On 4 September 2024, the European Central Bank (ECB) published a speech by a member of its executive board, Frank Elderson.

The speech is entitled The art of bending without breaking – banking on operational resilience.

In his speech Mr Elderson focuses on operational resilience and provides examples which underscore a fundamental point – financial resilience alone is a necessary but not sufficient condition to weather operational headwinds. Banks can have ample capital and liquidity but still face major operational issues or even fail if they lack robust contingency planning for operational shocks that are impossible to avoid.

Mr Elderson also reminds banks that operational resilience is one of the 2024-2026 supervisory priorities for the Single Supervisory Mechanism. This means, for instance, conducting on-site inspections of banks’ cybersecurity management or targeted analysis of banks’ outsourcing arrangements with third-party providers, including potential concentrations of risk in certain providers.

Mr Elderson covers another important factor challenging banks’ operational resilience – IT and cyber risk. In order to help banks pinpoint their vulnerabilities to cyber risks, earlier this year the ECB conducted a cyber resilience stress test. The cyber resilience stress test showed that, although banks do have high-level response and recovery frameworks in place, there is room for improvement. Banks need to ensure that their recovery capabilities are sufficient to handle even worst-case scenarios, and that they can protect customers’ assets and data, and in doing so maintain confidence in the banking system.

Another key challenge for banks’ operational resilience is their use of cloud services. For banks under ECB supervision, Mr Elderson states that there is room for improvement in their cloud outsourcing strategies. The ECB has already acted on this by publishing for public consultation a guide that sets out its supervisory expectations and provides recommendations on the outsourcing of cloud services. The guide also outlines specific good practices that banks can use as a basis for tackling cloud outsourcing risk.

In the final part of his speech Mr Elderson considers how banks can strengthen their operational resilience. He points out that, in contrast to financial resilience, operational resilience cannot be bolstered by accumulating additional basis points of Common Equity Tier 1. Rather, Mr Elderson states that “mastering the art of bending without breaking under operational headwinds requires multi-year investment in capability-building.” He explains that this means, for instance, replacing legacy systems with state-of-the-art IT infrastructure, including in the areas of IT risk management and cyber hygiene, as well as ensuring that business continuity plans and third-party dependency management are implemented consistently. He also adds that investment in human capital is essential and that employees at all levels of the organisation have the appropriate skillset, whether they are experts or managers. The ECB notes that there are still boards that lack in-depth IT expertise, which may ultimately put into question the collective suitability of the board.

Mr Elderson concludes by stating:

“Financial resilience alone is far from sufficient to weather operational headwinds – you need operational resilience. And in order to bolster and maintain operational resilience banks must continue investing in future-proof systems, processes and people. This is not a steady state exercise. Operational resilience demands continuous attention and must keep pace with the changing risk environment.”