Over the last 12 months, financial institutions and regulators have been re-imagining what it means to be a resilient organization. The most disruptive event in modern history also has been the most instructive in terms of expanding the industry’s collective understanding of operational risks and the capabilities required to withstand them.
While the jury is still out on the important lessons to be learned from COVID-19 (the pandemic continues to wreak havoc in unprecedented ways), this event has affirmed a few things: Systems will fail, processes will be disrupted, cyberattacks will be successful, and pandemics will occur. The principles of operational resilience, which various regulators around the world have been honing and institutions have been readying to implement, draw specific attention to this inevitability.
During this week’s European Capital Markets Technology & Innovation’s virtual series, organized by the Association for Financial Markets in Europe (AFME), Protiviti joined a panel of industry leaders to explore the changing resilience landscape. Based on the panel discussion, as well as our own published thought leadership on operational resilience, there are a number of critical factors for financial services organizations to consider with regard to their future operational resilience.
Re-imagining Resilience by Applying the Lessons of Today’s Crisis
At its core, operational resilience — defined in various ways by regulators — is the intention to guide firms to develop a methodology and a system of processes and controls that would minimize the impact of a disruption to their operations, their clients and the broader economy. To put it simply, it encompasses the coordinated efforts needed to identify an organization’s vulnerabilities and the plans and controls required to mitigate impact.
In Protiviti’s and SIFMA’s jointly published report, COVID-19: Initial Lessons Learned and Considerations for Managing a Global Pandemic, we note that financial institutions are leveraging initial lessons from the pandemic to reassess their approaches to the foundational elements of operational resilience. Among the various ways the initial lessons are being applied, these three areas stand out:
- How firms define and deliver their important business services and processes.
- How firms manage their workforce in a mostly distributed environment, and the implications on service delivery, productivity, cybersecurity and resilience.
- How essential third-party service providers are managed.
Planning for the ‘Implausible’
Regardless of how they are described (whether critical operations or core business lines, as per the Federal Reserve’s recent “sound practices paper”), organizations should test important business services and processes against a range of severe scenarios, particularly those many considered implausible pre-COVID-19. Re-imagining resilience in a post-pandemic environment should, as an example, include contemplating what would happen to delivery capabilities should a severe illness or fatality incapacitate 50 percent or more of an organization’s workforce.
Cloaking Critical Functions in the Cloud
The ability to quickly marshal a remote workforce was a sign of the industry’s agility. However, with many employees (including security professionals) now working outside the safety and secure perimeter of the workplace, many institutions are struggling to manage an increase in cyber, data and privacy security risks. For most organizations, resilience re-imagined should include transitioning critical functions and applications to the cloud to enhance compliance and resilience.
Keeping Your Third-Party Partners Closer
A resilient organization should consider bringing third parties meeting certain criteria into their direct supervisory remit and into their information-sharing network. As the Financial Stability Board noted in a recent discussion paper, third-party providers who deliver core services should be treated as “essential personnel” so that a limited number of staff necessary to operate critical functions may be required to remain on-site during the pandemic as opposed to being able to work remotely.
Evolving Regulatory Guidance and the Biggest Risk to Resilience
There is now much more clarity from various governing bodies on their perspectives of how firms need to align on operational resilience, with few notable differences. Additionally, the financial services industry and its regulators have forged stronger partnerships in many areas of regulatory relief – such as relief on requirements for wet signatures – demonstrating the need for ongoing dialogue and collaboration to manage through crisis events. Still, the industry should not expect a lending hand from regulators in future resilience events. As noted in the “Lessons Learned” report, some argue that making permanent certain forms of temporary regulatory relief granted to the industry during the pandemic would increase risk-taking behavior – in other words, could make institutions less resilient.
That said, the biggest risk to resilience may have little to do with what regulators may or may not do – although that is critically important. In our view, complacency is the biggest risk. While the industry deserves much credit for how well it continues to weather the brutal impact of the pandemic, many experts agree that COVID-19 has so far not been a really good test of operational resilience; rather, it’s been a great test of traditional business continuity and incident management planning. We may not be able to say the same about the next severe-but-plausible event.
To avoid the dangers of complacency, financial institutions should continue to contemplate resilience events that fall outside their pre-conceived notions of what is possible. For instance, they should continue to plan for events that are asymmetric – like those that may be localized to their firm alone or to a segment of the market where they are the predominant player. They should re-imagine events that can happen rapidly, without warning, and may occur in concert with other crippling and uncorrelated incidents. In essence, re-imagining resilience should mean never going back to our comfort zones.