Synchronise board governance with risk oversight and resilience
This 3,250-word guide equips boards, CROs, and COOs with the workflows, controls, and reporting cadences required to comply with Basel Committee BCBS 239, the Principles for Operational Resilience, ECB internal model expectations, Federal Reserve SR 21-3, and OCC heightened standards.
Updated with DORA oversight implications, IOSCO resilience case studies, and board reporting scorecards tuned to PRA, OCC, and OSFI expectations.
Executive summary
Boards are facing intensified scrutiny from supervisors demanding demonstrable control over risk data, resilience, and third-party exposure. The Basel Committee’s Principles for effective risk data aggregation and risk reporting (BCBS 239) require banks to maintain accuracy, completeness, timeliness, and adaptability in risk data infrastructure, placing responsibility squarely on the board and senior management (BCBS 239, January 2013). The Committee’s Principles for operational resilience extend governance expectations, obliging boards to set tolerance levels, oversee scenario testing, and integrate resilience into strategic planning (Basel Committee Principles for Operational Resilience, March 2021). The European Central Bank’s Guide to internal models emphasises board accountability for model risk governance, validation independence, and data quality (ECB Guide to internal models, July 2020).
In the United States, Federal Reserve Supervisory Letter SR 21-3 consolidates expectations for boards of directors, highlighting oversight of risk management, internal controls, and strategic planning for large financial institutions (Federal Reserve SR 21-3, February 2021). The Office of the Comptroller of the Currency’s heightened standards (12 CFR Part 30, Appendix D) require banks to implement risk governance frameworks with independent risk management and internal audit functions reporting directly to the board (OCC Bulletin 2014-52, September 2014). The European Banking Authority’s Guidelines on internal governance reinforce similar expectations, mandating clear allocation of responsibilities, risk culture programmes, and robust information flows (EBA Guidelines on internal governance, July 2021).
This guide synthesises these mandates into a cohesive operating model for governance, risk, and oversight. It defines regulatory drivers, operational controls, tooling architectures, performance metrics, and horizon scanning priorities so boards can evidence their stewardship. Internal Zeph Tech briefings provide additional analysis for supervisory dialogues and implementation playbooks.
Regulatory context
Each supervisory framework places specific obligations on boards and senior management. Understanding the nuances allows organisations to design governance frameworks that satisfy all stakeholders.
Basel Committee: BCBS 239 and operational resilience
BCBS 239 outlines fourteen principles covering governance, risk data aggregation capabilities, risk reporting practices, and supervisory review (BCBS 239, January 2013). Principle 1 requires a strong governance framework with board ownership of risk data aggregation capabilities. Principle 2 mandates data architecture and IT infrastructure capable of supporting risk aggregation across the organisation. Principles 3–6 demand accuracy, completeness, timeliness, and adaptability of risk data. Principle 7 emphasises accuracy of reporting, while Principle 9 requires comprehensive board reporting. Supervisors assess compliance during on-site inspections and can impose remediation timelines.
The Basel Committee’s Principles for operational resilience define seven principles spanning governance, operational risk management, business continuity, third-party dependency management, scenario analysis, incident management, and ICT (Basel Committee Principles for Operational Resilience, March 2021). Boards must set resilience objectives aligned with risk appetite, oversee testing, and ensure lessons from incidents are integrated into strategic planning.
European Central Bank and European Banking Authority
The ECB’s Guide to internal models provides expectations for banks using internal models to calculate regulatory capital. Chapter 1 emphasises governance, requiring management bodies to approve model strategies, ensure adequate resources, and maintain independent validation (ECB Guide to internal models, July 2020). The guide stresses data quality, model change policies, and reporting to boards. The ECB’s annual supervisory priorities for 2025 include improving data aggregation, operational resilience, and climate risk capabilities, reinforcing board accountability.
The EBA Guidelines on internal governance apply to credit institutions and investment firms, outlining requirements for management bodies, internal control frameworks, risk culture, and information flow (EBA Guidelines on internal governance, July 2021). Section 24 emphasises the need for comprehensive management information systems providing timely, accurate, and relevant information to boards. Section 27 requires internal control functions to have direct access to the board and audit committee.
UK supervisors echo these expectations. The Prudential Regulation Authority’s Supervisory Statement SS1/21 on operational resilience requires boards to identify important business services, set impact tolerances, and perform scenario testing to remain within tolerances (PRA SS1/21, March 2021). The UK Financial Reporting Council’s 2018 Corporate Governance Code obliges boards to establish robust risk management systems and disclose how culture is monitored, reinforcing the need for evidence-based oversight (UK Corporate Governance Code, 2018).
U.S. prudential regulators
Federal Reserve SR 21-3 consolidates supervisory expectations for large financial institution boards, focusing on oversight effectiveness, risk management, and internal controls (Federal Reserve SR 21-3, February 2021). It emphasises board responsibilities for setting strategy, aligning risk appetite, overseeing senior management, and supporting risk management and internal control frameworks. The letter references prior guidance, including SR 12-17 on consolidated supervision and SR 08-8 on compliance risk management.
The OCC’s heightened standards (Appendix D to 12 CFR Part 30) apply to large national banks and federal savings associations, requiring a written risk governance framework with three lines of defence, independent risk management, and internal audit (OCC Bulletin 2014-52, September 2014). Boards must approve the framework, set risk appetite, and ensure escalation protocols. The standards also mandate annual independent reviews and board-level reporting on risk profile, breaches, and remediation.
Canadian regulators provide similar guidance. The Office of the Superintendent of Financial Institutions’ Guideline B-10 on Third-Party Risk Management requires boards to approve third-party strategies, oversee risk assessments, and ensure contingency plans for critical service providers, mirroring OCC expectations (OSFI Guideline B-10, April 2023). Guideline E-21 on Operational Risk Management also emphasises board oversight of risk appetite and independent assurance (OSFI Guideline E-21, December 2021).
Global developments
Supervisory focus on climate risk, third-party dependencies, and cyber resilience continues to evolve. The Basel Committee is developing metrics for climate-related financial risks, while the ECB integrates climate stress testing into supervisory expectations. U.S. regulators issued interagency guidance on third-party risk management in June 2023, reinforcing the need for governance over vendor risk throughout the lifecycle. Boards must integrate these themes into oversight agendas.
Operational controls
Translating supervisory expectations into operational controls requires structured governance, rigorous risk management processes, and robust reporting. The following components form the backbone of an effective oversight framework.
Board governance and committees
Define board committee charters that align with BCBS 239, operational resilience principles, and prudential standards. The risk committee should oversee risk appetite statements, aggregation capabilities, stress testing, and resilience metrics. The audit committee should monitor internal control effectiveness, internal audit coverage, and remediation progress. Committees should receive management information packages that satisfy EBA Section 24 requirements for timeliness and relevance (EBA Guidelines on internal governance, July 2021).
Schedule deep-dive sessions on operational resilience scenarios, model risk management, and third-party dependencies. Document board challenge, decisions, and follow-up actions in minutes that link to risk appetite statements and supervisory commitments.
Create annual board education plans referencing regulatory updates, supervisory findings, and emerging risks. Track attendance and comprehension through knowledge assessments and follow-up workshops. Provide directors with curated reading packs summarising Basel Committee papers, ECB speeches, and domestic regulatory developments to maintain situational awareness.
Risk appetite and tolerance
Develop risk appetite statements covering credit, market, liquidity, operational, conduct, model, and strategic risks. Align thresholds with Basel operational resilience tolerances and OCC heightened standards. Ensure statements include qualitative and quantitative measures, escalation triggers, and breach protocols. Review and approve statements annually, with interim updates for material changes in business strategy or risk profile.
Risk data aggregation and reporting
Implement data governance structures that satisfy BCBS 239 Principles 1–6. Maintain a risk data architecture inventory detailing systems, data owners, data quality controls, and lineage. Automate reconciliations between risk and finance data to ensure accuracy and completeness. Establish data quality scorecards measuring completeness, timeliness, and reconciliation breaks, and escalate breaches to the risk committee (BCBS 239, January 2013).
Design board reporting dashboards that integrate risk exposures, key risk indicators (KRIs), stress results, and resilience metrics. Ensure reporting is timely (daily for critical risks, weekly for standard dashboards) and includes commentary on emerging risks, limit breaches, and mitigation plans. Embed drill-through functionality allowing directors to view underlying data lineage and controls.
Support multi-jurisdictional oversight by tagging reports with applicable regulatory references (e.g., BCBS 239 Principle 9, SR 21-3 board expectations, PRA SS1/21 tolerance statements) so directors can evidence compliance quickly during supervisory dialogues. Maintain a repository of board inquiries and management responses to demonstrate active challenge.
Implement a formal issues management workflow that routes board-raised questions to accountable executives with defined response timelines, evidence requirements, and closure criteria. Track status through dashboards that show overdue actions, dependency risks, and resource constraints. Share periodic summaries with the board to confirm that concerns were addressed and incorporated into policy updates or control redesign.
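As an added example (not code from this guide or from any of the frameworks it cites), the following Python sketch computes a BCBS 239 style data quality scorecard over constructed risk and finance exposure extracts for one reporting cut-off: it scores completeness (Principle 4), timeliness (Principle 5) and risk/finance reconciliation breaks (Principle 3), and flags escalation to the risk committee when a threshold is breached. The thresholds, tolerance, field names and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("counterparty", "exposure", "currency", "as_of")

# Assumed thresholds: a real programme takes these from the board-approved
# risk data policy, not from the code.
MIN_COMPLETENESS = 0.98   # share of records with every required field populated
MIN_TIMELINESS = 0.95     # share of complete records refreshed within max_age of cut-off
MAX_BREAK_RATE = 0.02     # share of complete records failing risk/finance reconciliation
RECON_TOLERANCE = 0.005   # 0.5 % relative difference tolerated between risk and finance


@dataclass(frozen=True)
class Scorecard:
    completeness: float
    timeliness: float
    break_rate: float
    breaks: tuple      # (counterparty, risk_exposure, finance_exposure or None)
    findings: tuple    # (BCBS 239 principle, message) pairs that breach a threshold
    escalate: bool     # True when any threshold is breached


def is_complete(record):
    return all(record.get(f) not in (None, "") for f in REQUIRED_FIELDS)


def is_timely(record, cutoff, max_age):
    return cutoff - record["as_of"] <= max_age


def reconciles(risk_amt, fin_amt, tol=RECON_TOLERANCE):
    base = max(abs(risk_amt), abs(fin_amt), 1.0)
    return abs(risk_amt - fin_amt) / base <= tol


def build_scorecard(risk_rows, finance_totals, cutoff, max_age=timedelta(hours=24)):
    complete = [r for r in risk_rows if is_complete(r)]
    completeness = len(complete) / len(risk_rows) if risk_rows else 0.0
    timely = [r for r in complete if is_timely(r, cutoff, max_age)]
    timeliness = len(timely) / len(complete) if complete else 0.0
    # A counterparty missing from the finance ledger is itself a break.
    breaks = []
    for r in complete:
        fin = finance_totals.get(r["counterparty"])
        if fin is None or not reconciles(r["exposure"], fin):
            breaks.append((r["counterparty"], r["exposure"], fin))
    break_rate = len(breaks) / len(complete) if complete else 0.0

    findings = []
    if completeness < MIN_COMPLETENESS:
        findings.append(("Principle 4", f"completeness {completeness:.1%} below {MIN_COMPLETENESS:.0%}"))
    if timeliness < MIN_TIMELINESS:
        findings.append(("Principle 5", f"timeliness {timeliness:.1%} below {MIN_TIMELINESS:.0%}"))
    if break_rate > MAX_BREAK_RATE:
        findings.append(("Principle 3", f"{len(breaks)} reconciliation break(s), rate {break_rate:.1%}"))
    return Scorecard(completeness, timeliness, break_rate, tuple(breaks), tuple(findings), bool(findings))


def sample_scorecard():
    """Constructed extracts: one incomplete row, one stale row, one reconciliation break."""
    cutoff = datetime(2025, 1, 31, 18, 0)
    risk_rows = [
        {"counterparty": "CP-A", "exposure": 1_000_000.0, "currency": "EUR", "as_of": cutoff - timedelta(hours=2)},
        {"counterparty": "CP-B", "exposure": 250_000.0, "currency": "USD", "as_of": cutoff - timedelta(hours=30)},
        {"counterparty": "CP-C", "exposure": 500_000.0, "currency": "", "as_of": cutoff - timedelta(hours=1)},
        {"counterparty": "CP-D", "exposure": 750_000.0, "currency": "GBP", "as_of": cutoff - timedelta(hours=1)},
        {"counterparty": "CP-E", "exposure": 120_000.0, "currency": "EUR", "as_of": cutoff - timedelta(hours=5)},
    ]
    finance_totals = {"CP-A": 1_000_000.0, "CP-B": 250_500.0, "CP-C": 500_000.0,
                      "CP-D": 772_500.0, "CP-E": 120_000.0}
    return build_scorecard(risk_rows, finance_totals, cutoff)


if __name__ == "__main__":
    sc = sample_scorecard()
    for principle, msg in sc.findings:
        print(f"{principle}: {msg}")
    print("escalate to risk committee:", sc.escalate)
```

Each finding carries the principle reference so the scorecard line can be tagged the same way the guide recommends for board reports.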
Operational resilience controls
Align resilience programmes with Basel principles by identifying critical operations, mapping interdependencies, and setting tolerance levels for disruption (Basel Committee Principles for Operational Resilience, March 2021). Conduct scenario analyses covering cyber incidents, third-party outages, and physical disruptions. Document lessons learned and integrate them into strategic planning, budget allocations, and technology roadmaps.
Coordinate resilience testing with ECB expectations for internal model governance and with U.S. regulators’ focus on business continuity. Align third-party risk management with the OCC’s requirement for ongoing monitoring, contract management, and contingency planning (OCC Bulletin 2014-52, September 2014).
Incorporate cross-border crisis management groups and resolution planning into resilience exercises. Engage with host supervisors to validate playbooks, ensuring alignment with Financial Stability Board guidance on crisis management groups and recovery planning. Record outcomes, remediation tasks, and accountability owners for each test.
Model risk management
Establish model risk frameworks that satisfy the ECB guide and Federal Reserve expectations. Maintain an enterprise model inventory with classification by materiality, usage, and owner. Ensure independent model validation with documented methodologies, testing results, limitations, and recommendations (ECB Guide to internal models, July 2020). Implement model performance monitoring with thresholds for recalibration, redevelopment, or retirement.
Report model risk metrics to the board, including validation status, remediation progress, and model changes. Align U.S. operations with SR 11-7 (referenced in SR 21-3) expectations for model risk management, ensuring board awareness of limitations and compensating controls.
Augment oversight with independent model risk reviews commissioned periodically from external experts, especially for high-impact models such as IRB credit models, IFRS 9 expected credit loss models, and advanced market risk engines. Document scope, findings, and board challenge, and integrate recommendations into remediation tracking tools.
Third-party risk oversight
Implement third-party governance aligned with Basel operational resilience Principle 5 and OCC heightened standards. Maintain a complete inventory of third parties, categorised by criticality and service type. Conduct due diligence covering financial stability, cyber security, regulatory compliance, and concentration risk. Document contract clauses addressing audit rights, data protection, and termination assistance (Basel Committee Principles for Operational Resilience, March 2021; OCC Bulletin 2014-52, September 2014).
Establish monitoring dashboards tracking service level agreements, incident reports, audit findings, and remediation. Integrate third-party risk into overall risk appetite statements and escalate breaches to the board.
Link third-party governance to OSFI B-10 and PRA SS2/21 outsourcing expectations for entities operating in Canada or the UK. Capture cross-border regulatory notifications, contract exit strategies, and sub-outsourcing approvals. Provide boards with heat maps showing critical service dependencies and jurisdictional obligations.
Risk culture and remediation
EBA guidelines emphasise risk culture programmes that promote accountability, challenge, and openness (EBA Guidelines on internal governance, July 2021). Implement culture assessments, training, and whistleblowing channels. Track remediation plans for audit and supervisory findings, ensuring timely closure and verification. Provide periodic updates to the board on risk culture indicators, such as survey results, disciplinary actions, and escalation volumes.
Tooling
Technology enables consistent oversight and traceability. Tooling should integrate data aggregation, reporting, resilience management, and supervisory engagement.
Risk data platforms
Deploy risk data platforms capable of ingesting data from finance, trading, operations, and third-party systems. Ensure platforms support data lineage, reconciliation, and quality controls aligned with BCBS 239. Implement metadata repositories that record data definitions, transformation logic, and ownership. Provide sandbox environments for stress testing and scenario analysis aligned with Basel resilience principles.
Board reporting suites
Implement board reporting suites that deliver interactive dashboards, narrative commentary, and drill-down to supporting evidence. Include features for secure collaboration, agenda management, and decision tracking. Integrate with document management systems to archive board packs, questions, and responses, supporting supervisory examinations.
Resilience management tools
Adopt resilience management platforms that map critical services, dependencies, technology assets, and third parties. Configure scenario testing modules, incident response workflows, and impact tolerance tracking. Align outputs with Basel operational resilience principles and national regulatory reporting formats. Automate evidence collection for testing results, lessons learned, and remediation actions.
Model governance systems
Leverage model lifecycle management systems to track model development, validation, approvals, and performance monitoring. Configure alerts for upcoming validations, parameter breaches, and documentation updates. Provide audit trails showing compliance with ECB governance expectations and U.S. SR 11-7 requirements. Integrate with data catalogues to ensure input data quality and lineage.
Regulatory engagement and commitments
Maintain regulatory engagement platforms capturing supervisory findings, remediation commitments, and submission deadlines. Track correspondence with the ECB, Federal Reserve, OCC, and other authorities. Link actions to responsible owners, budgets, and milestones. Provide dashboards summarising status for board oversight.
Integrate obligations tracking with enterprise risk management systems so that regulatory commitments influence risk appetite calibration, capital planning, and resolution planning. Store copies of supervisory letters, board responses, and evidence packages to demonstrate timely compliance during examinations.
Metrics and reporting
Boards require a balanced metrics suite covering risk profile, resilience, data quality, and governance effectiveness. Metrics must align with regulatory expectations and support proactive decision-making.
Risk profile and appetite adherence
Monitor key risk indicators for each risk category relative to appetite thresholds. Include exposure metrics (e.g., credit concentration, market VaR, liquidity coverage ratios), limit utilisation, and breaches. Provide scenario analysis outputs showing projected performance under stress, aligned with Basel and ECB requirements.
Data quality and aggregation metrics
Track completeness, accuracy, timeliness, and reconciliation rates for risk data. Report the number of manual adjustments required for board reports, lineage gaps, and system outages affecting data availability. Highlight progress on remediation actions linked to BCBS 239 findings.
Benchmark data quality performance against peer institutions by leveraging supervisory benchmarking exercises or industry utilities. Present trend charts showing improvements in reconciliation break reduction, automated data feeds, and manual adjustment elimination.
Resilience and incident metrics
Measure incident frequency, severity, recovery times, and adherence to tolerance levels. Track completion of resilience testing scenarios, outstanding remediation, and dependency mapping coverage. Include third-party incident statistics and contract compliance.
Incorporate near-miss analysis, capturing events that did not breach impact tolerances but revealed vulnerabilities. Document corrective actions, owner accountability, and time-to-close. Provide boards with summaries of external incidents (e.g., industry outages) to contextualise internal resilience performance.
Model risk metrics
Report validation status, number of models with outstanding issues, timeline for remediation, and performance monitoring results. Include backtesting outcomes and overrides, ensuring the board understands residual model risk.
Governance effectiveness and culture
Track board meeting attendance, training completion, challenge instances, and time-to-close supervisory findings. Monitor risk culture indicators such as employee survey results, whistleblower cases, and disciplinary actions. Align reporting with EBA expectations for information flow and culture programmes (EBA Guidelines on internal governance, July 2021).
Supplement quantitative metrics with qualitative assessments such as independent board effectiveness reviews, director peer feedback, and culture interviews. Present results alongside action plans, deadlines, and responsible owners so regulators can see that insights translate into tangible governance enhancements.
Global regulatory alignment for board oversight
Operational resilience expectations now span multiple jurisdictions and require directors to evidence integrated risk governance. The EU’s Digital Operational Resilience Act obliges financial entities to maintain ICT risk management frameworks, classify critical functions, conduct threat-led penetration testing, and report major incidents within tight timelines, all under direct board accountability (Regulation (EU) 2022/2554, DORA). U.S. prudential regulators expect similar rigour: Federal Reserve SR 21-3 stresses senior management oversight of third-party risk, resilience testing, and incident escalation, while the OCC’s heightened standards require large banks to maintain risk governance frameworks with clear board roles (Federal Reserve SR 21-3; OCC Bulletin 2014-52).
Canada’s OSFI Guideline B-10 updates third-party risk expectations by requiring boards to approve risk appetite, review material outsourcing arrangements, and monitor resilience metrics for critical suppliers (OSFI Guideline B-10, 2023). The Basel Committee’s Principles for Operational Resilience reinforce these obligations by emphasising board-approved tolerance statements, scenario testing, and cross-functional crisis management (BCBS Principles for Operational Resilience). Align your oversight calendar with these publications to ensure the board receives timely updates on resilience metrics, third-party dependencies, and incident response readiness.
Case studies reinforcing governance expectations
The PRA and FCA’s joint £48.65 million fine against TSB Bank following its 2018 migration incident highlighted deficient board oversight of outsourcing, change management, and resilience testing (PRA enforcement action against TSB). Regulators stressed that boards must challenge management on scenario planning, service continuity, and customer communications.
In the United States, the OCC’s 2023 enforcement action against Citibank required the bank to remedy data governance, risk reporting, and operational resilience weaknesses identified during supervisory examinations (OCC Consent Order against Citibank, 2023). The order mandates board oversight of transformation programmes, milestone tracking, and independent validation of remediation outcomes.
Singapore’s Monetary Authority imposed additional capital requirements on DBS Bank after repeated digital banking outages, citing shortcomings in risk governance, incident escalation, and board monitoring of service availability (MAS supervisory actions on DBS Bank). Boards should use this example to assess their own crisis dashboards, escalation protocols, and accountability frameworks.
Board scorecards and assurance tooling
Construct board scorecards that link BCBS 239 risk data aggregation requirements with resilience, cyber, and third-party metrics. Include indicators for data quality, lineage, and timeliness to demonstrate compliance with BCBS 239 principles (BCBS 239). Supplement these metrics with incident reporting timelines aligned to the Financial Stability Board’s Cyber Incident Reporting Toolkit, ensuring directors can assess whether regulatory notifications were triggered on time and whether remediation plans reflect scenario testing outcomes (FSB Cyber Incident Reporting Toolkit).
Adopt assurance tooling—such as GRC platforms, model risk management systems, and operational resilience dashboards—that integrates with data lineage, change management, and service mapping repositories. Ensure the audit committee receives automated evidence packs summarising control effectiveness, independent validation results, and regulatory exam feedback. Where DORA or OSFI B-10 require board attestations, use digital signatures and versioned documentation to prove review dates, signatories, and challenge outcomes.
Oversight cadence and escalation protocols
Define an oversight calendar that coordinates board, risk committee, audit committee, and technology committee agendas. Align quarterly sessions to review resilience scenarios, third-party concentration risk, climate risk exposures, and digital transformation milestones. Use monthly dashboards to surface key risk indicators (KRIs) such as service availability, incident severity, regulatory findings, and policy exceptions. Ensure escalation protocols align with SR 21-3 and DORA notification timelines, with pre-defined playbooks for informing regulators, investors, and customers.
Integrate executive remuneration, accountability frameworks, and director training into the cadence. The UK’s Senior Managers and Certification Regime, MAS’s Individual Accountability and Conduct Guidelines, and OSFI’s culture risk expectations all reinforce the need to document responsibilities and evaluate performance against governance objectives (FCA Senior Managers & Certification Regime; MAS Individual Accountability Guidelines).
Future watchlist
Boards should monitor forthcoming developments to keep oversight frameworks aligned with emerging expectations.
- Basel Committee climate risk guidance. The Basel Committee’s 2024 consultation on climate-related financial risk scenarios will influence risk appetite statements, stress testing, and board reporting.
- ECB digital transformation priorities. The ECB’s 2025 supervisory priorities emphasise digitalisation and data management, requiring boards to oversee technology investments and data governance enhancements (ECB Guide to internal models, July 2020).
- U.S. interagency third-party risk management guidance implementation. The June 2023 joint guidance from the Federal Reserve, FDIC, and OCC requires alignment of third-party governance with life-cycle management, resilience testing, and termination strategies.
- EBA Guidelines on ICT and security risk management updates. The EBA plans to update its ICT guidelines to align with DORA, affecting board oversight of technology risk.
- Global resolution and recovery planning. Updates to recovery and resolution planning expectations will require boards to integrate playbooks with resilience and risk reporting frameworks.
Consult Zeph Tech’s Basel climate risk disclosure briefing and third-party risk harmonisation guidance for ongoing updates.