Basel Principles for Operational Resilience
The Basel Committee issued principles for operational resilience and updated operational risk management standards, directing banks to map critical operations, test severe scenarios, and tighten third-party oversight ahead of the 2023 implementation date.
Reviewed for accuracy by Kodi C.
On 31 March 2021 the Basel Committee on Banking Supervision (BCBS) published its Principles for Operational Resilience (POR) alongside revised Principles for the Sound Management of Operational Risk (PSMOR). The documents respond to disruptions observed during the COVID-19 pandemic and escalating cyber threats, setting supervisory expectations for banks to maintain critical operations through severe but plausible events. While the principles are not legally binding, BCBS members committed to implement them within their jurisdictions by 1 January 2023, making them a de facto global standard for operational resilience governance.
The POR centers on seven principles covering governance, operational risk management, business continuity, mapping of interconnections, third-party dependency management, incident management, and scenario testing. The updated PSMOR refreshes guidance on governance, risk appetite, change management, and information and communication technology (ICT) security. Together they emphasize that resilience extends beyond business continuity plans to an enterprise-wide discipline that must be embedded in risk culture, board oversight, and capital planning.
Governance and risk appetite
Principle 1 requires banks to ensure that boards of directors approve an operational resilience strategy aligned with the bank’s overall risk appetite. Boards must define tolerance levels for disruption of critical operations, review metrics, and hold senior management accountable for execution. Governance structures should include dedicated resilience committees or integrate resilience oversight into existing board risk committees, supported by clear reporting lines to chief risk officers and chief operating officers.
Principle 2 reinforces the role of the operational risk management function. Banks must identify, assess, and mitigate risks that could impair delivery of critical operations, incorporating resilience considerations into the Operational Risk Appetite Statement. The PSMOR update stresses culture, requiring leadership to promote risk awareness, escalation without fear of reprisal, and incentives aligned with resilience objectives.
Identification and mapping of critical operations
Principle 3 requires banks to identify critical operations, the supporting business services, and the internal and external dependencies required to deliver them. Banks must map people, processes, technology, information, and facilities, including third-party providers and intragroup arrangements. This mapping should be granular enough to support impact tolerances and scenario testing.
Supervisors expect banks to maintain dynamic inventories, updated through change management processes. Mapping must link to asset management, configuration repositories, and service-level agreements so that resilience considerations inform technology changes and outsourcing decisions. Many banks integrated mapping efforts with regulatory initiatives such as the UK Prudential Regulation Authority’s operational resilience policy (SS1/21) and the EU’s forthcoming Digital Operational Resilience Act (DORA), aligning taxonomies and data models to avoid duplication.
Setting impact tolerances
Principle 4 introduces impact tolerances—quantitative or qualitative thresholds for the maximum disruption a bank is willing to tolerate for each critical operation. Banks should consider customer harm, market integrity, safety and soundness, and financial stability. Tolerances must be approved by the board and expressed in measurable terms such as duration, volume, or service level degradation. Impact tolerances complement, but do not replace, risk appetite and regulatory capital requirements.
Implementing impact tolerances requires data collection on historical outages, near misses, and scenario analysis outputs. Banks developed dashboards to track performance against tolerances, enabling escalation when incidents threaten to breach thresholds. Tolerances also inform investment prioritization, ensuring that remediation budgets target operations with the most severe consequences.
Scenario testing and business continuity
Principle 5 elevates scenario testing from periodic exercises to a continuous discipline. Banks must design severe but plausible scenarios that challenge assumptions about resilience, including concurrent events (for example, cyberattack during a pandemic), third-party failures, and geopolitical disruptions. Testing should validate that impact tolerances can be met, identify vulnerabilities, and lead to actionable remediation plans.
Principle 6 updates business continuity expectations. Plans must cover staffing strategies, alternate sites, remote work capabilities, and dependencies on utilities and telecommunications. Banks should integrate learnings from COVID-19, such as prolonged remote operations, supply chain constraints, and cross-border coordination hurdles. Supervisors expect alignment between business continuity plans, crisis management frameworks, and recovery and resolution planning.
Third-party dependencies and ICT risk
Principle 7 focuses on managing third-party and intragroup dependencies. Banks must maintain full inventories of third-party services supporting critical operations, assess concentration risk, and ensure contracts include resilience clauses covering service levels, exit strategies, audit rights, and access to data during disruptions. The PSMOR revisions add depth on ICT risk management, instructing banks to implement secure development practices, vulnerability management, and incident response capabilities consistent with frameworks like NIST CSF and ISO/IEC 27001.
Regulators expect banks to align outsourcing governance with other regimes, such as the European Banking Authority’s outsourcing guidelines and U.S. Federal Reserve SR 13-19. Institutions should conduct periodic resilience assessments of key vendors, including penetration testing, business continuity evaluations, and review of subcontracting arrangements. Banks with significant cloud adoption were advised to develop multi-region deployment strategies, exit plans, and data portability solutions.
Incident management and communications
The principles call for structured incident management frameworks with defined roles, escalation triggers, and post-incident review processes. Banks should maintain playbooks for cyberattacks, technology failures, fraud events, and operational errors, ensuring alignment with regulatory notification requirements. Communication plans must cover internal teams, customers, regulators, and market infrastructures, providing timely updates during disruptions.
Post-incident reviews should document root causes, lessons learned, and remediation actions. Findings must feed into scenario testing cycles and be tracked through governance committees until closure. Regulators now request evidence of such reviews during supervisory examinations.
Rollout plan
To meet the 2023 supervisory expectations, banks initiated multi-year resilience programs:
- Program governance. Establish executive sponsors, program management offices, and cross-functional working groups spanning risk, operations, technology, and compliance.
- Service mapping. Build data models linking critical operations to assets, vendors, and recovery plans. Integrate mapping into change management so updates occur automatically when systems change.
- Impact tolerance setting. Develop methodologies combining quantitative metrics (transaction volumes, recovery time objectives) with qualitative assessments. Present tolerances for board approval and embed them in risk reporting dashboards.
- Scenario testing. Design annual testing calendars covering cyber, third-party, and physical scenarios. Incorporate red-team exercises, tabletop simulations with senior executives, and cross-border coordination with subsidiaries.
- Remediation tracking. Create centralized issue logs, prioritize remediation investments, and monitor progress through key risk indicators (KRIs) and key performance indicators (KPIs).
Banks also aligned capital planning with resilience investments, recognizing that Basel III operational risk capital frameworks reward lower loss experience stemming from strong controls. By embedding operational resilience into strategic planning, banks can better withstand disruptions, satisfy supervisory scrutiny, and maintain trust with customers and market participants.
References
- Principles for Operational Resilience — Bank for International Settlements
- Revised Principles for the Sound Management of Operational Risk — Bank for International Settlements
- Basel Committee sets out principles for operational resilience — Bank for International Settlements