The word ‘unprecedented’ may have become a cliché when describing the COVID-19 pandemic. But for the banking industry, the effects of the pandemic were indeed unprecedented, with employees working remotely, branches limiting access to the public, and a growing need for digital capabilities. Banks had to make swift and drastic changes to the way they operate in order to stay in business.
But while the pandemic wreaked havoc on some banks, others were able to navigate, survive, and even thrive, thanks to their readiness to respond to large-scale disruptions. Their secret? Preparedness and commitment to building operational resilience.
Looking forward – the next 18 months
We’ve come a long way since last summer. Vaccination programs are being rolled out globally, workers are returning to the office (or adopting a hybrid remote working model), and business is adapting to the ‘new normal’. But if the last 18 months have taught us anything, it’s that the most unexpected events can hit without warning, completely disrupting business as we know it. For banks, now is the time to re-evaluate and strengthen operational resilience plans to futureproof against the next disaster.
Of course, operational resilience isn’t new. Regulators like the Bank of England, the FCA and Federal Reserve Board have been maturing recommendations on operational resilience since 2019, and this only accelerated in 2021. Recommendations and guidelines are quickly turning into rules – so for banks that have not yet established a robust resilience plan, now is the time to do so.
Time is running out. There are only a few months left to prepare for looming UK regulatory requirements. Beginning March 2022, institutions including banks, building societies, designated investment firms, insurance firms, e-money, and payment services firms must identify, map, and set impact tolerances for important business services. Beyond ensuring preparedness to protect your reputation, operational resilience is now becoming a matter of remaining compliant.
With recent disruptive events and regulatory pressure in mind, over the next 18 months, we should see bank leadership and the C-level get more involved in resilience planning. As a result, we can expect clear commitment and investment in resilience planning – whether it is funding for solutions, dedicating time to develop plans, or hiring new experts.
While bank leaders will without a doubt be inundated with a variety of resilience solutions, it’s crucial to remember that technology cannot solve everything. Before blindly throwing money at the problem, over the next few quarters banks should focus on promoting a culture of resilience. Marrying leading-edge technology investments with a culture shift within the workforce is the key to creating a truly resilient organisation.
Third-party vendors – the overlooked piece
Over the last 20 months, we have seen the integral role third-party vendors play in determining the resilience of organizations. No bank exists in a vacuum, as indicated by extensive reliance on third-party vendors. Recently, the Financial Stability Board highlighted that a single point of failure could be created if a widely used third-party vendor experiences a disruption, thus causing a domino effect in the market.
While third-party risk management is vital for banks, it is not a box-checking exercise. Typically, third-party risk management focuses on risk assessments, due diligence, and contract management, but these precautions are not failproof in today’s environment. Banks require ongoing third-party monitoring. Signing a contract is not the end of analyzing vendor risk; instead, it is just the beginning.
Expectations without monitoring are ineffective. Banks must establish and enforce ongoing monitoring requirements to ensure adherence to terms. There is no one-size-fits-all approach for banks or vendors. Ongoing monitoring must be tailored to each specific type of vendor for a well-functioning third-party risk program.
Ongoing monitoring helps banks evaluate issues and form a plan before disruption ensues and hinders their ability to deliver on their promise.
The right tools, the right skillset
The investment in resilience technology is invaluable, when done correctly. The focus should be on achieving a centralized, simplified – yet detailed – view of risk across the bank’s functions. It should offer risk managers any complex data they require, while also being easy enough to understand for any employee in the bank, from the CEO to the back-office starter.
Resilience technology needs to support the breaking of silos between departments, including business continuity, incident and crisis management, disaster recovery, cyber risk, and other risk areas. If investing in new solutions, banks must review their compatibility with existing solutions. Do they integrate with new investments? Will the new technology replace them?
Having the right tools will give banks the skillset they need to identify their weaknesses and build a strong line of defence. Resilience technologies help banks identify data dependencies and simulate the range of possible outcomes in case of disruption, while resilience experts – both in-house and external – can help guide the way forward. This tandem approach, utilising both technology and people’s expertise, helps to build a robust, agile response plan, ready to deploy.
The ideal scenario? The resilience and continuity plan is activated so quickly that employees, customers and partners do not even know a potential disaster has been averted.
A CIO in shining armour
As bank executives advance their operational resilience strategies, the CIO is at the heart of this operation. CIOs manage the bank’s technology resources, develop infrastructure support plans, scan the market for cutting-edge software and solutions, and lead the IT teams to keep the bank running seamlessly. In short, the CIO is key to a robust resilience strategy.
A bank’s CIO is best placed to deliver the most technologically advanced, comprehensive resilience plan, while also considering spend. It would be wise for banks to engage their CIOs to construct a plan that demonstrates to regulatory bodies the bank’s ability to withstand disruption. A plan that communicates to the market, to competitors, and current and future customers, that the bank is futureproofed and will continue to service customers, no matter what disaster strikes next.
Resilience rooted in customer centricity
The bank market is highly competitive, so establishing reliability is imperative for continued growth. Banks need to place customer needs at the core of their operational resilience strategy to ensure that they can deliver on their customer promise despite disruptions. Banks must identify the most essential and critical services offered to customers and build their resilience plan from a customer’s perspective. Customer-centric plans ensure no disruption will hinder a bank’s ability to meet the needs of their customers, thus creating trust.
Placing the customers at the core of a bank’s resilience plan not only establishes trust but also enables the bank to make real-time, data-driven decisions. Monitoring and adjusting plans accordingly enables banks to address any issues that may arise before impact. As a result, customers never experience a pause in services.
A few final words
How banks approach operational resilience in the next 12 to 18 months will determine whether the bank will survive or thrive when the next disruption hits. It’s clear that traditional approaches to risk management fall short of what the financial services industry needs, so the time has come to do things differently.
Banks must learn from the past, evaluate their current standing, and invest in operational resilience – now. By investing in the right technology, hiring the right people, and developing relevant and critical skills, banks will be able to seamlessly continue to deliver their services, even in the face of the next ‘unprecedented’ event.