6 minute read 28 Jul 2021
Two people standing on the edge of cliff

What good risk management means for operational resilience

By Mark Watson

EY Americas Financial Services Managing Director and Board Matters Deputy Leader

Transformational leader. Advisor on matters delivering global impact and strong governance. Passionate about sound public policy. Avid moviegoer. Electronic dance music fan. Proud Anglo-American.

6 minute read 28 Jul 2021

The 11th annual EY/IIF global bank risk management survey inherently links strong risk management and robust operational resilience.

In brief
  • COVID-19 has seriously tested banks’ operational capabilities and highlighted priorities such as cybersecurity that they need to consider in the future.
  • Banks must do better at building in resilience by design to recover quickly from ongoing challenges and disruption.
  • CROs should proactively propel operational resilience high on agendas to ensure banks operate efficiently and effectively within a wider financial ecosystem. 

Banks’ operational resilience has been severely pressure-tested throughout the pandemic. Prior to COVID-19, banks typically ran simulations to see how long they could sustain services during a disruption lasting days or weeks. COVID-19 has tested these capabilities for well over a year. The good news is, for the most part, systems worked. But the experience has highlighted a number of priority enhancement areas, such as cybersecurity and the management of third parties, that banks need to address as economies continue to emerge from the pandemic.

A majority of chief risk officers (CROs) understand that operational resilience is a firm-wide risk mandate and an imperative because it affects every aspect of how banks serve customers and communities. Today, many banks have pivoted their strategic initiatives to focus on how their organizations can better support firm-wide resilience. Yet, more work needs to be done.

One distinct outcome of the pandemic is the need for banks to build in resilience by design. To do so effectively, as shown in the 11th annual EY/IIF global bank risk management survey, CROs can no longer be passive observers of operational risk; rather they need to be drivers. Operational resilience doesn’t only relate to value creation and the services banks provide to customers – it also comprises the work banks do internally. Greater operational resilience increases the responsibility of second-line risk management, and CROs understand that this resilience must align to strong operational risk practices.

Cyberattacks: a question of when, not if

It is now assumed that all organizations, including banks, have been hacked and at some stage will face a material attack that could cease core operations. Businesses are being advised to review their corporate security positions and business continuity plans to ensure they can continue or restore operations quickly, especially core services such as checking accounts and payments. Consequently, the primary question all institutions must grapple with is how they are going to manage through and recover. Recent ransomware attacks across various industries have accelerated the conversation around how organizations can improve both their cyber and operational resilience capabilities.

Enhanced regulatory requirements

61%

of banks expect higher standards for cybersecurity.

Many governments globally are urging business leaders to take immediate action to prepare for such attacks, warning that cyber criminals are changing tack from stealing data to disrupting core operations.

Where your data lies

To date, most banks haven’t had a uniform approach to data management. Regulations, such as General Data Protection Regulation (GDPR), have forced firms to ensure they have the appropriate documentation to properly use, move, access and, when necessary, delete data. But this is not enough. Staying on top of data monitoring is one thing, managing critical data that support continuity of core services across complex organizations, is another.

Banks not only need the right technology to manage this data, but crucially, a deep understanding of their data identification and data governance processes across the entire business. In practice, this involves figuring out the impact of daily transaction data on banks’ services. Curating data properly is not just a defensive priority. Banks’ ability to convert data into insight, and insight into sustainable value, is an effective way to develop new revenue streams and commercial models. Organizations that recognize this opportunity are creating new roles around data stewardship to work in conjunction with resilience officers who are embedded in the corporate function.

Tech resilience isn’t just about technology. It’s about the data that feeds it.

Building a sustainable, repeatable process to aid recovery after a successful cyber attack is paramount and banks can do this by prioritizing critical data to better support their essential services.

Being part of the value chain

Whether you’re a small community bank or large global universal bank, other organizations in your value chain are imperative to your operational resilience. CROs must consider how they work with each and every important player in their ecosystem to understand the impact of resilience risks to their organization, and conversely, what risks their institution poses to the wider ecosystem. Here, greater collaboration is crucial in understanding how other businesses are set up and what the expectations are of all participants across the ecosystem.

As banks have been pushed by regulators to focus on the end-to-end continuous delivery of services, they have had to assess whether each third party is critical or not. If the service is critical, so too is the third party that supports it (and even more so, third parties that support multiple critical services). This includes services provided to customers, as well as internal or enterprise-wide functions critical to operations.

There is a clear expectation that banks are already planning for greater scrutiny of third parties from a testing perspective, both in terms of continuity of support and of developing broader, deeper conversations with the most critical vendors. The survey shows that 74% of respondents expect higher standards for monitoring critical third-party service providers. This is going to push banks to elevate their maturity in terms of how much transparency they want with these vendors. Banks must perform other tasks, such as concentration risk analyses and looking at single points of failure, to ensure their operational resilience is robust.

How to achieve operational resilience

Banks learned a lot about the quality of their operational resilience during COVID-19 and have shared these learnings with both their boards and regulators. CROs expect regulators will subsequently use those insights to strengthen regulation – indeed, 93% of bank CROs expect tougher resilience standards ahead, especially in data protection, cybersecurity, and end-to-end testing.

However, there isn’t just a regulatory need to improve operational resilience, there’s a business incentive too. With ongoing threats and disruption, banks cannot treat resilience as a stand-alone issue. Instead, it must be built into the fabric of organizations’ decision-making processes, transformation programs, and digital and technological capabilities immediately. CROs can help to shift how banks think about resilience processes by building the necessary business case to secure more investment in resilience measures.

Being more proactive is a major theme when talking to CROs about what they learned about operational resilience during the COVID-19 crisis. There is widespread recognition that no bank had a business continuity plan good enough for a global pandemic of this magnitude.

The lessons learned are now making their way into how organizations will operate in the future. For example, the more executive management teams are informed about risks, the more understanding they have of the critical information, thereby accelerating their risk acceptance decisions. Additionally, there is a greater recognition that resilience is made up of many components, with each playing a crucial role. The pandemic has helped to break up a traditionally siloed mentality toward resilience, to ensure that each operational capability works in harmony with another.

EY leaders and the IIF discuss key findings of the 11th annual EY/IIF global bank risk management survey.

The webcast replay and podcast explore the top priorities – including climate change, credit risk, cybersecurity and the impact of technology – and what that means for risk management.

Webcast replay    Listen now

Summary

Banks are no different than other organizations in needing to change how they think about building in resilience by design so as to ensure greater operational resilience and the power to withstand continued disruption in the months and years to come.

About this article

By Mark Watson

EY Americas Financial Services Managing Director and Board Matters Deputy Leader

Transformational leader. Advisor on matters delivering global impact and strong governance. Passionate about sound public policy. Avid moviegoer. Electronic dance music fan. Proud Anglo-American.