Skip to main content
Version date: 25 April 2024 - onwards
Version 2 of 2

Principle 25 - Operational risk and operational resilience (paras. 40.56-40.58) (effective as of 25 April 2024)

40.56 Principle 25: [Reference documents: FSB, Enhancing third-party risk management and oversight: a toolkit for financial institutions and financial authorities, December 2023; BCBS, High-level considerations on proportionality, July 2022; BCBS, Principles for the effective management and supervision of climate-related financial risks, June 2022; BCBS, Revisions to the principles for the sound management of operational risk, March 2021; BCBS, Principles for operational resilience, March 2021; BCBS, Cyber resilience: range of practices, December 2018; BCBS, Sound practices implications of fintech developments for banks and bank supervisors, February 2018; FSB, Guidance on identification of critical functions and critical shared services, July 2013; BCBS, Recognising the risk-mitigating impact of insurance in operational risk modelling, October 2010; BCBS, High-level principles for business continuity, August 2006; BCBS, Outsourcing in financial services, February 2005.] The supervisor determines that banks have an adequate operational risk [Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.] management framework and operational resilience [Operational resilience refers to the ability of the bank to deliver critical operations through disruption.