Skip to content
Pacific Resilience Institute
All insights
RegionalJan 2026 · PRI Insights Team

Basel's operational resilience principles, five years on

The Basel Committee published its Principles for Operational Resilience in March 2021. APAC implementation has converged on a recognisable shape, with sharpening edges on tolerance and testing.

Informational only. This article reflects the views of its author and does not constitute legal, regulatory or risk-management advice. References to MAS, APRA, HKMA, RBI or JFSA are for context; PRI is not endorsed by any regulator.

The Basel Committee on Banking Supervision published its Principles for Operational Resilience in March 2021, together with revisions to the Principles for the Sound Management of Operational Risk. The seven principles set out a common international expectation that banks should identify critical operations, set tolerances for disruption, map their dependencies, manage third parties and continue to be able to deliver critical operations through severe but plausible scenarios. APAC supervisors have used the Basel framework as a reference point for their own implementation, with adaptations to local markets and supervisory styles.

Five years in, the shape of implementation is consistent across the region. Australia has codified expectations through CPS 230, with full effect from 2025 and service provider arrangements following in 2026. Hong Kong's OR-2 set a three-year transition that ends in May 2026. Singapore's June 2024 Information Paper on Operational Resilience formalised the supervisory direction that MAS had been articulating for several years. The Philippines issued its operational resilience framework in 2024. India and Indonesia have addressed the territory through their IT governance and risk management regimes. Japan and Korea have approached it through their cyber and IT supervisory frameworks rather than through a dedicated operational resilience instrument.

Tolerance setting is the area that has matured most visibly and is also the area where supervisory pressure is sharpest. The early phase saw many institutions set tolerances that were essentially restatements of their existing recovery time objectives, which is not what the principles intended. The supervisory test is whether the tolerance is grounded in customer and financial stability outcomes, whether the board has genuinely engaged with it and whether the institution can defend it under stress. Tolerances that have not changed during the implementation period are typically a signal that the analysis has not deepened.

Mapping has improved but remains uneven. Many institutions now have credible mappings for their flagship critical operations and weaker mappings for the long tail. The fourth-party question, which is the visibility into service providers' own sub-contracting arrangements where these support critical operations, continues to be the part where evidence is hardest. Several regulators in the region have started to test this directly, with thematic reviews that look beyond the contractual flow-down to the operational reality.

Scenario testing has moved from compliance to learning in the better institutions. Scenarios that combine cyber compromise with infrastructure disruption, scenarios that take out a shared provider, and scenarios that require the institution to operate at reduced capacity for an extended period are the ones that have produced useful findings. Scenarios that confirm existing recovery plans without breaking them remain common but are decreasingly persuasive.

Third-party risk has been pulled towards the centre of operational resilience as the cloud and software supply chain has matured. The Basel principles addressed third-party risk explicitly, and the regional implementation has if anything intensified the focus. The supervisory dialogue is no longer only about contractual due diligence but about continuing visibility into provider posture, exit planning that is rehearsed rather than only documented and concentration awareness across the institution and the system.

For boards and executives setting operational resilience priorities for 2026, the five-year point is a useful prompt. Test the tolerances against current customer expectations and regulatory standards rather than against the original calibration. Push mappings beyond first-tier providers into the dependencies that matter. Use scenario testing to learn, and act on what it shows. And treat operational resilience as a continuing capability that the board owns, not as a programme that finishes when the framework is approved.

ShareLinkedInXEmail

More insights