Banking Regulation 2025

USA Law and Practice Contributed by: Edward P. O’Keefe, Neil T. Bloomfield, John A. Stoker and Kathryn (Kate) G. Wellman, Moore & Van Allen, PLLC

changes in economic conditions and the financial system from climate-related risks. The principles also discuss the need for banks to address the impact of climate-related risks on various existing risk types, including credit risk, liquidity risk, financial risk, operational risk, legal and compliance risk, and other non-financial risks like strategic and reputational risk.

of other risk and complexity indicators (such as cross-border activity, short-term wholesale funding, nonbank assets, or off-balance sheet exposures)). Rather than setting new requirements or guidance in this area, the issuing agencies used the paper to serve as a source of reference and to emphasise the need for organisations to prioritise the operational resilience of their critical operations and core business lines for the organisation and its material entities. The paper sets out expectations with respect to:

• corporate governance: the role and accountabilities for the organisation’s board of directors and senior management with respect to risk appetite, staffing and resourcing, independent risk management, identification of critical operations and core business lines, and information systems and controls;
• effective operational risk management practices: the implementation of processes and controls, risk mitigation strategies, risk exposure assessments, testing practices, risk identification, audit assessments, and effective co-ordination between operational risk management functions and business continuity and resolution and recovery planning;
• effective business continuity planning practices: business impact testing and training, periodic reviews and plan updating, plan testing and enhancements, IT systems testing and evaluation, and identification of critical personnel and technologies, remote-access contingency locations, training, recovery and resolution planning, and development of stress scenario response measures;
• effective third-party risk management practices: identification of critical third-party relationships, documentation and ongoing oversight of third-party relationships, periodic reviews and testing, identification of critical

10. DORA

10.1 DORA Requirements

In the United States, there is no single source of regulatory requirements or agency guidance governing operational resilience. Instead, the regulatory framework governing expectations for organisations to have the capability to prepare for, adapt to, withstand, and recover from, internal or external operational risks that may cause wide-scale disruptions can be found embedded in various legal requirements or regulatory guidance – such as resolution and recovery planning requirements, information security incident notification requirements, safety and soundness standards for information security, and business continuity and pandemic planning guidance. Collectively, these and related materials set out expectations for organisations to strengthen their operational resilience when faced with technology failures, cyber incidents, pandemics or natural disasters. Operational resilience has become an area of increasing supervisory focus, with the Federal Reserve, OCC and FDIC issuing an interagency paper in 2020 on Sound Practices to Strengthen Operational Resilience that is applicable to large banking organisations (those with at least (i) USD250 billion of total assets or (ii) at least USD100 billion of total assets and USD75 billion
