- The pandemic has unleashed an unprecedented wave of risk events on banks.
- Their finances were prepared, thanks to vast reforms after the credit crunch. Now regulators want to beef up their operational and non-financial risk management capabilities.
- It envisages putting risk managers at the centre of a great and complex web of data flowing to and from every part of the business.
- They will be responsible for keeping the show on the road when any kind of disruption strikes at their bank’s key functions.
It can be a tough and thankless life working as a financial regulator. Nobody notices you until things go wrong. Officials are never credited with stopping the crises which never happened – only blamed when the financial system hits a wall. After a crash, it falls to regulators to pick up the pieces.
At that point they are typically accused of ‘fighting the last war’, neglecting the assorted other risks which could threaten banks and economies in future, while crushing growth with radical new directives. Yet all of the preparation done by banking authorities ended up saving the day when the coronavirus pandemic swept the globe.
This was not on the list of likely risk events identified in the Bank of England or the Federal Reserve of the European Central Bank. China was a hazard, because of its economic clout and vast and opaque debts. US corporate debts were on the watch list, and so was the possibility of another Eurozone crisis.
So how did the banking reforms of the past decade help keep the financial system not just afloat, but actively helping as a deep source of funds in this unforeseen crisis? The key is in the consistent and vigorous application of data in pushing banks to beef up their capital buffers, allowing them to face shocks and power on through to fulfil their central role in the economy, instead of hunkering down and slashing lending in a desperate effort to survive. Banks’ financial risk models were rigorously re-examined and adjusted under the auspices of a new global regime.
All banks had to apply tighter new capital risk weightings to their loan books, based on closer studies of those assets’ performances through the economic cycle. The basis of their financial stability was roughly steady across nations and different parts of the industry. Regular stress tests applied hypothetical global crunches to their books to see how resilient each bank was, and how it could stay afloat. All of this took vast quantities of data from each bank and regulator, packaged into consistent formats so it could be properly analysed.
The result was a robust industry which has performed far better than in the financial crisis, despite the unprecedented scale of this economic crash and rebound. But the pandemic has opened up other risks which were not identified by the financial risk analysts.
The Covid reset
Disruption on a previously unimagined scale struck every industry, including financial services.
Customers stopped visiting branches. Entire offices were deserted, all staff forced to work from home. IT systems took the strain, with the extra pressures that were placed on support services. Security protocols had to be re-written to let, for instance, call handlers answer customers from their kitchen tables instead of the service centre.
New working practices combined with the high pressure of Government lending programmes, operating through banks, opened up fraud risks. It sent organisations into overdrive to ensure they could provide the critical functions of a modern economy.
Into this morass steps the Basel Committee, the organisation which played a key role coordinating the global response to patching up the banking system after the credit crunch.
In its sights this time is operational resilience, rather than financial risks. It has identified seven key aspects in a new consultation, Principles for Operational Resilience.
They are as follows: “governance; operational risk management; business continuity planning and testing; mapping of interconnections and interdependencies of critical operations; third-party dependency management; incident management; and resilient information and communication technology (ICT), including cybersecurity.”
At the same time it is revising its principles for the sound management of operational risk, most notably by adding a principle on ICT risk. These are not going to be new ideas for risk managers. But all have been intensified and put to the test by the pandemic.
Governance, for instance, has been increasingly the focus of regulators and investors, worried that the excesses of the pre-financial crisis years, from bad loans to customer mistreatment, would have been lessened by better structures and systems to allow proper scrutiny of business operations. The strength of those governance procedures and structures has been tested by the pandemic.
IT and cybersecurity risk was already frequently in the news, either from malicious attacks or accidents within companies hitting their ability to provide services, putting company or consumer data at risk, and causing reputational harm. Now more businesses are utterly reliant on IT working well to coordinate staff and serve customers. Business continuity planning has been relied on heavily, as businesses needed alternative centres for work and new work from home protocols, and faced the risk of losing key staff to the virus.
All of this extends to key suppliers, from IT contractors to recruitment agencies to commercial landlords, whose ability to help banks operate domestically and internationally was also threatened by the pandemic.
The purpose of Basel’s overall programme is to seek to rationalise these disparate, and potentially overwhelming, layers of risk into a coherent framework. This consultation pictures risk managers at the centre of a great web of information, a nerve centre in the business with data flowing in both directions.
Its vision is one in which managers can assess which risks each business unit faces, and how to respond to each; what risks face the wider business; how those risks interact; and how the critical functions of the company can withstand the crystallisation of those risks in any particular business unit. That is to say: what does the centre need to do to make sure the bank can keep working if something goes wrong?
There are certainly precedents for mapping out business functions in this way. For instance Britain’s Financial Conduct Authority insists financial services firms have named individuals with responsibility for each and every part of their operations.
This part of the Senior Managers Regime was introduced to ensure bosses could be held to account for any disasters on their watch, as well as for any bad behaviour by their underlings. It was designed because regulators frequently found it impossible to pin the collapse of Royal Bank of Scotland, and subsequent discoveries of customer mistreatment, on any particular individual. When RBS was the world’s largest bank, it apparently became too complex to know which executives were in charge of each part of the business.
Yet the latest vision from Basel is on a much greater scale. Instead of seeking to allocate blame, it imagines very active risk management to stop bad things from happening, and to have plans in place to react if and when they happen anyway. So what happens next?
A new era for operational resilience
Basel’s consultation asks interested parties a series of questions on the principles. Do they cover all of the right topics? Could the list benefit from some consolidation? For those who have been put through their paces this year, the Committee also wants to hear lessons from Covid-19. This indicates the extent to which regulators are aware the pandemic could rewrite the rules on operational resilience, much as the credit crunch did for financial risk.
The financial crisis was unusual as it was such a wide-spread crash, engulfing much of the world. By devastating the banking industry, it seeped into the wider economy in dramatic style.
When businesses might have been able to cope with trouble in one market, or even the economy of an entire continent, a global shock was tougher to handle. Similarly the pandemic has swept the globe, with serious impacts on the operations and viability of every type of business, changing the way we all live and work in a way hitherto barely imaginable.
The other strand is to try to quantify the risks facing banks. As the consultation asks, “What kind of metrics does your organisation find useful for measuring operational resilience? What data are used to produce these metrics?” Key in bolstering financial resilience was putting banks’ financial exposures into one framework, counting up loans, weighting them for risk and calculating how much capital banks should hold against those risks.
The result was that banks had to hugely increase their capital buffers. So far, it has served them, and the wider economy, well in this crisis. But how to do that with operational risk?
At the heart of a great nerve centre
Coming up with a single metric to tot up risks around cybersecurity, supplier reliability, and each of the many other threats to business viability is a mind-boggling complex task. It is a case of comparing apples and oranges, and many other fruits besides. The task is complicated by the lack of fungibility. When it comes to loans, if a bank gets into trouble on, say, commercial real estate loans, at least it may have a stronger residential mortgage business which keeps the revenues flowing.
But operational risks and resilience do not behave in the same way as financial risk. If operations are flattened by an IT failure, then the resilience of some unrelated supplier will not help keep the bank’s critical functions on track. The loss of key staff to a pandemic cannot be helped by a great incident management function.
This great nervous system imagined in the Basel papers is powerful and streamlined. Expect the job to be tough, still thankless – and potentially extremely complicated.
Network Standard is the new industry publication for non-financial risk management leaders, delivered to you by Acin. Sign up here to join our community.