We aim to deliver sectorwide operational resilience improvements to benefit the safety and security of customers through trusted and effective collaboration.

Welcome to the CMORG Artefact library

This brings together all CMORG outputs that are accessible to industry participants. You can register to access all of these here, but to receive a response, you must provide an industry email address and be a direct industry participant.

Technology and cyber
Third Party Critical Vulnerability Response Playbook
This playbook is a Cross Market Operational Resilience Group (CMORG) capability, delivered under the governance of the CMORG Cyber Coordination Group in collaboration with the Financial Sector Cyber Collaboration Centre (FSCCC). It is intended to support effective sector coordination and information sharing in response to a major third party zero day or critical vulnerability.

The playbook is aligned with FSCCC strategic objectives to define collaborative methods between members to improve industry’s ability to respond to cyber threats and/or incidents with actual or potential systemic impacts to the UK financial sector.
CMORG Meeting Minutes
Please find here the meeting minutes for CMORG meetings to inform firms and groups of the discussions and decisions made at the CMORG group level.
CMORG Portfolio
Please find here the latest portfolio of workstreams overseen by CMORG. This is to support firms and groups in understanding the wider portfolio of activity and the work being developed across CMORG, and to promote engagement with these workstreams.
Guidance for Firm Operational Resilience
The guidance incorporates the key requirements set out by the UK regulators for implementing operational resilience into firms. The content should be considered as high-level principles that can be used proportionately by a firm according to its size, scale and complexity. It is not intended to be prescriptive or mandatory, but rather to support completion of individual firm documentation that aligns to the organisation’s specific corporate governance requirements and templates.
Sector Response
Sector Response Framework
Provides a mechanism for firms, FMI and industry groups to coordinate, share information, and ensure the sector can respond effectively to significant operational incidents. Contains a schematic overview of all response groups of the sector, their roles and invocation procedures, and links to other groups to support collaborative cross-sector engagement.
SIMEX22 Single Company Exercise
The Single Company Exercise (SCE) has been designed so that SIMEX’s value could be extended to as wide a range of firms as possible. SCE has been produced to allow any firm, but especially smaller firms without specific exercising experience or expertise, to deliver an effective internal exercise. The materials are based on a severe but plausible scenario and can be used to exercise a range of capabilities and test important business services.
Third Party
Third Party Information Security - Supplier Risk Assurance
In 2022 the CMORG Cyber Coordination Group (CCG) collaborated with the National Cyber Security Centre (NCSC) to produce guidance on practical steps for firms to help assess the cyber security of their supply chains – known as the NCSC Supply Chain Security Framework.

To complement this framework, CCG has developed a third party assurance scale as a practical tool to help firms further assess the risk of their third parties and ensure appropriate levels of risk-based control. This assurance scale includes three components:

1) An example of Risk Factors and weightings that can help an organisation identify the drivers of the risk of their third party providers (TPPs).
2) A Calculator that interprets those risk factors to group third parties by different risk levels.
3) An escalating Control Scale that can be deployed to manage the risk of TPPs at the different risk levels.
Sector Principles for Service Substitution
These principles relate to the substitution of a business service. Per the definition in the PRA and FCA’s policy on operational resilience, a business service is defined as delivering: A specific outcome or service to an identifiable user external to the firm and should be distinguished from business lines, which are a collection of services and activities.

These principles do not assume whether any business service has been assessed as Important by individual firms. However, they accept that this is likely to be the case when developing and maintaining alternative solutions, in light of correlated thresholds such as Impact Tolerance.
Third Party
Scenario Testing of Critical Third Parties
A common approach to scenario testing of critical third parties, intended to address the challenge common providers have of multiple assurance engagements with diverse financial institutions.