
Over the past ten years, consumer banking behaviours have significantly changed. Today, the majority of customers engage banks via digital channels. The change has pushed the resilience of digital-led services under the microscope.

During this transformational shift, multiple high-profile incidents have occurred, often linked to digital services, bringing scrutiny to the operational risk function. The media has ensured that customer impact has been front-page news while highlighting banks’ struggles to manage recovery plans effectively.

Shifting the organisational mindset 

The well-worn cliché “prevention is better than cure” is as true now as ever. Focusing on understanding the root cause of a risk and maximising preventive and early detective controls is critical. This has quite rightly remained a focus of good risk management. However, even good risk management can only achieve reasonable assurance that major incidents can be avoided; there is no guarantee.

The new approach requires a shift in organisational mindset. Firms need to start from a position of “assuming failure” and demonstrate how quickly recovery plans can be executed for critical services under extreme stress, including defining impact tolerances for such events.

Adding vigour to existing risk processes?

While risk appetite focuses management attention on managing the likelihood of operational risks occurring, impact tolerances seek to increase management focus on operational resilience before operational risks have crystallised.

An opportunity may exist for risk functions to introduce impact tolerances to the traditional risk-evaluation matrix. This integration could also enhance the Risk Control Self-Assessment (RCSA) process, which is under pressure to be more efficient and informative. Linking the two methodologies could drive board engagement and assist the risk function’s engagement with the business.

 


Navigating the critical path

Effectively delivering resilience outcomes will require skilled collaboration. This presents an opportunity for the risk function to demonstrate depth of existing knowledge gained from historical scenario analysis and oversight of incident management. We must also consider and prepare for some of the key challenges when implementing:

Access denied(!): Detailing process flows in any firm, especially a large and complex one, is difficult. Validating process design can require multiple iterations, and the exercise may be frustrated by components of the process that are not under direct control (e.g. cloud data services).


Visualisation is essential: Boards and senior management will require an integrated view of resilience outputs (i.e. tolerances). Dashboards should be able to connect impact tolerance and scenarios to the risk appetite statement and other risk components, such as KRIs.

Beware of bias: The Financial Conduct Authority (FCA) has said that firms may be guilty of “ostrich bias”, ignoring dangerous or negative information associated with incidents. Firms must be prepared to challenge the various biases which scenario setting can contain.

We live in a world of increasing uncertainty on a global scale, whether from extreme weather events, global pandemics or a targeted cyberattack. Due to globalisation and change in customer behaviours, the impact from these events on organisations is ever increasing. Operational resilience is therefore becoming a key component of enterprise risk management, the “cure” when prevention fails.


 

About the author

Gary has over 10 years’ experience consulting and providing advisory services to a wide range of clients both locally and overseas. He has an MSc in Finance and Capital Markets. Prior to Protecht, Gary spent time with three global banks consulting on risk and strategic change. He started his career in Risk Advisory at KPMG.