RBI issues guidance note on operational risk management, resilience

All regulated entities (REs) in India should implement a robust information and communication technology (ICT) risk management programme in alignment with their operational risk management framework, the central bank said on Tuesday.

"REs should manage their dependencies on relationships, including those of, but not limited to, third parties (which include intragroup entities), for the delivery of critical operations," the Reserve Bank of India said in its guidance note.

The RBI said all REs must perform a risk assessment and due diligence before entering into any arrangements with third parties or external entities.
 

The REs should also verify whether the third party, including the intragroup entity to these arrangements, has at least an equivalent level of operational resilience to safeguard the RE's critical operations in both normal circumstances and the event of a disruption, the RBI added.

"REs should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the RE's risk appetite and tolerance for disruption," the central bank said.

"REs should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents."