Operational resilience for financial institutions
October 2022 | TALKINGPOINT | BANKING & FINANCE
Financier Worldwide Magazine
October 2022 Issue
FW discusses operational resilience for financial institutions with Duncan Scott, Bobbie Ramsden-Knowles, Stella Nunn and Rakesh Majithia at PwC UK LLP.
FW: Despite the level of disruption to firms in recent years, to what extent do financial institutions (FIs) typically underappreciate the impact of disruption on their operations? What are some of the major risk areas?
Scott: Some firms are definitely underestimating the impacts of disruption. Financial institutions (FIs) that have scars from notable past disruptions more readily recognise the damage that disruption can cause. The nature and perception of disruption has also changed. There are two forces that have driven this. Firstly, many financial services run 24/7, or alternatively, during their operating hours, they deliver fast, time-sensitive outcomes. This means that systemically there is more sensitivity in the system than in the past – people no longer have the appetite to rely on cheques that take five days to clear. Secondly, consumer and market expectations have grown significantly over the last 10 to 15 years. The advent of the internet, broadband and particularly the smartphone means people and firms can manage their finances in an instant. The upshot is that disruption is more visible than ever and there is less tolerance for it by individuals and firms alike.
Ramsden-Knowles: It is important firms recognise that disruptive events can be both incident-driven – sudden impact – and issues-driven – slow burning. Quite understandably, organisations are focusing on preparing to respond to incident-driven risks, such as ransomware, given the sharp increase in attacks. However, it is also important firms have appropriate risk management and crisis preparedness in place to identify and manage reputation-driven issues, particularly given the increasing focus on environmental, social and governance (ESG)-related issues. Organisations that recognise this are starting to run ESG crisis exercises to prepare their executives for this type of disruptive event.
Williams: Digitalisation, repeated M&A, deliberate deferral of technology refreshes to help with cost reduction and extensive use of outsourcing and third parties, means that the complexity of firms’ operations can be significant. Senior decision makers can underappreciate this complexity, believing that existing risk and control frameworks provide a foolproof solution. Furthermore, senior leaders may also perceive infrastructure, particularly technology, as a driver of efficiency rather than appreciating that this is exclusively how business services are delivered and that traditional service channels, which might provide a substitute when things go wrong, have been removed in pursuit of financial performance. Consequently, firms may sleepwalk into a crisis, not understanding their own operations or having the capability to respond and recover in the timeframe that customers of digital services expect. Amplify this with a hostile social media environment and firms can find out quickly and too late that operational failures can in fact generate an existential crisis.
Nunn: There is still an issue across the sector of not learning lessons from incidents. One of the key findings we nearly always see in post-incident reviews is the knock-on impact of disruption. Even firms that have prepared well and are able to respond effectively to the immediate disruption often overlook the subsequent backlogs that build up and the difficulty they have in truly ‘returning to normal’. Even a small disruption can have a long tail and the longer-term recovery can be more complex than anticipated.
Majithia: FIs are still not appreciating how the complex supply chain for the services they use is likely to cause disruption to their operations. Often, failures in the services they rely on cause significant disruptions affecting their customers. Key risks are that firms fail to truly understand or govern the ongoing changes, such as upgrades to systems and personnel changes, among others, implemented by their third-party providers for the services they rely on.
FW: What additional challenges have FIs had to confront during recent disruptions such as coronavirus (COVID-19)? In what ways has the crisis highlighted the need to address organisations’ crisis and resilience arrangements?
Nunn: We have really seen two camps for coronavirus (COVID-19) response and learnings: those that consider themselves to be resilient as they dealt with COVID-19 and kept services running, and those that recognise that while that might be true it does not make them resilient in other scenarios. What is key to remember is that the global pandemic happened to everyone at the same time, we were all in the same boat and people went above and beyond to ensure continuity of services. Also, unlike other scenarios, this one was not the fault of an individual organisation; it was not self-inflicted. When this occurs, there is far less good grace from customers. Also, in other scenarios you are not likely to be bailed out financially by the government. Preparing for a variety of scenarios, planning and testing accordingly will help firms be more resilient. COVID-19 response alone is not enough.
Scott: It was particularly interesting to see how firms responded in the early days of the COVID-19 pandemic and the extent to which they relied on their resilience arrangements. There are examples where playbooks were in place to support response and recovery, but these were never taken off the shelf, dusted off and used. FIs should consider what worked or did not work during the pandemic and also what that says about their organisation. For example, the management of the crisis may have been strong, but took a different form to the approach that was anticipated. One challenge for some firms is not to take false confidence from what might be seen as an effective response to the pandemic. The pandemic is one of a much wider suite of potential disruptions firms need to be prepared for, such as cyber attacks or data integrity events. These disruptions can be shorter, sharper and potentially more damaging.
Majithia: With almost all of the work being done remotely from homes during COVID-19, firms have had to get greater assurances from their service providers on the strength of their security, in particular how their data is being protected. It has been a priority – and a significant challenge – for organisations to implement effective safeguards against loss of sensitive data while their service providers’ workforce operated from homes, often with substandard, vulnerable connectivity.
Williams: What was not anticipated was the extended duration of the COVID-19 crisis, and this posed a challenge to firms. That said, longevity was a key factor, as, combined with the slow and observable crystallisation of the risk, it allowed firms time to develop new capabilities and permanently adapt their operations; firms’ staff recovery plans look permanently different, and more robust, post-COVID-19 than they did before it. But COVID-19 was a symmetric threat, affecting all firms simultaneously and slow to crystallise, so mostly existing plans could be mobilised in advance and long-lived, allowing permanent adaptation. Other threats with the precise opposite characteristics would still present a significant challenge to most firms.
Ramsden-Knowles: COVID-19 reinforced the need for organisations to have incident and crisis management structures which are agile and drive swift decision making. Many firms found that their response structures were not fit for purpose for this type of crisis. Additionally, a key learning was the need to invest in their people, particularly crisis leaders. People manage crises, not plans. People need to have the same investment in their skills and personal resilience to put them in the best possible position to lead effectively under pressure.
FW: Could you outline the importance of operational resilience in helping FIs prevent, respond, recover and learn from business disruptions and crises?
Williams: If bad things are definitely going to happen, then a fundamental shift in thinking is required to risk management. Existing risk and control frameworks, which are fundamentally predicated on probability assessments, will offer only partial solutions, at best, to the management of risks which have a probability of one. And yet, that is precisely what firms now have to deal with – cyber being the most obvious example where it is generally accepted that a successful attack is a question of when and not if. Resilience offers firms the ability to look beyond existing risk mitigations and ask challenging questions about their own capabilities under a range of severe but plausible scenarios. What this means in practice is looking beyond probability, where risk management stops, and into plausibility instead. Such an approach gives people permission to ‘fail’ and to collectively assess organisational abilities where existing risk mitigations may be ineffective.
Majithia: Operational resilience is really helping FIs understand their important business services and how these are delivered. In particular, this has also highlighted the role third parties are playing in the delivery of these important business services, which has in turn led to a greater focus on ensuring fit for purpose frameworks and practices are in place to oversee and govern these arrangements. Organisations need to understand fully the third-party services that contribute to the delivery of their important business services and how these are being managed.
Scott: Operational resilience is vital, as it is a mechanism for building muscle memory to address disruption to the most important services FIs provide. Operational resilience requirements themselves are the building blocks for firms to understand where disruptions can be most impactful – how those services are delivered and what they rely on to be delivered, as well as setting standards the organisation must achieve to minimise the impacts of disruption. These building blocks do not deliver resilience in themselves, rather they are means by which FIs should view themselves, understand their vulnerabilities and importantly, take action. The work done by firms to date has been focused on gaining this understanding, but the challenge now is to make decisions based on it and build an operationally resilient organisation. Now is the pivotal moment for the industry to focus on building resilience, not just assessing vulnerabilities.
Ramsden-Knowles: The key difference with operational resilience is the recognition that organisations need to be able to adapt to disruptive events as much as they need to be able to absorb the impacts. This provides an opportunity for change and to rebuild to a new state while also learning and embedding lessons.
Nunn: Operational resilience, which advocates an end-to-end view of important business services, addresses the issue of the siloed approach that many firms take to risk decision making. Risk identification, remediation and acceptance are often disconnected across a firm, and therefore the potential impacts, especially external impacts, are not well understood. The build out of the resilience risk position of an end-to-end service helps to connect all the related risks and provides better insight for decision making, investment and preparedness.
FW: To what extent is there an increasing regulatory imperative for FIs to improve their operational resilience? How are they responding to this rising pressure?
Ramsden-Knowles: Organisations are understandably being driven by regulatory compliance deadlines. However, to really drive change there will need to be an ongoing focus on how this is embedded in the business and its culture to drive sustained outcomes. To achieve this, some firms are now starting to explore how to undertake complex scenario testing, particularly testing that focuses on an organisation’s readiness to respond to a ransomware attack from the executive level right down to the frontline technical response. Additionally, they are exercising their response to financial uncertainty as a result of an ongoing cyber crisis and exploring the interlinkages between the operational and financial crisis management framework.
Scott: Expectations have never been higher, and these are not only emanating from the UK. The US Federal Reserve, European Central Bank and Monetary Authority of Singapore all have been vocal on resilience, albeit with the UK having first mover advantage, or disadvantage. The volume of requirements has increased, and firms are having to determine a nuanced response. FIs have to navigate their way through these regulations, albeit regulators have said they are generally aligned in their objectives. Firms are having to consider what should be their primary reference for the requirements or even make decisions on whether to undertake work at all – for example, FIs with third-country branches in the UK. Many firms are embracing the fact that with resilience comes trust, a more sustainable organisation and commercial benefits. There are, however, FIs that still view regulation as being a stick rather than a carrot, seeking to meet the regulations but not realise the wider benefits.
Williams: UK regulators were first out of the blocks on operational resilience, with a string of well documented operational failures at UK banks being the catalyst. There was also notable political interest. This backdrop may not have been present in all jurisdictions but nonetheless the UK’s move was swiftly matched by the Basel Committee for Banking Supervision and other international standard setters. The interest of regulators is stimulated by the harms that operational failures can now have on customers and, in extremis, the broader financial system, including potential financial stability concerns. Broadly, regulations recognise and address that a focus only on firms’ internal risk appetites is insufficient to deliver the wider public interest outcomes. The challenge for firms is to avoid taking a regulatory risk and compliance approach to operational resilience and recognise that there are genuine issues in the way firms approach non-financial risk management which need to be fundamentally rethought.
Majithia: Regulatory imperative has understandably created a level of senior management focus which has been needed to improve operational resilience. In my view, they have been responding well to the expectations, but many FIs have much to do.
Nunn: Where regulation focuses on outcomes it can really help drive and embed the right behaviours. Being resilient is more important than being compliant, but achieving both is possible. There has been lots of focus in the UK on how to meet the regulation and in some cases the objective of the regulation has been forgotten.
FW: What key elements do FIs need to consider when implementing an effective operational resilience programme and crisis management approach?
Scott: One of the fundamental points FIs need to consider is their purpose in the market. A strong understanding of this allows them to effectively determine where they may have a stronger impact if disrupted and where to focus resilience efforts. Resilience requires FIs to focus on the most important services they provide and sets the size of the task ahead. Another key element is the level of involvement required across an FI to build a resilient organisation. Effective linkages between the business and second-line functions are needed, but with a clear direction that this approach is led by the business. Resilience is here to stay, and needs to be integrated into roles and responsibilities, not a side-of-the-desk activity as business continuity has traditionally been for some FIs.
Williams: Three things will define a firm’s success in taking an operational resilience approach. First, prioritise. Not everything can be resilient or needs to be resilient to the same degree. Identify the most important things that the firm does and make sure they are resilient to the extent necessary and practicable. Second, allow plausibility to override probability for severe but plausible scenarios. Look beyond the expert view that says that something should not happen, and have a plan to respond for when it does. Third, strategy. Make sure that the business strategy places equal value on operational resilience as it does on financial resilience. This will give permission for the rest of the organisation to shift its focus. Bring balance to financial and operational resilience considerations and do not allow financial performance to dominate at the expense of operational resilience, using low-probability assessments to justify inaction.
Majithia: Key to implementing a successful operational resilience programme and eventually a part of an FI’s DNA in business as usual is senior management focus and accountability – facilitated through the senior manager function (SMF) role – creating the right tone from the top. Effective alignment, and integration, with adjacent programmes, such as operational continuity and resolution and outsourcing, and third party risk management, is also key. In my view, FIs should not consider operational resilience as an afterthought but as a core requirement, at the inception of any change activity. For example, operational resilience requirements should be advocated and built into any functional requirements for a new technology or business change.
Ramsden-Knowles: Key to successfully implementing a programme is recognising the link between risk management, building resilience and preparing for disruptive events. These activities should not be viewed in silos. They are part of one continuum. Risk is aimed at preventing disruptions from having an impact on a business; the goal of operational resilience is to have measures in place which will enable an organisation to withstand, absorb or adapt during disruption. But firms also need to have an effective crisis management capability to deliver their strategic aims, ensure they return to a viable operating state, recover and change to a new normal.
Nunn: Resilience is not a one off or once a year activity. Where it is effectively implemented, it becomes part of the firm’s DNA – just the way a firm thinks and acts. Resilience should be owned and delivered in the first line, as part of how it operates in designing and delivering services to customers, clients and markets. Having the right skills and experience, often now blended between those that are business SMEs and those that work in the resilience disciplines, is something we are seeing more of.
FW: With the increasing reliance placed by FIs on third parties, what are the challenges to them in understanding the full supply chains of the services they use? How does the issue of supplier concentration contribute to risk?
Nunn: Management of third parties remains a challenge for FIs – the way in which firms engage with their third parties and the level of understanding they have of how and who delivers their services is not up to scratch. There is a complexity in the supply chain that many FIs still do not have under control.
Ramsden-Knowles: With an increasingly complex supply chain, organisations need to have a better understanding of how they will respond if a key supplier fails. Using a structured exercise to help identify and develop plans to proactively manage down the risks, issues and challenges that would be faced in the event a key supplier fails is a no regrets move.
Majithia: With increasing use of the cloud, including by service providers, there are definite challenges to understanding complex supply chains, specifically with potential blind spots on the fourth and fifth parties involved. Given this, FIs are struggling to truly understand their supplier concentration risk.
Williams: Third-party risk management is the challenge of our time. And it is likely to remain so for a decade. Firms make extensive use of third parties and outsourcing arrangements, leading to complexity within their operations and their supply chains, which arguably cannot be fully fathomed across the full range of third parties they currently use. In the short term, the remedy is the same as it is for operational resilience: prioritise and make sure that the most important are as resilient as they can be. But do not fall down a rabbit hole. Consider supplier substitutability for the most important services and where it is viable, which may allow for less resilience of an individual supplier or single point of failure. Long term, firms should reflect on whether the level of unmanageable risk created by use of third parties means that in-sourcing should be considered. Or perhaps even a vertical integration strategy.
Scott: Incumbent FIs have already been increasingly utilising specialist third parties to augment their offerings for some time; however, the advent of the new entrant FinTech firms has brought further focus on the outsourcing of service elements. There is an increasing presence of challenger firms that have a core value proposition that is supported significantly by third parties. New FIs are no longer banks that are enabled through technology, but are technology firms that provide banking services. Given this dynamic, the ability to oversee and manage third-party relationships and arrangements is critical, and the increase in these arrangements contributes to a sector that is more interconnected than ever.
FW: When exploring and addressing operational resilience, how important is it for senior leaders to be involved? How should executives and the board work together to ensure operational resilience?
Williams: Senior leaders are the ones most likely to have driven a business strategy which puts operational resilience as a secondary consideration to financial performance. Combined with a drive for product development and innovation, this is likely to have led to suboptimal choices on infrastructure investment. These choices are likely to have led to a build-up of legacy technology within firms’ operations. This technical debt creates challenges for cyber risk management and operational resilience and builds complexity and fragility into a firm’s operations. Regulators have looked at this before. It is possible that the focus on operational resilience self-assessments may shine a light on this aspect of firms’ vulnerabilities once again. If this problem originates with business strategy then it can only be fixed by business strategy. This means senior leaders acknowledging the role they play in setting strategy and culture and ensuring financial and operational resilience choices are in healthy balance.
Ramsden-Knowles: Boards with the right mindset recognise the importance of having a ‘resilient ready’ culture – investing in preparing their people and structures. They also recognise that disruption is inevitable. There is often opportunity too. If an FI responds well to a disruptive event, it can use the situation to build trust with its stakeholders.
Scott: Operational resilience is such an important aspect of the regime that regulators have called out the need for boards to sign off on the services the FI has deemed as important, along with the impact tolerances that have been set. On that basis, it has been very important for a constructive dialogue to be in place while the key parameters of the resilience regime have been established. It is now, however, that this relationship becomes even more meaningful. As vulnerabilities are identified, FIs will need to make investment decisions with resilience in mind, and the dialogue between executive and board is crucial to demonstrating this is happening. I would also emphasise that resilience is an organisational mindset and this culture should be embedded across the three lines of defence. To believe that resilience is strictly the domain of a resilience team, the board or a key accountable individual would be to miss the point as an organisation.
Nunn: Being resilient should be an objective of all firms – a commercial imperative within their business strategies. This needs to come from the top and the new regulation has helped to elevate the topic of resilience up to board level.
Majithia: I firmly believe senior leaders and the board need to work together to create the right tone from the top on the behaviours required to drive a culture of operational resilience across the organisation.
FW: What are your predictions for operational disruption in the months and years ahead? Do FIs need to make crisis and resilience an essential part of their risk management framework?
Majithia: FIs’ ability to deal with crises and their record on resilience will be a key differentiator in the future, and therefore will require absolute senior management focus and complete integration into risk management practices.
Scott: My prediction would be a toughening line by regulators in the event of disruptions that are specific to firms. Resilience in the current format has been on the agenda for some time now, meaning that tolerance for failures that could have been anticipated is likely to be low. The outcome is that more severe regulatory interventions, such as independent reviews and fines, may be more prevalent, or more visible. Additionally, with increasing geopolitical tensions the management of resilience will only increase in importance. The potential for cyber attacks from foreign actors could increase should the UK become a potential target.
Williams: Firms’ operations have never been more complex; complexity brings fragility. Combined with an increasingly hostile threat environment, including but not limited to cyber, acknowledging that bad things will happen must be the primary consideration of firms. Those that fail to grasp this point are likely to encounter the greatest cost in trying to take a compliance-based approach to regulators’ requests while realising the least benefit. Or worse, fall victim to operational failures, either from within their own organisation or from external – cyber – threats. In implementing operational resilience, my prediction is that firms will realise that they cannot afford the assurance necessary, particularly over third parties, and will blame regulators for unrealistic expectations of resilience. This would be a mistake. The better reaction would be to acknowledge that resilience by design can substantially reduce the burden of policy compliance while simultaneously bringing business benefits through agility and the ability to thrive in a hostile world.
Ramsden-Knowles: Disruption will continue to be more frequent and complex. The evolving external landscape means organisations that fail to invest and embed resilience in their business and culture risk their future commercial viability. My prediction is that disruption will not just come from operational issues. With the change in external stakeholder expectations and the role of ESG in driving that change, reputation resilience will start to become as important as operational.
Nunn: You could argue that the future of operational risk is operational resilience. While the latter assumes failure rather than the prevention or acceptance of risk, they are intrinsically linked. Ultimately, operational resilience looks across the risk types associated with operational risk, such as technology, people, process, premises and security, among others, but takes the analysis to an extreme position – enabling operational risk to learn more about risk mitigation and the art of the possible. Also, monitoring operational risk can be an early warning system for operational resilience, to get ahead of potential disruptions.
Duncan Scott leads PwC’s operational resilience practice in banking and leads the firm’s crisis and resilience hub. Mr Scott has worked within financial services for nearly 20 years, specifically with top-tier banks on their resilience maturity and approaches to regulatory requirements in the UK, US, Europe and Asia. He has also worked extensively with firms in the past to enhance their approaches to operational risk, regulatory risk and governance. He can be contacted on +44 (0)7894 393 607 or by email: duncan.j.scott@pwc.com.
Bobbie Ramsden-Knowles is a partner in PwC’s risk line of service in which she leads the crisis management practice. She is a specialist in crisis, resilience and reputation management, helping organisations prepare and respond to high-impact, disruptive events. She can be contacted on +44 (0)7483 422 701 or by email: roberta.ramsden-knowles@pwc.com.
Stella Nunn leads on operational resilience, focusing predominantly in the current climate on the insurance sector, but also works across industry sectors. With over 20 years of industry and consulting experience, she is a leading voice in the market, with particular expertise in the practical application and operation of operational resilience and business continuity approaches. She can be contacted on +44 (0)7932 144 627 or by email: stella.nunn@pwc.com.
Rakesh Majithia is a partner in PwC’s risk line of service in which he leads the resilience and risk management proposition. He is a specialist in outsourcing and third party risk management and operational continuity in resolution. He has supported numerous financial services organisations with developing effective practices to mitigate risks from their use of third parties, while meeting regulatory expectations. He can be contacted on +44 (0)780 302 3856 or by email: rakesh.majithia@pwc.com.
Paul Williams is an independent special adviser to PwC on operational resilience. Until February 2022, he was head of division for operational risk and resilience at the Bank of England and Prudential Regulation Authority. In this role, he led the implementation of operational resilience and was the driving force behind the concepts in the UK financial authorities’ policies on operational resilience. He can be contacted on +44 (0)7488 812 144 or by email: paul.xz.williams@pwc.com.
© Financier Worldwide