Why Lessons From Covid-19 Can Lead To Better Operational Resilience
Author: Mike Dempsey, Senior Manager, Risk & Accounting Advisory Services
While financial services providers have long been accustomed to discussing and planning for so-called ‘black swan’ events, until recently pandemics rarely topped the list. Yet now, as we enter the third year of life in the shadow of COVID-19, that’s beginning to change.
The collateral damage of the pandemic continues to be felt, prompting a growing number of firms to begin evolving their enterprise and operational risk management frameworks to better protect their business-critical functions and processes. Many banks and financial services firms have also started to incorporate measurable resiliency objectives into their risk management planning and assessments.
But few are yet going far or fast enough.
For many years, organizations have judged themselves on their ability to deliver and continue critical operations and core business lines during geopolitical triggers, environmental events, or infrastructure failures, such as power outages, market disruptions, and data breaches.
Yet now, as they try to navigate the evolving risks associated with a virtual workforce and the threat of new coronavirus variants like Omicron, firms must achieve previously unseen levels of digital security and transformation to remain resilient, relevant, and productive. Financial services providers must re-evaluate and strengthen their operational resilience plans specifically to account for pandemics.
Regulators Pick Up the Pace
The pressure to implement stronger organizational resiliency is not only coming from within firms’ own businesses; regulators are increasingly focused on it too. An inter-agency paper entitled Sound Practices to Strengthen Operational Resilience, published in November 2020, identified resiliency as a core capability for large financial institutions (LFIs)¹. The paper highlighted the growing complexity and sophistication of cyber incidents, pandemic outbreaks, and how the increasing reliance on third parties is exposing LFIs to a vast array of unforeseen operational risks. It also proposed a flexible and scalable operational resilience approach that can evaluate the ability of firms to prepare, adapt, and recover from a major disruption while maintaining core operations throughout.
Another paper published by the Financial Stability Board (FSB), also in November 2020, told a similar story. It specifically addressed the issue of financial institutions becoming dependent on a solitary or small number of third-party providers, pointing out the potential for a single point of failure that negatively impacts financial stability, safety, and soundness. Meanwhile, in December 2021, the Central Bank unveiled cross-industry operational resilience guidelines for regulated financial service providers (RFSPs). It recommended managing disruptive events under three pillars: (i) identify and prepare; (ii) respond and adapt; and (iii) recover and learn.
An Integrated Approach
How do financial services providers deliver against these new, greater expectations and, in doing so, futureproof their business against a more unpredictable and disrupted operating environment?
Enter Scenario Analysis, an operational risk management framework tool based on collecting experts’ assessments of the likelihood and impact of plausible, significant, high-impact events. These insights are then used to develop, validate, and calibrate a firm’s disruption tolerance. Rather than be limited by the traditional approach of focusing on a single event, the framework integrates scenario analysis with disaster recovery and business continuity management, making it easier to execute a risk management strategy in the face of extreme stress and multiple disruptions, as seen in the pandemic.
Scenario Analysis can be deployed as a critical operational resiliency framework tool to support business performance and effective risk management because it helps firms better understand internal and external business environment factors, identify gaps and exposures, and gain critical insights on the necessary incremental mitigation strategies. The Multiple Event Simultaneous Scenario (“MESS”) methodology of Craig Spielmann, CEO of RiskTao, LLC, is a great example.
Financial services providers should act now to enhance their operational resilience capabilities across critical operations and core business lines. They must identify and address risks across other operations, services, and functions as part of their recovery and resolution plans, taking into account affiliates, partners and third parties. Operational resilience should also be considered in the due diligence and risk assessment processes for the launch of new, expanded, or modified products and services.
Additionally, there are rising expectations, particularly among regulators, that firms will create a resilience framework that is owned by the Board and based on a standardized taxonomy, clear risk and control inventories, tangible metrics and impact tolerances. The framework should also establish clear roles and responsibilities across the three lines of defense (managing, monitoring, and reporting), along with ongoing data and situation monitoring. Once the framework is established, regular reporting to senior management and the Board would enable timely and appropriate decisions regarding disruption response measures.
It’s increasingly clear that an integrated approach which breaks down the silos across business continuity, risk management, cybersecurity, and third-party threats will be necessary if financial services firms are to develop a sustainable operational resilience framework that can be embedded across their critical operations and core business lines.
Beyond that, a truly operationally resilient model will also serve to promote clear risk ownership and accountability to ensure nothing falls through the cracks. As a result, it will help foster a strong risk management culture that empowers multiple parties to eliminate inefficiencies, plug gaps and promote best practice across multiple functions.
The pandemic has been a testing time for everyone, and its effects will no doubt be felt for many years to come, including among financial services firms. But if they can take those experiences, learn the lessons, and make the necessary changes, its legacy may also be a positive one. Build the right operational resilience and risk management frameworks now and next time something like this happens, they will be ready.
To learn more about how to boost your organization’s operational resilience, business continuity or third-party risk management assessments, contact Mike Dempsey, Senior Manager, Risk Advisory practice or speak to your Cherry Bekaert advisor.
1 – Applies to nonmember banks, savings associations, U.S. bank holding companies, and savings and loan holding companies that have average total consolidated assets greater than or equal to: (a) $250 billion, or (b) $100 billion and have $75 billion or more in average