Sponsored by ?

This article was paid for by a contributing third party.More Information.

Heightened operational risks in a changing world

Heightened operational risks in a changing world
The addition of employee wellbeing to the top 10 operational risks for 2021 reflects the heightened risk that has come with the surge of home-working during lockdown

Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses the growth of conduct and operational risks in the light of the pandemic, including those caused by mass home-working, the enhanced technological ability to address them, and why we should design a new type of workplace culture or risk losing one altogether

The financial crisis that began in 2007–08 ushered in a wave of regulation that is still being rolled out today. How can regulators best support financial firms this time around as they emerge into a post-pandemic ‘new normal’? 

Christoph Kurth, Baker McKenzie
Christoph Kurth, Baker McKenzie

Christoph Kurth: The global financial crisis caught financial institutions unprepared and the regulatory system wanting. The international response saw the creation of the Financial Stability Board and commitments made to reform global financial architecture and to rein in excesses that had contributed to the crisis. 

During the Covid-19 pandemic, regulators have responded sympathetically to businesses by pushing back consultations on new rules, with exceptions as required. This pragmatism should continue and previous reforms should be allowed time to bed in. That said, there is an important role for regulators to play in relation to the digitisation of the industry, including digital assets, and the transitioning of the economy to carbon neutral by 2050. 

Financial institutions are conscious of their key roles as intermediaries in this transformation, which has been accelerated by Covid-19, yet there is a need for coherent, globally aligned frameworks and accompanying standards to allow them to play their parts effectively. Putting these in place and providing certainty will allow financial institutions to rise to the challenge more effectively, contribute positively to the transformation of the economy and to harness digitalisation for efficiency gains. 

 

What impact has the Senior Managers and Certification Regime (SMCR) had on the approach to conduct and culture in financial organisations? To what extent should we expect to see investigations and enforcement actions arising from pandemic-related stress and turmoil?

Christoph Kurth: It is still too early to assess the impact of individual managerial accountability regimes on conduct and culture. However, anecdotal evidence suggests senior managers are more engaged with compliance and conduct risk; no longer is it left to compliance officers or as the last item on the board’s agenda. With Covid-19, there has been a real concern that a focus on stressed markets and widespread home-working, with its practical challenges of supervising client-facing staff, may translate into increased conduct risk. In fact, a more complex and varied picture has emerged. On the one hand, anecdotally, many businesses have doubled down on facilitating healthy cultures to reduce conduct risk. On the other, many businesses appreciate extended home-working leads to the loss of physical town halls, in-person bilaterals and team meetings as well as ‘water-cooler moments’ – all important in creating and maintaining culture. 

Businesses must design new ways of building culture or risk losing it. As it was after 2008, as we return to the new normal we can expect to see investigations and enforcement activity rise as misconduct comes to light. However, given the reforms of the past decade, including the SMCR, this time around cases may be more modest. In any event, due to the long lead time for investigations, we will not know the full picture for a while.

 

Sophisticated analytics and a greater volume of available data have enhanced firms’ ability to detect and monitor operational risks. What threat does this pose to customer/employee rights and data privacy? 

Christoph Kurth: Rapid developments in advanced data analytics, artificial intelligence (AI) and data capture have created myriad new opportunities for our clients. We are partnering with a number of them to implement innovative technologies to boost productivity and mitigate op risk, while also managing customer and employee compliance and wellbeing. From an employment perspective, increased reliance on technology – and especially employee monitoring – can expose employers to risks of discrimination and breaches of the implied duty of trust and confidence. From a data privacy perspective, many new technologies, if used to their full potential, may collide with concepts ingrained in the General Data Protection Regulation; regulators have shown they are alert to transgressions in this regard. Similarly, customer-facing technologies must be implemented carefully to mitigate against overreaching data processing that may present real regulatory risks. The sheer volume of data collected means technical and organisational security measures are of fundamental importance. Data breaches can cause considerable reputational and commercial harm, as well as exposure to regulatory action.

 

Covid-19 has had a profound and lasting effect on the world of work, placing greater reliance on digital channels and technology. What are the pitfalls financial firms face as they scramble to replace ageing IT infrastructure and systems?

Christoph Kurth: The fourth industrial revolution is well under way, but Covid-19 has further accelerated the digitalisation of financial services – some commentators consider parts of the industry to have advanced five years within the space of just one – and, inevitably, opportunities also bring risks. Given the intensity of technology changes being put through at such a fast pace with stretched resources, the usual risks may be elevated, particularly where there are new or emerging technologies. Most financial institutions, other than fintechs, still rely on legacy infrastructures, and replacing them is associated with the highest failure rate in change management. In fact, there is a direct link between lower levels of legacy infrastructure and the success rate when implementing technology change. Moreover, financial institutions that lack legacy infrastructure are less likely to have to install IT changes in an emergency, and those changes tend to be more successful – a virtuous circle. By their nature, emergency changes carried out with speed have an increased margin for error and risk, exacerbating any existing weaknesses. 

 

New technologies such as AI, machine learning and blockchain bring equal measures of opportunity and risk. To what extent does regulation act as a drag on innovation, and how can regulators find the right balance going forward? 

Christoph Kurth: Although regulation rarely keeps up with technological advances and changing market practice, this does not necessarily mean it holds back innovation. While it can impede new services and products, it is often a facilitator rather than an obstacle. A good example is payments, which today are synonymous with fintech. If the Revised Payment Services Directive had not required account providers to allow access and share customer data, we would not have seen such tremendous growth in new innovative third-party services. In contrast, the lack of legal and regulatory certainty, alongside political and other concerns, may hold back the development of digital assets – intangible assets supported by blockchain technology. 

Clearly, regulation can be overprescriptive, stifling innovation and making compliance costly, but most regulators recognise the benefits of innovation and competition to the market and, besides regulatory sandboxes, seek to provide a technology-neutral framework within which the market may operate. Proof of this is in the approach of the Swiss Financial Market Supervisory Authority of enhancing client onboarding via digital channels and The Kalifa review of UK fintech, the very welcome proposal for a new regulatory framework for emerging technology. Regulation should not regulate or hold back technology, but provide certainty on the regulatory treatment of technological innovation.

 

Given the increasing incidence of geopolitical risk facing the financial system, how should regulators and financial firms respond?

Christoph Kurth: Geopolitical risk is a fact of life with cross-border business. We have just come through Brexit, which has cut market access in Europe and where the extent of future equivalence-based access remains uncertain. Political and economic rivalry is increasing between the West and China, and with it possible protectionism. There are no easy answers to managing such uncertainties, but financial institutions must identify their vulnerabilities and assess the likely impact. Regulators will of course expect financial institutions operating in ‘at risk’ markets to be prepared, but supervisors can also help by liaising with counterparts, offering guidance and, where necessary, providing a degree of forbearance and flexibility to allow financial institutions time to adjust and adapt.  

 

Which op risks should financial firms be most concerned about?

Christoph Kurth: IT disruption and data compromise are likely to be near the top of firms’ agendas. The last year has seen accelerating digitalisation during the pandemic. With increased dependency on digital services, even short-lived incidents such as a denial of service can cause significant disruption, reputational fallout and regulatory exposure. Escalating cyber attacks that increase the risk of data compromise are an indirect consequence of greater interconnectedness in the banking and payments sphere, particularly when IT processes are built on a patched legacy infrastructure. Regulators, such as the Monetary Authority of Singapore, warn that, because large-scale remote working is a recent development, the risks may take time to fully emerge.

In recognition of such risks, countries are imposing tougher obligations on businesses over the collection, use, sharing, storage and disclosure of data. Whereas before, data protection regulators might not have brought enforcement action, now they just as likely to as financial services regulators, and can impose substantial fines based on turnover.

Another issue worth mentioning is the Covid-19-related impact on staff wellbeing. This reflects the heightened risks around home-working during lockdown, on the basis of which many employers have developed special programmes. As we move to the new normal, they should be careful not to overlook this duty.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here