Imagine a world where financial services firms are resilient, adaptable, and prepared for any disruption. Sounds ideal, right? Well, the Central Bank of Ireland (CBI) is taking steps to make this a reality. In a recent assessment, they've evaluated how MiFID investment firms are implementing operational resilience measures. But here's where it gets controversial: some firms are falling short, and the CBI has identified key areas for improvement.
The CBI defines operational resilience as a firm's ability to anticipate, respond to, and recover from disruptions affecting critical business services. It's all about ensuring the financial sector as a whole can weather any storm. The CBI's guidance, published in 2021 and updated in 2025 to align with the Digital Operational Resilience Act (DORA), aims to enhance this resilience.
The assessment's key objectives were to determine whether firms had implemented the CBI's expectations and whether their boards and senior management were accountable for operational resilience frameworks. The results were a mix of positives and areas for enhancement.
On the positive side, many MiFID firms had operational resilience frameworks aligned with the CBI's guidance and expectations. Most firms had their boards ultimately responsible, with appropriate delegation to committees and senior management. The CBI also noted good practices in regular management reporting and challenge at the board level.
However, there were some deficiencies. The CBI recommended enhancements in the identification and mapping of critical business services, scenario testing, and alignment with existing risk management frameworks.
In terms of mapping, some exercises lacked the necessary detail, hindering firms' ability to identify vulnerabilities and develop effective remediation plans. The CBI emphasized that operational resilience is an evolution of operational risk and business continuity management, and therefore should align with existing frameworks in these areas.
Looking ahead, the CBI expects all MiFID firms to revisit their compliance with the guidance, including the DORA updates. They've highlighted specific guidelines for attention, focusing on identifying and mapping critical business services and capturing third-party dependencies.
While the assessment didn't specifically focus on DORA or cyber resilience, the CBI considers these areas key priorities. They plan to conduct further supervisory work in 2026-2027, recognizing the increasing complexity and dynamism of the operating environment. With rapid technological evolution and sophisticated threats, the CBI expects firms to strengthen their operational resilience, particularly in cyber and digital operational resilience, to ensure they can recover from disruptions and protect customers.
Firms should take note and review their operational resilience frameworks now. At Arthur Cox, our team has extensive experience advising regulated firms on operational resilience, cyber security, and associated regulatory requirements. If you're updating your frameworks, we'd be delighted to help.
So, what do you think? Are these expectations realistic? How can firms balance the need for resilience with the challenges of an evolving landscape? We'd love to hear your thoughts in the comments!
