Imagine a world where financial institutions are not just resilient, but operationally resilient, equipped to navigate disruptions and emerge stronger. This is the vision the Central Bank of Ireland (CBI) has for the MiFID investment firm sector. But here's where it gets controversial: the CBI's recent thematic assessment reveals a mixed bag of results, with some firms excelling and others falling short.
The CBI defines operational resilience as the ability of firms and the financial sector to anticipate, respond, adapt, recover, and learn from operational disruptions affecting critical business services. In simple terms, it's about being prepared for the unexpected and ensuring business continuity.
The CBI's guidance, published in 2021 and updated in 2025 to align with the Digital Operational Resilience Act (DORA), aims to enhance this resilience. It sets out clear expectations for firms to have robust frameworks in place, with boards and senior management taking accountability.
And this is the part most people miss: the assessment's findings. While many MiFID firms met the CBI's expectations, some critical gaps were identified. These included issues with identifying and mapping critical business services, scenario testing, and alignment with existing risk management frameworks.
For instance, the CBI noted that certain mapping exercises lacked the necessary detail, hindering firms' ability to identify vulnerabilities and develop effective remediation plans. It's like trying to build a house without a solid foundation - the structure is bound to fail.
So, what's next? The CBI expects all MiFID firms to revisit their compliance with the guidance, especially the DORA updates. They've highlighted specific guidelines for firms to focus on, including identifying critical business services, understanding their delivery, and capturing third-party dependencies.
But the CBI's focus isn't just on DORA. They've made it clear that cyber and digital operational resilience remain key priorities. With technology evolving rapidly and threats becoming more sophisticated, firms must strengthen their resilience frameworks, especially in these areas.
The CBI's message is clear: firms must act now to review and enhance their operational resilience frameworks. It's a complex and dynamic environment out there, and the CBI wants firms to be prepared for further supervisory engagement.
At Arthur Cox, we have the expertise to guide regulated firms through this journey. If you're reassessing your operational resilience frameworks, we'd love to help. Let's work together to ensure your firm is not just resilient, but future-proof.
