Artefacts

We aim to deliver sector-wide operational resilience improvements to benefit the safety and security of customers through trusted and effective collaboration.

Welcome to the CMORG Artefact library

This brings together all CMORG outputs that are accessible to industry participants. You can register to access all of these here, but to receive a response, you must provide an industry email address and be a direct industry participant.

Resilience
CMORG Meeting Minutes
Please find here the meeting minutes for CMORG meetings to inform firms and groups of the discussions and decisions made at the CMORG group level.
Resilience
Guidance for Firm Operational Resilience
The guidance incorporates the key requirements set out by the UK regulators for implementing operational resilience into firms. The content should be considered as high-level principles that a firm can apply proportionately, according to its size, scale and complexity. It is not intended to be prescriptive or mandatory, but rather to support completion of individual firm documentation that aligns to the organisation’s specific corporate governance requirements and templates.
Resilience
Sector Principles for Service Substitution
These principles relate to the substitution of a business service. Per the definition in the PRA and FCA’s policy on operational resilience, a business service delivers a specific outcome or service to an identifiable user external to the firm and should be distinguished from business lines, which are a collection of services and activities.

These principles do not assume whether any business service has been assessed as Important by individual firms. However, they accept that this is likely to be the case when developing and maintaining alternative solutions, in light of correlated thresholds such as Impact Tolerance.
Sector Response
Sector Response Framework
Provides a mechanism for firms, FMI and industry groups to coordinate, share information, and ensure the sector can respond effectively to significant operational incidents. Contains a schematic overview of all response groups of the sector, their roles and invocation procedures, and links to other groups to support collaborative cross-sector engagement.
Resilience
SIMEX22 Single Company Exercise
The Single Company Exercise (SCE) has been designed so that SIMEX’s value could be extended to as wide a range of firms as possible. SCE has been produced to allow any firm, but especially smaller firms without specific exercising experience or expertise, to deliver an effective internal exercise. The materials are based on a severe but plausible scenario and can be used to exercise a range of capabilities and test important business services.
Third Party
Third Party Information Security - Supplier Risk Assurance
In 2022 the CMORG Cyber Coordination Group (CCG) collaborated with the National Cyber Security Centre (NCSC) to produce guidance on practical steps for firms to help assess the cyber security of their supply chains – known as the NCSC Supply Chain Security Framework.

To complement this framework, CCG has developed a third party assurance scale as a practical tool to help firms further assess the risk of their third parties and ensure appropriate levels of risk-based control. This assurance scale includes three components:

1) An example of Risk Factors and weightings that can help an organisation identify the drivers of the risk of their third party providers (TPPs).
2) A Calculator that interprets those risk factors to group third parties by different risk levels.
3) An escalating Control Scale that can be deployed to manage the risk of TPPs at the different risk levels.
Third Party
Third Party Lifecycle Management Guidance
Industry expertise on managing resilience risks through the lifecycle of a third-party engagement, optimising the approaches undertaken by larger firms and supporting capability building across the wider sector. The guidance considers each stage of engagement from supplier selection and due diligence, classification to support supplier management approach, governance and assurance through to exit.
Third Party
Scenario Testing of Critical Third Parties
A common approach to scenario testing of critical third parties in order to address the challenge common providers have of multiple assurance engagements with diverse financial institutions.
Payments
Payments Prioritisation (Retail)
Common definitions of critical GBP retail payments to support prioritisation across the sector during severe but plausible operational disruption.