Facebook   LinkedIn   WeChat   YouTube Alert List
Operational resilience

Q1 : What systems and controls should Platform Operators implement to identify, prepare for, respond and adapt to disruptive incidents? 

A:

Platform Operators should implement adequate systems and controls covering the following areas:


1. Governance


Platform Operators should have an effective governance framework in place to set their operational resilience objectives, develop, implement and oversee arrangements and measures to identify on an ongoing basis disruptive incidents which may affect the sound, efficient and effective operations of their business, and respond and adapt to disruptive incidents. Amongst other things:

  • Platform Operators’ senior management assume full responsibility for setting operational resilience objectives and developing and implementing the necessary arrangements and measures. 
  • Designated staff members should monitor the ongoing operational resilience of the Platform Operators’ business units in support of the senior management’s oversight. 
  • The senior management should be provided with sufficient information to enable them to continually and in a timely manner assess matters which may affect the Platform Operators’ operational resilience and consider and approve any necessary adjustments to its operational resilience efforts.

2. Operational risk management

Platform Operators should have an effective operational risk management framework in place to assess the potential impact of disruptions on operations (including people, processes and systems) and compliance matters and manage the resulting risks in accordance with their operational resilience objectives.

Platform Operators should establish and maintain effective policies and procedures to ensure the proper management of operational risks to which they are exposed. They should also conduct comprehensive reviews at suitable intervals to ensure that the risk of losses resulting from operational disruptions is maintained at acceptable and appropriate levels.

3. Information and communication technology (ICT) including cybersecurity

Platform Operators should ensure that their ICT systems are resilient in order to support the sound, efficient and effective operations of their business in the event of disruptions, and that these systems operate in a secure and adequately controlled environment.

Platform Operators should also establish policies and procedures for ensuring the secure operation of their ICT systems to protect the confidential data and information in their possession, and manage cybersecurity risks on an ongoing basis. 

4. Third-party dependency risk management

Platform Operators should identify their dependencies on key third parties, including intragroup entities, for the sound, efficient and effective operations of their business, evaluate the resilience of third-party service providers and manage the resulting risks in accordance with its operational resilience objectives.

Platform Operators should take appropriate steps to identify, contain and manage third-party dependency risks. Reviews should be conducted at suitable intervals and whenever there are changes in key service providers, to ensure that the Platform Operators’ risk of suffering losses, whether financial or otherwise, as a result of third-party dependencies is maintained at acceptable and appropriate levels.

5. Business continuity plan and incident management

Platform Operators should have an effective business continuity plan in place to respond to, adapt to and recover from disruptive incidents and review the plan at least annually to assess whether revisions are necessary in light of any material changes to the Platform Operators’ operations, structure or business. They should also adopt an effective incident management process to identify, assess, rectify and learn from disruptive incidents as well as to prevent their recurrence or mitigate their severity.

Platform Operators should establish and maintain business continuity plans which should: 

(a) address the various disruptive scenarios identified and set out corresponding procedures for activating the plans; and

(b) be reviewed at least annually and whenever necessary, and revised in light of changes to the Platform Operators’ operations, structure or business. The review results should be properly documented. 

Platform Operators should also develop an incident management process, which would be triggered upon the occurrence of a disruptive incident, to address:

(a) the applicable reporting and escalation procedures;

(b) the determination of appropriate actions for responding to the incident;

(c) the identification of the root cause through an analysis of the incident; 

(d) the prevention of the occurrence of a similar incident and the need to mitigate its severity if it does occur; and

(e) the implementation of communication plans to report incidents to internal and external stakeholders, including reporting to the regulator material incidents which affect their clients’ interests and their ability to continue conducting business as usual.

(Key references: Paragraphs 11.6 to 11.9, 11.11, 12.8, 12.10, 12.15, 12.16 to 12.20 of the VATP Guidelines)

Last update: 1 Mar 2024

We use cookies to improve the website performance and user experience. If you continue to use this website, you are agreeing to their uses. Learn more about our privacy policy.