。应当向高级管理层提供所需的财务、技术和其他资源,以支持机构在董事会监督下的整体运营韧性工作。 All board members should have sufficient understanding to provide effective oversight and challenge of the firm’s operational resilience. Senior management should be given the financial, technical and other resources needed in order to support the firm’s overall operational resilience efforts under the oversight of the board.

The board and senior management should have accurate and adequate oversight of resilience activity, trends and remediation measures, allowing them to make business decisions regarding investments and risk exposure. A firm should provide formal operational resilience management information (MI) to its board on a regular basis and in the event of a disruption. The operational resilience MI should be embedded into the existing reporting structure so that it is adequate, meaningful and timely. Escalation routes should be established for when vulnerabilities are identified or when an unexpected disruption occurs.

The board has responsibility for the approval of the Operational Resilience Framework and for approval of the critical or important business services, impact tolerances, business service maps, scenario testing to ascertain the firm's ability to remain within impact tolerances, and communications plans. The board should review the components of the Operational Resilience Framework at least annually to confirm that there are no undetected developing weaknesses.

The board should oversee senior management's assessments of the components of the Operational Resilience Framework. The board is responsible for the review, challenge and approval of the assessments of its critical or important business services, impact tolerances, business service maps and scenario analysis annually and/or as part of the lessons learned exercise after a disruption has occurred.

The actions a firm takes to improve operational resilience, including through its investment decisions, should be prioritised based on factors such as the potential impact of disruptions, time criticality and the progress required to be able to remain within impact tolerances.

Guideline 2: The Operational Resilience Framework should be aligned with a firm's overall Governance and Risk Management Frameworks.

A firm should utilise its existing governance and risk management structures when implementing an effective Operational Resilience Framework. A firm will need to ensure that its existing governance frameworks and committee structures include responsibilities with respect to operational resilience.

The Central Bank views the management of a firm's operational risk and resilience as a unified objective, enacted through aligned frameworks or one holistic framework. Operational resilience is an evolution of operational risk and provides a holistic, firm-wide approach to managing disruptions to critical or important business services. A firm should develop a documented Operational Resilience Framework aligned with its Operational Risk and Business Continuity Frameworks, or include these risk areas in one holistic framework.

Operational resilience should be strategically implemented across the business by senior management, throughout the Operations, Risk and Finance pillars. As operational resilience draws on elements of business continuity, third party risk management, ICT and cyber risk management, incident management and wider aspects of operational risk management, a holistic approach is essential if a firm is to enhance the resilience of its business services regardless of the type of disruption. The three pillar approach to operational resilience aligns all of these elements into an effective Operational Resilience Framework.

2 Identification of Critical or Important Business Service

Guideline 3: The board reviews and approves the criteria for critical or important business services.

The starting point for any firm in enhancing its operational resilience is to set the criteria for defining its critical or important business services. It is the responsibility of the board to approve clearly defined and documented criteria that determine how business services are classified as critical or important.

The criteria should enable a firm to identify its critical or important business services and to prioritise them in the event of a disruption. This should be achieved by considering the risk a disruption poses to customers, to the firm's viability, safety and soundness, and to overall financial stability.

The criteria for the identification of critical or important business services should be reviewed and approved by the board annually, or at the time of implementing material changes to the business that would involve additional critical or important business services.

Guideline 4: A firm should identify its critical or important business services.

Once a firm has set its criteria, it should identify its critical or important business services. Traditionally, firms have focused on protecting individual systems, processes and functions rather than looking at the complete end-to-end set of activities required to deliver a particular business service. Operational resilience challenges a firm to rethink how it views its operations, put in place measures to protect its most critical business services, and ensure the continued delivery of those services to external end users or market participants throughout a disruption.

A firm should leverage its existing business functions' knowledge when identifying and prioritising its critical or important business services. As critical or important business services will differ between individual firms and sectors, firms should take an outcomes-based approach to the identification of these services. Ultimately, it is the responsibility of the board to review and approve all business services classified as 'critical' or 'important' on at least an annual basis.

Critical or important business services should be identified in a way that enables a firm to clearly determine impact tolerances based on maximum acceptable levels of disruption, to map the end-to-end delivery of the business service, including any dependence on third parties, and to test against severe but plausible scenarios.

Furthermore, a firm should consider whether the number of critical or important business services is proportionate to the nature, scale and complexity of its business.

3 Impact Tolerances

Guideline 5: Impact tolerances should be approved for each critical or important business service.

A firm should develop impact tolerances for each of its critical or important business services on the assumption that disruptive events will happen. The purpose of an impact tolerance is to determine the maximum acceptable level of disruption to a critical or important business service.

Impact tolerances should be set at the point at which disruption to the firm's business service would pose, or have the potential to pose, a risk to the firm's viability, safety and soundness, or to financial stability, or could cause material detriment to customers.

Impact tolerances should be used as a planning tool for a firm rather than as a tool to measure regulatory compliance. Impact tolerances enable a firm to understand its level of operational resilience in the event of an unplanned disruption. They are designed to determine the schedule by which a firm should be able to restore the delivery of a critical or important business service after a disruption has occurred.

Impact tolerances need to be tested against severe but plausible scenarios to determine their appropriateness, i.e. to determine whether the firm is able to stay within the defined impact tolerances during a disruption.

A board should review and approve impact tolerances at least annually, or when a disruption occurs, to determine whether the originally approved impact tolerances are still fit for purpose.

While impact tolerances should be aligned to a firm's risk appetite, they are a separate and distinct tolerance measurement. Risk appetite focuses on the impact and probability of a risk event occurring and is typically set with reference to a firm's strategic goals. Risk appetite is 'the aggregate level and types of risk an organisation is willing to assume within its risk capacity to achieve its strategic objectives and business plan'. [6]

Impact tolerances assume that the risk event has already crystallised and, therefore, the probability element of risk appetite is removed. When a disruption has impacted a critical or important business service, the risk appetite will already have been breached.

Impact tolerances are a standard that a firm should be able to remain within, and which the board and senior management should use to drive improvements to operational resilience. Firms have the flexibility to determine impact tolerances for their critical or important business services, including by leveraging any appropriate pre-determined and approved criteria from other practices. For example, this may include the processes used for Business Impact Analysis (BIA), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs) and Maximum Tolerable Outage (MTO), where these metrics, which measure disruption of single points of failure, feed into the delivery of a critical business service.

Guideline 6: A firm should develop clear impact tolerance metrics.

A firm should set at least one impact tolerance metric for each of its critical or important business services. Impact tolerance metrics need to be clear and measurable, and can be both qualitative and quantitative. To achieve this, they should reference specific outcomes and measurements. A firm should be able to determine the outcome if an impact tolerance is exceeded.

At a minimum, there should be a time-based metric indicating the maximum acceptable duration for which a critical or important business service can withstand a disruption. A time-based metric ensures that a firm focuses its response to a disruption on the continuity of its critical or important business services.

To be prepared to withstand more than one type of disruption, a firm should consider having additional impact tolerance metrics, which could for example be based upon:
the maximum tolerable number of customers affected by a disruption;
the maximum number of transactions affected by a disruption; or
the maximum value of transactions impacted.

This is not an exhaustive list, and firms should set and approve impact tolerance metrics based on their specific critical or important business services, taking into account the nature, scale and complexity of the firm.

4 Mapping of Interconnections and Interdependencies

Guideline 7: A firm should understand and map out how its critical or important business services are delivered.

To ensure that a critical or important business service can remain within its impact tolerance(s), a firm needs to understand how the service is delivered and how it can be disrupted. A firm will need to understand the chain of activities that contribute to the delivery of each of its critical or important business services, in order to be able to identify any critical or single points of failure, dependencies or key vulnerabilities.

A firm should identify, document and map the people, processes, information, technology, facilities and third party service providers required to deliver each of its critical or important business services. This exercise should be undertaken collaboratively across the business to ensure comprehensive mapping.

Mapping should be conducted at a level of detail that enables the identification of the resources that contribute to the delivery of each stage of the service, and their importance. A firm should understand how these resources blend and work in combination to deliver the critical or important business service. A firm should identify which business units own each resource and from where it is provided.

The approach and level of granularity of mapping should be sufficient for a firm to identify vulnerabilities and key dependencies, and to support testing of its ability to stay within the assigned impact tolerances for each critical or important business service.

Comprehensive mapping of a service will enable a firm to pinpoint vulnerabilities in how critical or important business services are being delivered and to determine where recovery and resolution plans can be leveraged. Examples of such vulnerabilities include concentration risk, single points of failure, key man risk and inadequate substitutability of resources.

Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services.

The increasing complexity of firms' operating models and the increased reliance on third parties for the delivery of key elements of their critical or important business services can often result in a firm being dependent on a multitude of resources, across many different third party providers, including other RFSPs, for the delivery of critical or important business services.

A complex network of external interconnections and interdependencies increases the risks related to the use of third parties. If a disruptive event occurs anywhere within this network of interconnected activities, the firm can be impacted even if the event did not occur within its own systems. A complicated network of outsourced activities reduces visibility of potential vulnerabilities in the delivery of critical or important business services. This can hamper a firm in preparing for an operational disruption; capturing these dependencies as part of the mapping process is therefore a key tool in managing operational disruptions.

Boards and senior management should be cognisant of the fact that, when entering into outsourcing arrangements, they are creating a dependency on a third party for the resilience of their firm. A firm should manage its dependencies on relationships, including those with third parties, involved in the delivery of critical or important business services. Dependencies should be clearly identified and detailed in the mapping of critical or important business services. A firm's critical or important business services should be able to remain within impact tolerances, including when they rely on OSPs. A firm should undertake due diligence in respect of its OSPs prior to entering into an outsourcing arrangement, to ensure that third party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances.

A firm should ensure that legally binding written agreements are in place with third parties that detail how the critical or important services will be maintained during a disruption, and an exit strategy for if or when the service cannot be maintained. A firm should also take into account the geographical location of the third party, which may affect the provision of the service depending on the nature or location of the event.

A firm should also be aware of any chain outsourcing that exists and should manage and monitor it accordingly. Chain outsourcing can complicate the effective management of a critical or important business service, and a firm should have clear written agreements in place regarding any chain outsourcing that may affect the provision of a critical or important business service.

This Guideline should be read in conjunction with the Central Bank's 'Cross Industry Guidance on Outsourcing' [7] and the forthcoming DORA in relation to ICT OSPs.

5 ICT and Cyber Resilience

Guideline 9: A firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.

Technology and information are key drivers and enablers of most firms' business models and, as such, the resilience of the technology infrastructure and the protection of information assets should be integral to any operational resilience framework.

A firm should ensure that its information and communication technology is robust and resilient and is subject to protection, detection, response and recovery programmes in line with industry best practice. As part of the mapping process, a firm should identify where technology forms part of the delivery of a critical or important business service. Where IT systems or technology resources are provided by a third party, a firm needs to take the necessary steps outlined in Guideline 7 and Guideline 8.

The identified systems should be regularly tested as part of IT security, cyber security and resilience testing, using severe but plausible scenarios, to ensure continuity of critical or important business services during severe disruptions.

Ongoing threat intelligence and situational awareness programmes should feed into the operational resilience programme and align with the firm's IT risk management, IT security management, IT incident management and IT continuity/disaster recovery programmes.

This Guideline should be read in conjunction with the Central Bank's 'Cross Industry Guidance in respect of Technology and Cybersecurity Risks' [8], any relevant European Supervisory Authority guidance, including the EBA Guidelines on ICT and Security Risk Management [9] and the EIOPA Guidelines on ICT Security and Governance [10], and the forthcoming DORA and NIS2.

6 Scenario Testing

Guideline 10: A firm should document and test its ability to remain within impact tolerances through severe but plausible scenarios.

A firm should test its ability to remain within its impact tolerances, for every critical or important business service, through severe but plausible scenarios. Testing can only be effective once clear and detailed maps have been developed for the critical or important business services.

In carrying out scenario testing, a firm should identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile, and consider the risks to the delivery of the firm's critical or important business services in those circumstances. Mapping facilitates the identification of an individual firm's idiosyncratic risks and allows for the development of appropriate testing.

The nature and frequency of testing should be proportionate to the firm's size and complexity. A flexible approach allows a firm to carry out scenario testing at an appropriate level to identify vulnerabilities within the chain of activities of its critical or important business services. A firm that implements change more regularly should undertake more frequent testing. For all firms, testing should be completed at least annually. A firm should consider various testing methods, such as paper-based or simulation testing on a number of critical or important business services.

Scenario testing will identify any vulnerabilities or reliance on third parties. The results should focus investment on the resolvability of a vulnerable element, determine alternative channels of delivery, or identify the elements that can be substituted if disrupted. Additionally, the results can identify areas where an increase in capacity or a reduction in manual intervention is required, where staff need appropriate training, and which outsourcing arrangements need to be reviewed.

A firm should design a test plan and document the scope of the exercise and the steps taken or considered during the exercise, and should capture and act upon the lessons learned from the exercise. This will provide greater assurance that a firm has adequate contingency plans in place to identify and prepare for, respond and adapt to, and recover and learn from an operational disruption.

A firm's board should review the results of all scenario testing carried out on critical or important business services. If scenario testing identifies a situation where impact tolerances may be breached, it is the responsibility of the board and senior management to take action to improve the resilience of the business service and to focus investment where needed. The design and implementation of remediation plans are the responsibility of senior management, and the results of the remediation plans should thereafter be reviewed and approved by the board.
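The time-based impact tolerance of section 3, the dependency map of section 4 (including third party and chain outsourcing dependencies) and the scenario test of section 6 fit together as one mechanical check. The Python model below is an added example, not part of the Central Bank's guidance and not any firm's actual framework: it holds a constructed service map in which each resource carries its own recovery time (the kind of BIA/RTO input the guidance says may feed an impact tolerance), its upstream dependencies and any substitutes, and for each single-resource failure it computes how long the service would take to come back and whether that is within the tolerance. The service name, resources, recovery times and the 4-hour tolerance are all constructed sample values; the map is assumed to be acyclic and failover to an unaffected substitute is assumed to be immediate.

```python
"""Scenario test of a mapped business service against a time-based impact tolerance.

Added illustration, not part of the Central Bank of Ireland guidance. All
services, resources, recovery hours and the tolerance are constructed sample
data; the dependency map is assumed to be acyclic.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Resource:
    """One mapped resource: people, process, technology, facility or third party."""
    name: str
    kind: str
    recovery_hours: float                               # time to restore this resource by itself
    depends_on: List[str] = field(default_factory=list)   # upstream resources (e.g. chain outsourcing)
    substitutes: List[str] = field(default_factory=list)  # alternatives usable if this one fails


@dataclass
class BusinessService:
    """A critical or important business service with a time-based impact tolerance."""
    name: str
    impact_tolerance_hours: float
    required: List[str]             # resources the service directly needs
    resources: Dict[str, Resource]  # the full map, including indirect dependencies


def affected_by(service, disrupted):
    """Resources knocked out when `disrupted` fails: itself plus everything downstream of it."""
    affected = {disrupted}
    changed = True
    while changed:
        changed = False
        for r in service.resources.values():
            if r.name not in affected and any(d in affected for d in r.depends_on):
                affected.add(r.name)
                changed = True
    return affected


def restoration_hours(service, name, affected, memo):
    """Hours until `name` is usable again in this scenario.

    Unaffected resources cost nothing. An affected resource with an unaffected
    substitute is treated as failing over immediately (a simplification).
    Otherwise it needs its own recovery time on top of its slowest affected
    upstream dependency, which is how a sub-outsourcer's outage propagates."""
    if name not in affected:
        return 0.0
    if name in memo:
        return memo[name]
    r = service.resources[name]
    if any(s not in affected for s in r.substitutes):
        memo[name] = 0.0
        return 0.0
    upstream = max((restoration_hours(service, d, affected, memo) for d in r.depends_on), default=0.0)
    memo[name] = r.recovery_hours + upstream
    return memo[name]


def scenario_test(service, disrupted):
    """Return (hours to restore the service, whether that is within the impact tolerance)."""
    affected = affected_by(service, disrupted)
    memo = {}
    hours = max(restoration_hours(service, r, affected, memo) for r in service.required)
    return hours, hours <= service.impact_tolerance_hours


def tolerance_breaches(service):
    """Single-resource failures that would push the service outside its tolerance."""
    return sorted(n for n in service.resources if not scenario_test(service, n)[1])


def sample_payments_service():
    """Constructed sample map for a 'payments processing' service with a 4-hour tolerance."""
    resources = [
        Resource("payments_team", "people", 2.0, substitutes=["backup_team"]),
        Resource("backup_team", "people", 2.0),
        Resource("core_banking", "technology", 3.0, depends_on=["primary_dc"]),
        Resource("primary_dc", "facility", 6.0, substitutes=["secondary_dc"]),
        Resource("secondary_dc", "facility", 6.0),
        # The gateway vendor restarts quickly, but it runs on a sub-contracted cloud
        # host (chain outsourcing) that the firm never contracted with directly.
        Resource("payment_gateway_vendor", "third_party", 1.0, depends_on=["cloud_host"]),
        Resource("cloud_host", "third_party", 5.0),
    ]
    return BusinessService(
        name="payments processing",
        impact_tolerance_hours=4.0,
        required=["payments_team", "core_banking", "payment_gateway_vendor"],
        resources={r.name: r for r in resources},
    )


if __name__ == "__main__":
    svc = sample_payments_service()
    for name in svc.resources:
        hours, ok = scenario_test(svc, name)
        print(f"{name:24s} restore in {hours:4.1f} h  {'within' if ok else 'BREACH'}")
    print("tolerance breaches:", tolerance_breaches(svc))
```

In the sample map the only breach comes from the sub-outsourced cloud host, a resource the service does not use directly and which would be invisible without the mapping in Guideline 8: the vendor's own one-hour restart is harmless, but it cannot start until the host it depends on is back. Losing the primary data centre, by contrast, stays within tolerance because a substitute facility is mapped and only the core banking restart remains. Substituting a real BIA export for `sample_payments_service` turns this into a repeatable check to run whenever the map or the tolerances change.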

Pillar 2: Respond and Adapt

7 Business Continuity Management

Guideline 11: Business Continuity Management should be fully integrated into the overarching Operational Resilience Framework and linked to a firm's risk appetite.

Continuity of business services is an essential, forward-looking component of being operationally resilient. While operational resilience is much broader than traditional business continuity management (BCM) and recovery, approved business continuity plans should be utilised as part of the holistic response to a disruption.

Where traditional BCM focuses on single points of failure, such as individual systems, people or processes, operational resilience goes a step further by determining how these single points of failure have the potential to affect the end-to-end delivery of critical or important business services.

When a disruption occurs to a firm's critical or important business services, the Business Continuity Plan (BCP) should be enacted as part of the response process. For BCM to be aligned with the Operational Resilience Framework, BCPs should be tested through severe but plausible scenarios and should include any third party interdependencies or interconnections. To respond effectively to a disruption, an integrated BCP should incorporate invocation processes, impact analyses, recovery strategies, training programmes and crisis management programmes to guide the management of a disruption and limit its impact.

A firm should adopt a holistic approach to BCM by mapping its critical or important business services (discussed in section 4) and developing a recovery plan in line with the approved impact tolerances.

Key personnel should be identified and should have completed the necessary training. Training and awareness programmes should be customised to specific roles to ensure that staff can effectively execute contingency plans when responding to a disruption.

Where interdependencies on third parties for the delivery of critical or important business services have been identified, it should be verified that these arrangements have appropriate operational resilience conditions to ensure that the firm can remain within its impact tolerances. The arrangements should be reviewed and tested at least annually. The firm should consider identifying the dependencies that can be substituted in the event of an unexpected disruption.

8 Incident Management

Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework.

Incident management is an essential component of being operationally resilient. Operational resilience requires a firm to have an approach to incidents that covers the full life cycle of an event, from the classification of incidents that triggers approved response procedures, to testing the incident management procedures and reflecting on lessons learned from the occurrence of incidents.

For incident management to be aligned with the Operational Resilience Framework, a firm should develop and implement response and recovery plans and procedures to manage incidents that have the potential to disrupt the delivery of critical or important business services. Incident management plans should be developed to consider how a disruption can affect a firm's risk appetite and impact tolerance metrics when responding to an incident.

A firm should maintain an inventory to support its response and recovery capabilities that includes the incident response and recovery steps followed during a disruption, the internal and third party resources potentially impacted, and the communication plans followed.

Incident response and recovery procedures should be reviewed, tested and updated at least annually. Root causes should be identified and managed to prevent the serial recurrence of incidents. Lessons learned from previous incidents, including incidents experienced by others, should be reflected when updating the incident management programme, and learnings from incidents should be considered as part of scenario testing. A firm's incident management programme should manage all incidents impacting or potentially impacting the firm.

9 Communication Plans

Guideline 13: Internal and external crisis communication plans should be fully integrated into the overarching Operational Resilience Framework.

A crisis communication plan should be developed, either as part of a firm's Operational Resilience Framework or contained in the BCM/recovery plans, to communicate effectively during a disruption.

A key part of an effective crisis communications plan is the identification and preparation of key resources and experts that can be leveraged when a disruption occurs. Doing so will mitigate the harm caused during a disruption.

The firm should develop internal and external communication plans and stakeholder maps that can be implemented during a disruption. The internal communication plan should contain escalation routes setting out how to communicate with key decision-makers, operational staff and, if necessary, third parties. The external communication plan should outline how the firm will communicate with its customers, stakeholders and regulators during a disruption.

支柱3:恢复和学习(Pillar 3: Recover and Learn)

10 经验教训练习和持续改进(10 Lessons Learned Exercise and Continuous Improvement)

指导意见14:在关键或重要业务扰断后,机构应当进行经验教训练习,以提高机构适应和应对未来运营事件的能力。 Guideline 14: A lessons learned exercise should be conducted after a disruption to a critical or important business service to enhance a firm’s capabilities to adapt and respond to future operational events.

机构应当在关键或重要业务服务发生任何扰断后,进行经验教训练习。这包括影响关键或重要业务服务交付的第三方供应商的任何潜在重大扰断。 A firm should conduct a lessons learned exercise after any disruption to a critical or important business service. This includes any potential material disruption to a third party provider that feeds into the delivery of a critical or important business service.

经验教训练习应当利用作为事件管理或灾难恢复过程一部分收集的信息。在整个事件管理过程中被确定为适当的决策和恢复过程应当构成经验教训练习的基础。 The lessons learned exercise should utilise the information gathered as part of the incident management or disaster recovery process. The decisions and recovery processes determined to be appropriate throughout the incident management process should form the basis of the lessons learned exercise.

经验教训练习使机构能够反思运营韧性的三大支柱方法,并允许对前两大支柱进行反馈回路,从而鼓励改进机构如何为扰断做好准备和从中恢复。 A lessons learned exercise allows a firm to reflect on the three-pillar approach to operational resilience and allows for a feedback loop into the first two pillars that encourages improvement in how a firm prepares for and recovers from disruptions.

机构应当有预先确定的准则或问题,它们构成了经验教训练习的基础。这些问题应当查明导致服务连续性失败的缺陷,这些缺陷应当作为优先事项加以解决。具体而言,至少应当考虑以下方面: 事件发生的方式和原因; 已发现的漏洞; 对关键或重要业务服务交付的影响; 风险控制、决策、恢复流程和沟通是否适当;和 恢复速度,以及影响容忍度是否足够。 A firm should have predetermined criteria or questions that form the basis of the lessons learned exercise. These questions should identify deficiencies that caused a failure in the continuity of service and, these deficiencies should be addressed as a matter of priority. Specifically, at a minimum, the following should be considered: How and why the incident occurred; The identified vulnerabilities; The impact on the delivery of critical or important business services; Whether the risk controls, decisions and recovery processes and communications were appropriate; and The speed of recovery and whether the impact tolerances are adequate.

经验教训练习应当确定有效的补救措施,以纠正服务连续性方面的不足和失败。这样做将使机构能够同意补救措施,并在确定的情况下调整任何影响容忍度。所有这些都应当包含在自评估文件中,并提交给董事会,如下一条指导意见所述。 The lessons learned exercises should define effective remediation measures to redress deficiencies and failure in the continuity of service. Doing so will allow a firm to agree remedial actions and adjust any impact tolerances if determined. This should all be contained within a self-assessment document and presented to the board, as outlined in the next Guideline.

指导意见15:随着运营韧性的发展,机构应当推动有效的学习和持续改进的文化。 Guideline 15: A firm should promote an effective culture of learning and continuous improvement as operational resilience evolves.

随着运营方法的变化或技术基础设施日渐成熟,运营韧性的不断提高要求机构从经验中学习。这不仅应当在扰断发生后出现,而且应当成为持续的运营韧性治理讨论的一部分。 Continuous improvements to operational resilience requires a firm to learn from its experiences as changes to its operational approaches, or technology infrastructure mature over time. This should not only occur after a disruption has occurred but should form part of ongoing operational resilience governance discussions.

A firm should promote an effective culture of learning and continuous improvement as operational resilience evolves. Operational resilience needs to be a fundamental element of any strategic decision taken by a firm. Any change to strategy or the business model should be considered through a business service lens. A firm should determine the impact of strategic changes on the delivery of critical or important business services, or on any part of the chain of activities documented as part of the mapping exercise.

A firm should document and update, at least annually, written self-assessments highlighting how the firm meets current operational resilience policy requirements. These reviews should cover all aspects of the three pillars of operational resilience, from the identification of critical or important business services through to lessons learned exercises, and should ensure that no emerging vulnerabilities are overlooked.

The self-assessment should detail the rationale for determining all criteria in the Identify and Prepare pillar. For example, a firm should evaluate the current list of critical or important business services and state why each has been identified, with reference to regulatory expectations. A similar process, detailing the firm's approach to impact tolerances, mapping and scenario testing, should be applied to determine whether current practice meets regulatory guidelines.

Schedule 2

Glossary

BCBS: Basel Committee for Banking Supervision
BCM: Business Continuity Management
BCP: Business Continuity Plan
BoE: Bank of England
DORA: Digital Operational Resilience Act
ECB: European Central Bank
EU: European Union
FCA: Financial Conduct Authority
FRB: Federal Reserve Board
GSIB: Global Systemically Important Bank
ICT: Information and Communications Technology
IT: Information Technology
MI: Management Information
NIS2: Directive on Security of Network and Information Systems
OSP: Outsourced Service Provider
PRA: Prudential Regulatory Authority
RFSP: Regulated Financial Service Provider
UK: United Kingdom
US: United States





Originally published on the WeChat official account "业务连续性+".