2021-12-14

D10/2021 Directive on Operational Resilience

The Prudential Authority directs South African banks, foreign branches, and controlling companies to assess their operational resilience frameworks against the Basel Committee on Banking Supervision’s principles. Institutions must adopt a risk-based approach, address all resilience requirements internally or via third parties without delay, and align these measures with existing risk management processes and recovery plans. Full compliance with the directive’s enhanced governance standards is required within eighteen months of publication.

South Africa

South African Reserve Bank

P O Box 427 Pretoria 0001 South Africa
370 Helen Joseph Street Pretoria 0002
+27 12 313 3911 / 0861 12 7272
www.resbank.co.za

Ref.: 15/8/1/3
D10/2021

To: All banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies

Directive issued in terms of section 6(6) of the Banks Act, 1990

Principles for operational resilience

Executive summary

Emerging, complex and inter-connected business models expose organisations to new and evolving risks. Recent events such as natural disasters, pandemics, technology failures and cyber-attacks have demonstrated the consequences of operational failures in a more connected world.

Banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as 'banks') are required to have in place an enterprise-wide and systematic approach to operational resilience in order to adapt to the changing environment and to sustain core business services.

In March 2021 the Basel Committee on Banking Supervision (BCBS) issued a paper on principles for operational resilience[1]. The principles aim to strengthen banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets. The principles contained in the BCBS paper must not be considered in isolation, but rather be consolidated as part of a bank’s enterprise-wide risk management framework.

This directive serves to direct banks to consider the adequacy and robustness of the banks’ current policies, processes and practices related to operational resilience, against the best practices contained in the BCBS paper on principles for operational resilience.

[1] Available online at https://www.bis.org/bcbs/publ/d516.pdf

1. Introduction

1.1 In March 2021, the BCBS issued a paper on principles for operational resilience.

1.2 The paper outlines principles that are organised across the following seven categories:
  1.2.1 governance;
  1.2.2 operational risk management;
  1.2.3 business continuity planning and testing;
  1.2.4 mapping of interconnections and interdependencies of critical operations;
  1.2.5 third-party dependency management;
  1.2.6 incident management; and
  1.2.7 resilient information and communication technology (ICT), including cyber security.

1.3 The principles are required to be applied on a consolidated basis and also form an integral part of a bank’s forward-looking operational resilience approach in line with its operational risk appetite and tolerance for disruption.

1.4 Regulation 39 of the Regulations relating to Banks (Regulations) requires all banks to establish and maintain a robust process of corporate governance that is consistent with the nature, complexity and risk inherent in the bank's on-balance sheet and off-balance sheet activities and that responds to changes in the bank's environment and conditions. This process includes the maintenance of effective risk management and capital management by the bank. In order to achieve the objective relating to the maintenance of effective risk management and capital management, every bank is required to have in place comprehensive risk management processes, practices and procedures, and board-approved policies.

1.5 Consequently, operational resilience must form an integral part of the enterprise risk management processes, practices and procedures, and board-approved policies of banks.

1.6 Regulation 38(4) of the Regulations states that when the Prudential Authority is of the opinion that a bank’s policies, processes and procedures relating to operational resilience are inadequate, the PA, among other things, may require the said bank to:
  1.6.1 maintain additional capital, calculated in such a manner and subject to such conditions as may be specified in writing by the PA; or
  1.6.2 duly align the bank’s operational resilience policies, processes, or procedures with the bank’s relevant exposure to risk.

1.7 The PA is of the opinion that the principles, as set out in the BCBS paper, are applicable to the banking industry in South Africa.

2. Directive

2.1 Based on the aforesaid, and in accordance with the provisions of section 6(6) of the Banks Act 94 of 1990, banks are hereby directed as follows:
  2.1.1 Banks must assess the adequacy and robustness of their current policies, processes and practices against the principles for operational resilience issued by the BCBS.
  2.1.2 All operational resilience controls implemented by the bank must follow a risk-based approach that is aligned with the bank's risk appetite, based on the nature, size and complexity of its operations.
  2.1.3 Banks must ensure that all principles contained in the BCBS paper are addressed either through internal resources or by means of outsourcing/third party agreements without undue delay.
  2.1.4 Existing risk management frameworks, business continuity plans and third-party dependency management must be implemented consistently within the bank.
  2.1.5 Banks must consider whether its operational resilience approach is appropriately harmonised with the stated actions, organisational mappings, and definitions of critical functions and critical shared services contained in its recovery and resolution plans.

2.2 All banks must comply with the respective requirements specified in this Directive within 18 months of the publication date.

3. Acknowledgement of receipt

3.1 Kindly ensure that a copy of this Directive is made available to your institution’s external auditors. The attached acknowledgement of receipt duly completed and signed by both the chief executive officer of the institution and the said auditors should be returned to the PA at the earliest convenience of the aforementioned signatories.

Kuben Naidoo
Deputy Governor and CEO: Prudential Authority
Date: 2021-12-14

The previous Directive issued was Directive 9/2021, dated 12 November 2021