For more than 15 years – since the H5N1 avian flu virus emerged as a threat in 2006 – pandemic risk has featured low, if at all, on the risk radar of banks. At that time the World Economic Forum’s Global Risks Report sounded the alarm on pandemics and other health-related risks, warning that a “lethal flu, its spread facilitated by global travel patterns and uncontained by insufficient warning mechanisms, would present an acute threat.” Overtaken as a matter for concern by the collapse of the financial markets in 2008, pandemic risk sank to the bottom of the pile until 2020 – when supposition became deadly reality.
The 2021 Global Risks Report now cites pandemic risk as the fourth most likely risk, with the greatest potential to impact a bank’s business continuity.
The pandemic has led large, systemic banks to a crossroads. The route they take now will determine how effectively all stakeholders are safeguarded in the future – customers, employees, executives and the board. For many smaller financial institutions, sadly, it is reported that up to 4,000 “low resilience” businesses in the UK are already at risk of harming customers or total business failure.
Without doubt, Covid-19 has proved to be the greatest operational or non-financial risk stress test of all time, and operational resilience is now the #1 concern in financial services.
Many factors have led to heavier reliance on technology and third-party service providers, including remote working and the need to onboard new customers online. For cyber criminals, work-from-home arrangements with remote access to corporate networks have significantly expanded the attack surface. Financial crime and money laundering has thrived on the move to go digital, and according to Acin’s Risk Intelligence there has been a 30% rise in controls related to conduct risk supervision and surveillance since the pandemic emerged.
As governments, businesses and societies survey the socio-economic damage inflicted over the last year, strengthening strategic foresight is emerging as a critical success factor. With the entire world more attuned to risk and redundancy there is an opportunity to identify and communicate effective risk management practices to decision-makers, and garner support for a step-change in risk culture and aversion practices throughout your organisation, for evermore.
Moving forwards, financial institutions must conduct comprehensive stress tests to demonstrate their preparedness for managing operational disruptions. Maintaining business continuity, mitigating cyber risks, preventing IT outages, ensuring system and data access and availability, managing IT obsolescence and strengthening third-party risk management are among the key areas that will be scrutinised by regulators.
A comprehensive operational risk management framework needs to include emerging risks through the lens of scenario analysis, which in turn needs good quality data and a view of all processes and controls throughout each function. Looking at scenarios in departmental silos, in isolation from the inputs and outputs of each process, is no longer feasible for managing risk in a world where the effects of every incident have such far-reaching consequences.
Cracks have emerged within the three lines of defence model favoured by banks since it was introduced by the Institute of Internal Auditors in 2013, because business, compliance, operational risk and audit functions must now work hand-in-glove, front-to-back, to maintain sufficient defences to survive a global pandemic unscathed. There is also growing recognition that a culture of risk management – throughout the entire organisation – must be nurtured to provide ultimate protection for customers, the firm and its executives. The ownership of controls, and clarity around the role that every employee has to play in managing risk, needs practical implementation; tone from the top is critical to get this in motion.
Can data-driven intelligence enable a more resilient financial ecosystem? One where banks concentrate on their core business and are supported by a network of data-driven insights that guide and inform their risk management practices?
Debating these topics in a webinar on February 23, 2021 at 13:00hrs (GMT) will be operational risk management experts Rupal Patel (Acin), Damian Hoskins, Stephen Mascall (Credit Suisse) and Samantha Ng (Deutsche Bank).
Register now to join the discussion.