“Operational resilience is of paramount importance to the Central Bank and we expect all firms to have adequate systems and controls in place to ensure operational resilience”.
This is a statement from the Central Bank, in response to a recent outage at one of Ireland’s largest credit unions.
The outage arose while the organisation attempted to migrate to a new IT system. According to this report in the Irish Independent, the problem meant 50,000 customers were unable to access their online accounts for a number of days.
The Central Bank is now investigating the incident.
The incident is a reminder that Operational Resilience isn’t just about IT security risks.
In the words of the Central Bank, “operational resilience [is] the ability of a firm [...] to identify and prepare for, respond and adapt to, recover and learn from an operational disruption. An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers.”
While DORA will not apply to Irish credit unions in January 2025, the Central Bank’s Cross Industry Guidance on Operational Resilience does.
It’s a big challenge, because:
- Credit unions do not have the resources of larger financial institutions.
- They also rely heavily on third-party IT service providers that can lack the resources (or risk management maturity) of the large service providers used by bigger regulated firms.
- And even with all these resources, the bigger firms aren’t always A-grade at operational resilience anyway, as proven by Ulster Bank’s epic outage of 2012 and Bank of Ireland’s numerous outages over the years (with the latest one only a few months ago).
Hopefully, the Central Bank will be mindful of this reality when assessing whether the actions taken by the credit union “to identify and prepare for [and] respond and adapt to [this] operational disruption” were proportionate and reasonable.