This article was paid for by a contributing third party.
Rethinking risk and operational resilience post‑Covid‑19
In a Risk.net panel session, convened in collaboration with Fusion Risk Management, experts discussed five themes on re-evaluating existing operational resilience strategies
The panel
- Richard Cooper, Principal, Financial services, Fusion Risk Management
- Michele Ushkowitz, Head of operational risk, Americas, Societe Generale
- Rick Cech, Senior bank examiner, Operational risk governance, Federal Reserve Bank of New York
- Moderator: Rajat Baijal, Managing director and global head of enterprise risk, Cantor
Recent global events such as the Covid-19 pandemic and increasing geopolitical tensions have prompted organisations to rethink operational resilience. Financial institutions need to proactively manage the threats that escalating international and internal political pressures pose to their operations.
Effective operational resilience requires retooling resilience strategies and risk management approaches. New strategies, methodologies, roles and assessments will need to be developed to anticipate and respond to pandemic- and geopolitical-related events in the future.
In a Risk.net panel, convened in partnership with Fusion Risk Management, experts discussed how firms can mitigate the impact of these risks, address the increased threat from IT and cyber risk, and manage talent risk during uncertain times. Five key themes emerged from the discussion.
1. Identify and manage new risks
While the worst of the pandemic may be over, there is a long way to go to eradicate Covid fully – its impact will be felt for some time, and work environments have permanently changed for many firms. Alongside this, risk managers are facing growing uncertainty caused by geopolitical tensions.
While the prospect of war in Europe may have seemed distant for most of 2021, firms have had to quickly adjust their risk frameworks to the evolving situation. People risk and cyber risk have emerged as the two most important risks according to the panellists.
Firms previously hadn’t needed to consider people risk to the level now required, said the risk experts. Companies must now look at processes – and potential issues emanating from those processes – and question how well staffed they are in certain sectors and whether that staffing needs to be stronger.
Richard Cooper, principal, financial services at Fusion Risk Management, highlighted the spread of the Delta variant of Covid-19 in India as an example of far-reaching impacts. Many people who had been working in cities stayed at home unable to work, and some employees and contractors went back to their hometowns and didn’t return. “They had been working on desktop computers and had no way to complete their duties remotely. The denial‑of‑site impacts were planned for in India but not at the scale experienced. This highlighted the lack of long-term work transfer strategies and cross-training gaps. Therefore this issue in India impacted operations in Europe, the Middle East and Africa, and North America, and these same impacts are being felt with the current geopolitical situation. Operational risk issues have caused many to rethink yet again of all the plausible scenarios,” he said.
An extension of people risk is vendors and the supply chain. In the wake of the pandemic and shifting work patterns, firms are reassessing the resilience of their organisations and networks, with particular focus on potential vulnerabilities from third- and fourth-party suppliers and vendors.
Firms can be as strong as they like but cannot ignore their critical vendors, said panellists. Another important aspect is vendor outreach: having engagement managers speak to vendors to understand how they are adapting their security protocols and resilience measures in a constantly changing landscape.
Turning their attention to cyber risk, panellists observed that firms have seen an uptick in incidents since 2020, a trend that is expected to continue but will probably become more complex. In particular, they noted the distinction between process damage and information control damage, with the latter often following a very different track to cyber intrusion or disruption damage.
The pace of response required is also quickening. One panellist said their firm had fast-tracked the remediation process, resolving issues in the space of four weeks that would typically have spanned 12 months.
2. Plan resources effectively, beyond just identifying risk
According to Cooper, the real task is to boil down risks and find ways to apply resources in an effective manner to address them.
Process remains a key point when planning and applying resources to manage risk, he said: “The first step is to break down what we do with processes from a risk standpoint. Resilience is when the unexpected comes up. So if you develop a well-honed ‘fail-over’ capacity, if you have a good robust process driven by real-time and actionable data, you are well prepared.”
Panellists also advocate a flexible, agile approach – an essential attribute during the pandemic. Firms need to spend a lot of time thinking about potential risks, planning for them and knowing what their capabilities are. They need to consider what can go wrong, see how their risk management matches up and what refinements are needed.
Fast-tracking technology investment is one way firms can become more agile in preparing for a crisis. Experts point out that the most crucial aspect is that those responsible for remediation and resilience must stay online and remain functional no matter what.
3. Detect dynamic risks associated with the cloud
Today firms must improve their understanding of the risks associated with putting data on the public cloud, including knowing what third parties and vendors may store on the cloud:
- Are you using the same cloud provider as your third and fourth parties?
- Do you have the expertise to analyse risk from a second-line-of-defence perspective?
- Are you equipped to assess indicators both within your firm and at the vendor firms?
New technologies such as artificial intelligence and blockchain also introduce new risks. The experts said firms must constantly question their preparedness and understanding of these risks: Do we have the individuals in the organisation who truly understand what the risks are? Risk assessments need to pick up on changes in the environment and adapt accordingly, bringing expertise in-house where necessary.
Firms need to identify the risks associated with accelerating technology transformation, articulating material processes involved and clearly defining their risk tolerances.
4. Wear a risk manager’s hat
Cooper said: “Having gone through the pandemic, everyone in an organisation is something of a risk manager. They are thinking about their risk and their employees. They are thinking about their work-from-home strategies and vendor strategies a bit more carefully.”
Panellists said there was a great opportunity to push risk back into the first line of defence and make it more actionable. The first line needs to be more predictive. Many firms experienced operational incidents in the wake of the pandemic – they are aware of the vulnerable areas within the organisation. They can now use that information to assess which desks seem to experience problems when volatility rises and become better at predicting and limiting risk.
Business managers need to understand how the entire business is running. It is not enough just to have a siloed plan for a single business unit – it is about the wider organisation too, panellists said.
5. View risk as a board-level concern
Firms continue to see increasing awareness and engagement around risk from senior management, helping encourage top-down buy-in for operational resilience.
Cooper said there is an increased focus at the board level. “There has been extreme interest in the understanding of [operational resilience], and the definition of important business services and [how they are mapped].” Executives are genuinely interested in learning the resilience imperative, the experts said.
Operational resilience involves walking multiple paths, according to the panel – a general escalation path, an information path and an education path. The board needs to wear two hats for this to be effective: one to be activists, the other to be learners.
Summary
A constantly changing operational risk environment in the fallout from the Covid‑19 pandemic requires reprioritising and strengthening resilience controls across the organisation. It is vital to identify new risks and be prepared for them, but also to become more predictive so that risks are flagged and managed efficiently before they can cause widespread damage.
Firms can better address these issues by improving agility and communication as well as encouraging advocacy for operational resilience at the boardroom level.
Copyright Infopro Digital Limited. All rights reserved.