Regulatory Mapping
Nine regimes decomposed into provisions, mapped many-to-many to ORBIT's capabilities and to individual records. Jurisdiction lens: Meridian Commercial Bank — primary US, secondary CA-OSFI, UK-PRA. Expectations are paraphrased, never reproduced verbatim.
The PRA's operational resilience regime: identify important business services, set impact tolerances, map dependencies, test against severe but plausible scenarios, and remain within tolerances by the compliance deadline. The conceptual origin of the IBS model.
Firms must identify the business services whose disruption could threaten safety and soundness, financial stability, or policyholder protection, and keep the inventory current as the business changes.
For each important business service, the firm sets a tolerance defining the maximum tolerable level of disruption — expressed in time and, where relevant, other measures such as volume or value — at the first point where harm becomes intolerable.
Firms must identify and document the people, processes, technology, facilities, and information required to deliver each important business service, sufficient to identify vulnerabilities.
Firms must test their ability to remain within impact tolerances under severe but plausible disruption scenarios, increasing sophistication over time.
Testing and incidents must feed an improvement cycle: identified vulnerabilities are remediated on a prioritized basis with accountable owners.
Firms maintain a written self-assessment of their operational resilience, approved by the board, evidencing the reasoning behind IBS selection, tolerances, and testing outcomes.
The board and senior management own operational resilience outcomes; clear accountability (SMF alignment) and management information support effective oversight.
Firms were expected to have identified IBS, set tolerances and started mapping/testing by March 2022, and to remain within tolerances as soon as reasonably practicable and by March 2025.