13 July 2020

Evolving operational risk management – through Covid-19 and beyond

Adele Turner

Senior Manager | Finance, risk and compliance | London

Salina Ladha

Director | Regulatory change and conduct SME | London

Baringa Partners’ latest operational risk roundtable for industry practitioners was again attended by representatives from across financial services. This month’s agenda explored lessons from Covid-19, what they mean for the future of operational risk management and how interim arrangements can be practically adapted for the return to business as usual (BAU).

In this blog we expand on some of the key themes discussed during the event.

Risk & control adaptation

It has been important for firms to consider how the interaction of key risk factors has changed due to the pandemic, potentially heightening exposure to some priority risks in new and unforeseen ways. For example, cyber risk has been an increased focus area, due to the combination of people shortages (caused by sickness) and weakened infrastructure (caused by working-from-home technology and controls). Increased testing of associated BAU controls – to prevent phishing, for example – was discussed at the roundtable, and is likely to remain prevalent on firms’ agendas for the rest of 2020.

Some firms reported the need to relax certain controls to facilitate remote working – for example relating to traders’ use of mobiles. However, other participants responded to the pandemic with a re-design or enhancement of their control environments. For example, third party management and outsourcing resilience controls came under an increased spotlight. Not only was control frequency upped in some cases, but escalation thresholds were also re-visited. With the increasing regulatory focus on operational resilience, it is unlikely that these stricter controls will be relaxed post-pandemic. In fact, this period has presented longer-term lessons about gathering sufficient information from vendors regarding their resilience. For certain other areas where controls were tactically adapted, firms should now look to optimise and automate where possible.

Firms have had to be increasingly agile in decision-making. Enhanced MI has helped support the management and oversight of the evolving risk and control profile. Some firms have created critical MI dashboards which are nimble and crucially low effort to maintain, yet allow focus on key metrics and are consumable at various levels (including Board). Risk acceptance processes have also required adjustments to quickly take and document key decisions.

It is highly likely that some of these interim arrangements will remain. A key next step for firms is to establish a process to agree and govern which changes should be unwound and which should not, taking into account how success – and risk – can be directly tracked.

Human capital

Focus on communication, particularly 1st/2nd line of defence working relationships, has also been important to reinforce control environments. Increased frequency of communications – through various methods – has been used to reiterate key processes and how to escalate.

Some firms published relaxed rules relating to mandatory leave, aiming to avoid spikes later in 2020, whereas others strengthened their requirements to compensate for other changes to the control landscape.

Looking to the future, there was good debate about how COVID-19 might alter risk culture due to changes in engagement models. Challenges to maintain a robust team dynamic in a virtual environment have been largely tackled in the short-term. However, the gradual lifting of lockdown is creating hybrid working arrangements – firms must ensure that complacency does not creep in, and particularly ensure that new joiners are being appropriately embedded into the organisation’s risk culture.

Office & disaster recovery sites

Most firms have indicated that proportions of their workforce are beginning to return to offices, but that a full complement of employees being physically co-located is unlikely this year. This variation will create a unique transition state of risks and controls to manage.

Firms are, however, seeing the potential long-term savings that ongoing hybrid working could create. There is broad consensus that some form of flexible working seems likely to prevail, reducing the permanent office space required in high-cost locations.

The pandemic-enforced test of remote working has prompted many firms to consider this as a solid business continuity plan going forward. Many firms revealed that they intend to close, or heavily reduce, their disaster recovery site footprint in the coming months. However, such adaptations to strategy highlight a key consideration for firms to take on-board quickly – what is the new ‘Plan B’?

Many firms and employees are now treating their adapted working set-ups as a ‘new normal’ – but this is not necessarily a normal that has a safety net in place. Firms need to confirm back-up infrastructure to maintain connectivity, or explore making multiple methods of server access available (for example, remote log-in tokens and additional laptops). They also need to respond to any further impacts to risks and controls from the new BAU – for example, solving for data privacy challenges in long-term remote working set-ups.

Scenario testing

The ‘scenario’ presented by the pandemic went far beyond the parameters of those which firms considered in their operational risk and resilience planning before March. It has presented some practical learnings which participants discussed in detail. There was broad agreement that the previously dominant focus on capital numbers should be reduced, and response plans should be more fully tested to take account of wider ranging impacts. Probability scores of certain events should be reviewed – the ‘real-life’ overlay in this exercise has become more important and tangible.

There is growing appetite for industry collaboration to support scenario testing, and its value appears to be of increasing importance when considering some themes already discussed – for example, resilience of and reliance upon third parties. Whilst individual firms might have seemingly robust back-up plans relating to outsourcing arrangements, there is a risk that those plans are too consistent across organisations, leading to a form of concentration risk in the industry. Cross-collaboration and thought leadership through methods such as war gaming could surface these potential issues to support both firm and industry-level stability.

In summary, operational risk management has adapted well in response to COVID-19 but the agility shown will need to be maintained. Challenges faced are evolving as lockdown lifts and firms return to a BAU that looks considerably different to early 2020. Firms must also review changes made during the pandemic and seek to optimise these strategically in order to ensure effective and efficient operational risk management in the long-term.

