How the Pandemic is Forcing Businesses to Rethink Operational Resilience

Introduction

The recent pandemic has generated an unprecedented health crisis that is affecting people and businesses globally. However, its consequences go far beyond the spread of the virus itself. It has thrown up both challenges and opportunities to organizations across industries. For the banking and financial services industry, for example, it has marked a year that put its risk-taking abilities, business sensibilities, mental and organizational strengths through acid tests. However, despite a few glitches, most financial services organizations have been able to carry out operations smoothly, thanks to their digitization efforts.

Over the last year, the financial environment has been changing dramatically, forcing financial institutions to rethink and adapt their business models to the new circumstances. To fight the economic turmoil caused by the pandemic, many countries have already put in place extensive financial measures to support their people, businesses, financial institutions, local governments, and financial markets hit by the economic fallout.

While rapid digitization transformed many businesses, it also gave rise to digital risks. Geopolitical tensions have deepened as new working practices and use of new collaboration tools create fresh cyber vulnerabilities and points of weakness for fraudsters and criminals to exploit. And the huge swings in financial markets exacerbate credit and liquidity risk, leaving businesses of all sizes threatened at multiple levels. Due to remote working and rapid digitization, the year 2019 and 2020 witnessed the highest number of cybersecurity breaches, financial frauds and third-party risks.

There has been immense pressure on CROs and risk leaders around the world to manage operational risks in order to avoid any disruptions to businesses and meet ever increasing regulatory requirements. At the other end of the spectrum, regulators are being extra vigilant to ensure that banks and financial services companies deploy necessary controls and measures to avoid any disruptions. So how is it possible to comply and at the same time turn risk into advantage?

It is now critical for companies especially banks and financial services institutions, and regulators to work together to create the conditions where companies take advantages of business growth opportunities and accelerate digital transformation while remaining operationally resilient throughout. By the way, operational resilience is not new to banks. In the past it was tackled in silos. For example, operational risks and business continuity planning were not interconnected and typically measures were taken to prevent a crisis rather than to prepare for it.

This work needs to start now, and focus should be given to continuing critical customer services, applications, and data and technology infrastructure while minimizing the risks of fraud, data protection, and cybersecurity issues created by third parties. Organizations will need an approach that accelerates the digitization and automation of many activities, evaluates third parties thoroughly, and provides an even stronger core with robust operational resilience that is able to withstand sudden setbacks such as the current crisis.

Key aspects of not just navigating through, but thriving on disruptive risks that are interconnected and emerging, are:

1. Identifying key risks, critical assets, systems, processes, and services that can disrupt your business operations. Performing business impact analysis of these critical services to ensure business continuity. Organizations with robust controls and control testing have proved to be more prudent and risk-aware in times of uncertainty.
2. Aligning risk appetite and impact tolerances to business strategies: Connecting risk appetite to  strategy elucidates the level of risk associated with a strategy. It also facilitates the discussions on whether alternative strategies would present more attractive risk/return tradeoffs, given the organization’s risk appetite. The first step in developing a robust risk appetite framework is to get a comprehensive visibility and understanding of the risks at the organization level. These risks should be further classified into various risk categories including strategic, climate, operational, compliance, third-party, cyber and digital. GRC technology helps companies streamline activities related to risk identification and management. An agile approach to risk management ensures that companies adapt and realign risks and risk appetite to take advantage of an adverse situation.
3. Dealing with cybersecurity and digital risks: In a data driven world, digital transformation plays a key role in getting ahead of competition, meeting growing customer requirements, and accelerating business opportunities. However, this also poses digital and cybersecurity risks. These risks need to be prioritized and addressed accordingly. Safeguarding enterprises against various digital risks that include technology related risks, operational risks, third-party risks, strategic risks, and cyber risks is not just a role of the CRO but also of the CISO and CIO. This approach should look to achieve balance between workload priorities and resource mobilization between the three lines, while enabling the frontline to identify and report risks, issues and losses for immediate attention and actions. This improves decision-making and the management and mitigation of IT risks and threats with accurate and timely insights, from across the cyber infrastructure. In addition, cyber quantification can greatly help the CISOs and CIOs to make risk-based decisions safeguarding key infrastructure and data, but also to guide the strategic conversation with the board around cyber resilience to justify their investments on infrastructure, technology and tools to protect data.
4. Empowering the frontline: Organizations can prevent adverse incidents by empowering business users to proactively capture and report irregularities that could impact the organization. Leaders from various departments in an organization need to come together to instill integrity by enabling the frontline to raise a hand and report unethical activities anonymously. Taking consequent action will help build confidence that the appropriate risk mitigation has been adopted to address emerging risks
5. Advanced technologies to manage interconnected risks: Today risks are not just becoming visibile, but they are also interconnected in nature. Companies need advanced technologies to manage the volume and velocity of data and harness actionable insights.  Advancements in artificial intelligence (AI) and machine learning (ML) will make the process more efficient and effective. The process of capturing and aggregating issues and risk events from the first line can be quite time-consuming and resource-intensive due to the large number of participants involved. However, technologies like robotic process automation (RPA) and chatbots have exponentially increased the ability of risk functions to gather information from the first line in a simple, efficient manner. For example, at a leading mortgage financing company, mobile-device-based chatbots offer an easy and jargon-free way for first-line participants across the organization to report issues and risk events.

A key lesson we have learnt from the pandemic is that it is critical that one is prepared, ready to adapt and respond, and learn from a crisis to stay resilient. Going forward, operational resilience will become a pivotal imperative for organizations. The operational resilience approach should be integrated with risk appetite, setting impact tolerance on the provision and availability of critical activities in this time of distress. This will guide the board and the senior management to to make risk-aware decisions, even through disruptions,  on investments and expansion into new products or territories.