FINMA circular 2023/1 Operational Risks and Resilience – Ready for an audit?

Have you completed or planned the necessary steps to ensure compliance with FINMA Circular 2023/1 “Operational risks and resilience – banks”? Further requirements from FINMA Circular 2023/1 must be implemented by 31 December 2024. This article provides you with an overview of these requirements as well as how the reviews are carried out.

The fully revised FINMA Circular 2023/1 on managing operational risks and ensuring resilience took effect on 1 January 2024. Detailed explanations of the circular can be found in our blog article from January 2023 : Below we provide an overview of what needs to be done to successfully pass a regulatory audit.

Are you ready for a regulatory audit?

Have you successfully achieved compliance with the requirements of the circular by the end of 2023, making you ready for a regulatory audit? Can you show the audit firm what measures you have taken and what measures are being implemented or are planned to achieve compliance?

Transitional provisions have been defined for the requirements to ensure operational resilience which ensure that affected institutions have sufficient time to define and implement appropriate measures. Below you will find a checklist that you can use to check the implementation status.

Download «FINMA Circular Checklist»

How regulatory audits have been carried out since 1 January 2024

The full revision of the circular entails modifications to the implementation of the regulatory audit:

    • The audit points on IT and the audit points on handling electronic customer data were cancelled at the end of 2023.

    • New audit catalogues were drawn up for the newly created audit fields of cyber risk management and critical data risk management, which support the regulatory audit. First-time audits can be carried out from 1 January 2024.

    • Transitional provisions of up to two years are in place for the newly created operational resilience audit area; a test catalogue is not yet available. First-time audits can take place from 2024 at the discretion of the audit firm and based on its risk analysis. However, an audit must be carried by no later than during the 2027 audit year at the latest, i.e. in the second year after the end of the transitional period.

    • For the remaining audit areas, the audit firms will draw on existing audit points or information from past regulatory audits.

    • The four elements of the ICT risk management audit area will now be phased in over four years instead of the previous six. As a result, there may be interventions on several of the four elements until the new cycle of phasing in the elements has stabilised over the four years.

The determination of the frequency and selection of audit areas for the regulatory audits is based on the regulatory audits carried out in the past and the regulatory category of the institution. We recommend contacting the respective audit firm at an early stage to establish a common understanding of future regulatory audits and to allow for suitable preparations accordingly. Institutions should also familiarise themselves with the newly created audit catalogues for cyber risk management and critical data risk management. These will form the basis of the compliance assessment. Compliance with other ordinances and laws in the audit catalogues is also audited in addition to the margin numbers of FINMA Circular 2023/01 as part of the audit catalogue.

Get support with the implementation of FINMA requirements at an early stage

Thanks to our longstanding track record in security consulting, we can support you in achieving compliance with the new FINMA Circular 2023/1 and in preparing for a regulatory audit, e.g. through a gap analysis and identifying and prioritising the most important measures.

FINMA Gap-Assessment


We can also support you in identifying the critical functions based on the main inherent risks and the subsequent development of key controls. We’re here to support you in the process of implementing the new FINMA Circular requirements in an efficient and targeted manner whenever you’re ready. Further information can be found on our website.

FINMA Implementation

In addition, we can offer you expert support on specialist questions about the individual requirements as well as with the general implementation of measures, guidelines and processes. Our comprehensive range of services for implementing the requirements of the new FINMA Circular 2023/01 includes for instance penetration tests, data protection, scenario-based exercises and targeted employee training as well as round-the-clock management, SOC and incident response services.

<< >>

Data Governance

Michael Fossati
About the author / Michael Fossati

InfoGuard AG - Michael Fossati, Principal Cyber Security Consultant

More articles from Michael Fossati

Related articles
NIS2 – Cyber Defence is a Must, not only for KRITIS
NIS2 – Cyber Defence is a Must, not only for KRITIS

The risk of cyber attacks such as DDoS, ransomware and phishing is increasing. Attackers are increasingly [...]
Are you ready for the new FINMA circular 2023/1 “Operational risks and resilience – Banks”?
Are you ready for the new FINMA circular 2023/1 “Operational risks and resilience – Banks”?

The completely revised FINMA Circular 2023/1 on management of operational risks and ensuring resilience in [...]
ISG revision: consequences & obligations for critical infrastructure operators [Part 2]
ISG revision: consequences & obligations for critical infrastructure operators [Part 2]

If you’ve read the first part of this blog article, you probably already know that both information security [...]

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media