Response to consultation on revised Guidelines on internal governance under CRD


Question 1: Are subject matter, scope of application, definitions and date of application appropriate and sufficiently clear?

Regarding the definition of "operational resilience", Sella Group notices that it is consistent with the definition proposed in the draft Guidelines on the sound management of third-party risk (non-ICT related services), but it does not coincide with that of "digital operational resilience" introduced by the DORA Regulation.

According to DORA Regulation, “digital operational resilience” means “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.

By contrast, the concept of “operational resilience” as described in the draft Guidelines under analysis refers to a financial institution's ability to perform critical or important functions in the event of a disruption. This capability enables a financial institution, directly or indirectly, including through the use of functions provided by third-party service providers, to identify and protect itself from threats and potential failures, to react and adapt, and to recover and learn from disruptive events, in order to minimize their impact on the performance of critical or important functions in the event of a disruption.

In the context of the draft Guidelines under analysis, the concept of “operational resilience” is used mainly in relation to ICT and security risk management. Therefore, Sella Group would consider it preferable that the definition adopted in the Guidelines be aligned with that contained in the DORA Regulation.

Question 2: Are the changes made in Titles I (proportionality) and II (role of the management body and committees) appropriate and sufficiently clear?

Sella Group has no specific comment on the matter.

Question 3: Are the changes made in Title III (governance framework) section 6 appropriate and sufficiently clear?

Title III regulates the governance framework that brings in an obligation for institutions to draw up an individual statement clearly defining the roles, responsibilities and duties of the members of the management body in its management function, as well as a mapping of duties, as provided for in paragraphs 68a and 68b.

However, for the purposes of mapping and collecting individual statements, the Guidelines refer not only to the management body and senior management, but also to the "key function holders". The term "key function" is considered overly broad and, as such, may lead to subjective interpretations by institutions.

Sella Group would consider it helpful if EBA provided more explicit clarifications regarding the scope of application of the obligations relating to mapping of duties, to avoid interpretative uncertainties and ensure a consistent and proportionate application of the Guidelines by the institutions.

Question 4: Are the changes made in Title III section 7 (third-country branches) appropriate and sufficiently clear?

Sella Group has no specific comments on the matter.

Question 5: Are the changes made in Title IV (risk culture) appropriate and sufficiently clear?

The amendments introduced under Title IV of the Guidelines, aimed at strengthening the institution’s risk culture, are deemed appropriate by Sella Group.

With reference to paragraph 101a, which introduces a non-exhaustive list of additional indicators to be used to monitor the development of the representation and equal treatment of staff of different genders, Sella Group suggests highlighting that the selection of indicators should remain within the discretion of the institution, according to its specific organizational, dimensional and operational characteristics. A flexible and proportionate approach would allow for a greater focus — including from an operational and administrative standpoint — on the strategic objectives and policies that are effectively implemented, avoiding standardized burdens that may not reflect the institution’s actual operational reality.

Therefore, Sella Group suggests that this matter should be addressed within the Guidelines, possibly also in a footnote.

Question 6: Are the changes made in Title V (internal control framework) appropriate and sufficiently clear?

The amendments introduced under Title V strengthen the role and independence of the internal control functions, in line with the principles of functional separation and operational autonomy.

Among the changes introduced by the new Guidelines, it is worth noting the explicit inclusion of legal risk among the risks that the Compliance function must manage and monitor (paragraphs 204, 209 and 210).

Sella Group feels this represents a significant evolution compared to the previous version of the Guidelines, as it formally acknowledges the relevance of legal risk within the compliance process.

Sella Group deems it appropriate to clarify the operational scope of the legal risk assigned to the Compliance function. Specifically, Sella Group proposes to limit the scope to violations of mandatory regulatory requirements, which may result in a risk of sanctions or a significant impact in terms of regulatory compliance.

However, the management of litigation risks cannot be assigned to the Compliance Function in cases where the dispute concerns purely civil matters (e.g. the interpretation or enforcement of contractual clauses). These areas, in fact, do not determine a non-compliance event, but rather a litigation and legal risk and, therefore, fall within the remit of the Legal Function and, as operational risks, the Risk Management Function.

Finally, Sella Group proposes the introduction of definitions for the concepts of “legal risk”, “non-compliance events”, and “legal risk stemming from non-compliance events”, to ensure greater consistency in the interpretation and application of the Guidelines, particularly regarding the scope of competence of the Compliance Function and its coordination with the Legal Function.

Question 7: Are the changes made in Title VI (business continuity management) appropriate and sufficiently clear?

Title VI regulates business continuity management, with the aim of ensuring the resilience of critical business functions in the event of adverse events.

In this context, paragraph 230 states: “The documentation should be available to the staff involved in the execution of the plans and should be stored on systems that are physically separated and readily accessible in case of emergency.”

Although this is a formulation already present in the previous version of the Guidelines, it should be noted that the concept of "physically separated systems" is not reflected in either Regulation (EU) 2022/2554 (DORA) or the EBA Guidelines on ICT risk management and security (EBA/GL/2019/04).

Sella Group believes that the current wording may generate interpretative uncertainty. It is not clear whether the expression should be interpreted as the obligation to keep the documentation exclusively on systems located in alternative sites or on backup media that are geographically separate and distinct from the production environment.

Considering the above, it is proposed to reformulate or delete the reference to "physically separated systems", to ensure greater alignment with the current European regulatory framework, particularly with the DORA Regulation.


Name of the organization

Sella Group