Regulatory activity is shifting to emphasize the risks arising from the introduction of digital tools and technology in banks and financial institutions. This is happening as banks face rising competitive pressure to switch to digitally-aided business models in order to rein in costs and keep pace with customer demands in a period of fast innovation cycles. As digitization reorganizes banking operations, new vulnerabilities could create greater urgency to achieve operational resilience.
Operational resilience in financial institutions is an area of focus today, with even Financial Market Infrastructure (FMI) firms working towards achieving it. Regulators worldwide are also progressively examining a firm’s ability to adapt to and recover from operational disruptions, reflecting the key role the financial services industry plays in society and the major impacts that can follow when firms fail to function properly.
A joint paper published by Prudential Regulation Authority (PRA), Bank of England and Financial Conduct Authority (FCA) in 2018 indicated a different approach to the supervision and regulation of operational resilience in the UK. This approach highlights the desired outcome of the continuity of key business services, the significance of banks’ responses to and recovery from disruptive events, and the ramifications for individual accountability and governance. Their approach to building resilience suggests the following measures:
Operational resilience is the ability of businesses, FMIs and the entire banking sector to prevent, respond to, recover from, and learn from operational disruptions. A resilient business can restore its vital business services after major unplanned disruptions, thereby safeguarding its customers, shareholders, and the integrity of the financial system.
Operational resilience is much more than protecting the resilience of individual systems; it also encompasses strategy, governance, business services, change management, information security, and disaster recovery. Avoiding disruption to a specific system that supports a business service contributes to operational resilience. But ultimately, it is the business service itself that must be resilient.
The operational resilience of banks is a primary concern for supervisory authorities and is regarded as no less essential than financial resilience. Here are a few reasons why banks need to be operationally resilient:
As a result of the growing interconnectedness and complexity of financial systems, financial regulators, especially in the UK, have recognized the importance of a co-ordinated approach to operational resilience regulation. The FCA and the PRA/BoE have developed an extensive regulatory framework on operational resilience. Regulators evaluate operational resilience in a holistic manner because of market and technology changes that include:
Operational resilience for banks today is even more important than financial resilience, as a lack of operational resilience could lead to financial volatility. Regulators therefore require banks to identify critical business services and prove their resilience.
With the widespread adoption of digital tools and increased dependence on third parties, a bank’s exposure to external attacks and a hostile cyber ecosystem has increased its need to prepare for and mitigate security threats. Unlike other sources of risk, malicious cyberattacks are difficult to identify and impossible to fully eliminate.
If resilience is not prioritized, core business functions become vulnerable during cyberattacks, insider threats, geo-political events or pandemics. By building resilience, banks gain real-time visibility into processes and critical assets, and they are better prepared with an enterprise-wide plan and response, backed by continuous redesign of business processes and services. Firms that prioritize resilience are shifting their mindset away from the conventional and narrow business continuity/disaster recovery model towards “resilience by design.”
Operational resilience today has gone beyond the realm of a bank, covering the entire complex banking ecosystem, third-party providers, and partners needed to offer services that fulfil customer needs. With the growth of social media, the public is watchful of any outages. Service disruptions therefore can undermine a bank’s standing with customers, regulators, and stakeholders and impact its bottom line.
Industry experts and regulators are advising banks to think more broadly about building resilience. The breadth of this concept can make it challenging for boards to build effective oversight practices. A robust technology solution can bring all aspects of an operational resilience framework into a single unified platform. An operational resilience solution should not only help meet operational resilience-related regulatory requirements, but also enable companies to achieve operational resilience by embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for potential disruptions. A single, integrated, interconnected data model should unite data, remove friction between functional silos, and serve as a single source of truth for real-time, risk-aware decision making.
The solution should also support the data contextualization needs of various organizational lines. Stakeholders should assess risks and control effectiveness from multiple perspectives, and drive their individual governance areas, while aggregating risk outcomes to provide a single view of the inherent and residual risk exposure at various levels of the organizational hierarchy. This cohesive approach facilitates a common understanding of enterprise risk exposure while helping users enhance the completeness, accuracy, and integrity of risk data. Members mentioned a few areas of emphasis for boards to help them create useful practices:
Preserving and enhancing operational resilience helps organizations build trust with regulators, customers, and the economy. If there is no efficient and thorough resilience management framework in place, banks are unlikely to recognize and understand any developing internal and external resilience challenges. A proper framework must have the following key elements:
Trigger Business Impact Analysis (BIA) surveys to identify critical assets and processes. Map Recovery Time Objective (RTO) and Recovery Point Objective (RPO) dependencies through the product’s business process modeling capabilities and visualize these with the Data Explorer. Plan, schedule, and perform both top-down and bottom-up risk assessments. Route the results for review and approval. Enable simple assessments by rating risk, and advanced assessments using multiple factors and risk scoring, to accommodate variations in risk assessment methodologies across business units, assets, processes, regions, and products. Also, assess the overall control environment based on multiple factors. Define the logic for computing inherent and residual risk scores and analyze them through heat maps. Aggregate risk scores by multiple dimensions, including organization, objective, product, process, assessable item or risk hierarchy, for improved risk visibility.
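The scoring and roll-up logic described above can be made concrete with a small worked example. The following Python is an added illustration, not the product's own logic: it uses a hypothetical 5x5 likelihood-by-impact scale, computes inherent and residual scores for a constructed risk register, rolls the residual score up by dimension (organization or process) using a worst-case rule so that one poorly controlled risk is not averaged away, and runs a simple RTO dependency check of the kind a BIA dependency map supports. All names, scales, bands and sample data are assumptions made for the example.

```python
"""Added example (not the vendor's code): a toy risk register with inherent and
residual scoring, worst-case roll-up by dimension, and an RTO dependency check.
All names, scales and sample data below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Five-point ordinal scales; their product gives an inherent score of 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class RiskItem:
    risk_id: str
    org_unit: str                 # dimension: organizational hierarchy
    process: str                  # dimension: business process
    likelihood: str
    impact: str
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully mitigated)


def inherent_score(item: RiskItem) -> int:
    """Risk before controls: likelihood x impact on the 5x5 matrix."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def residual_score(item: RiskItem) -> float:
    """Risk remaining after controls; a weak control leaves most of the inherent score."""
    if not 0.0 <= item.control_effectiveness <= 1.0:
        raise ValueError(f"{item.risk_id}: control effectiveness must be in [0, 1]")
    return round(inherent_score(item) * (1.0 - item.control_effectiveness), 1)


def heat_band(score: float) -> str:
    """Bucket a score into the heat-map bands used for board reporting (assumed cut-offs)."""
    if score <= 5:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def aggregate(items, dimension: str) -> dict:
    """Worst-case roll-up: the highest residual score within each value of `dimension`
    (e.g. 'org_unit' or 'process'), so one badly controlled risk is not hidden by averaging."""
    worst = defaultdict(float)
    for item in items:
        key = getattr(item, dimension)
        worst[key] = max(worst[key], residual_score(item))
    return {key: (score, heat_band(score)) for key, score in worst.items()}


# Constructed dependency map: business service -> assets/processes it needs.
DEPENDS_ON = {
    "card-payments": ["auth-switch", "core-ledger"],
    "auth-switch": ["hsm-cluster"],
    "core-ledger": ["primary-db"],
}
# Constructed recovery time objectives, in hours, per service or asset.
RTO_HOURS = {"card-payments": 2, "auth-switch": 1, "core-ledger": 4,
             "hsm-cluster": 1, "primary-db": 8}


def slowest_dependency(service: str, seen=None) -> tuple:
    """Return (name, rto) of the transitive dependency with the largest RTO.
    A service cannot recover faster than the slowest thing it depends on."""
    seen = set() if seen is None else seen
    worst = (service, RTO_HOURS[service])
    for dep in DEPENDS_ON.get(service, []):
        if dep in seen:
            continue  # guard against cycles in a hand-drawn dependency map
        seen.add(dep)
        candidate = slowest_dependency(dep, seen)
        if candidate[1] > worst[1]:
            worst = candidate
    return worst


def rto_gap(service: str) -> int:
    """Hours by which the slowest dependency's RTO exceeds the service's own target (0 if none)."""
    _, dep_rto = slowest_dependency(service)
    return max(0, dep_rto - RTO_HOURS[service])


# Constructed sample register (not real data).
REGISTER = [
    RiskItem("R1", "Retail", "card-payments", "likely", "severe", 0.8),
    RiskItem("R2", "Retail", "card-payments", "possible", "major", 0.2),
    RiskItem("R3", "Treasury", "core-ledger", "unlikely", "moderate", 0.5),
    RiskItem("R4", "Treasury", "settlement", "rare", "negligible", 0.0),
]

if __name__ == "__main__":
    for item in REGISTER:
        score = residual_score(item)
        print(item.risk_id, inherent_score(item), score, heat_band(score))
    print(aggregate(REGISTER, "org_unit"))
    print("card-payments RTO gap (h):", rto_gap("card-payments"))
```

Two design points matter for resilience reporting. The roll-up uses the maximum rather than the mean, because a board wants to see the single worst-controlled exposure inside a unit, not a comfortable average. The RTO check flags a service whose own recovery target is tighter than that of something it depends on (here, a 2-hour payments target sitting on an 8-hour database target), which is exactly the kind of inconsistency a BIA dependency map exists to surface.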
Banks must ensure that all new partnerships or initiatives are properly scrutinized and reviewed for risk, and that controls are confirmed to be in place. As part of vendor due diligence, robust vendor risk assessments must be performed to surface all issues upfront. As part of the assessment, banks must consider all types of vendor risk: cyber, information security, operational, business continuity, anti-corruption, negative media coverage, and so on.
Banks must upgrade legacy systems without delay. They may prefer to be more cautious, in an environment where banks often make the headlines for suffering IT failures and cyberattacks. However, delay itself raises resilience concerns.
Manage, track, and close issues and actions triggered by risk assessments, control evaluations and business impact analysis. Leverage AI/ML to quickly identify related issues and recommend issue classification. Recommend action plans to modify controls or define new controls as part of the issue remediation process. Monitor the status of the implemented actions at every stage and track them to closure.
Automatically validate vendor information and identify “red flags” based on globally sourced content around cybersecurity, finance, sustainability, regulations, disaster and hazard, corruption, reputation, sanction lists, Politically Exposed Persons (PEPs), Special Interest Persons (SIPs), state-owned enterprises, and adverse media listings.
Boards must be notified early when an incident occurs. Post-incident investigations almost always find that communications failed and the board was not informed in time.
Help risk managers present key risks and convince the board to take the actions needed to avoid major disruption in a crisis.
Achieving and preserving enterprise resilience is important for banks if they are to meet existing and pending regulations, keep pace with customer demands, and defend themselves against major internal and external service risks.