Coronavirus is testing op risk managers to the limit

No amount of stress testing can prepare firms for the risks they’re facing, says Ariane Chapelle

Puzzle

Years from now – and for decades to come – the world will remember ‘the great pandemic of 2020’. The coronavirus’s effects on financial markets and companies are already acute: widespread disruption to business practices and everyday life has caused major indexes to shed up to one-third of their value, and forced governments to enact crisis measures to cope.

From a risk assessment perspective, reaction to this pandemic converges into a strange combination of under- and overestimation. Pandemic risks are sometimes called ‘grey rhinos’: probable, high-impact trends that are clearly observable, but often ignored until it’s too late. Before the current outbreak started, most would class pandemic risk as important, but not urgent.

China’s recent experience of Sars, which killed hundreds during the 2003 outbreak, may have informed its aggressive response to the Covid-19 epidemic, but Europe and the US had long forgotten the Spanish flu of over a century ago. Governments and many organisations were caught by surprise.

On an individual level, though, the virus has created an overestimation of risk, with many countries reporting panic-buying of household essentials, and images of shortages and queues that only reinforce the risk it is supposed to avoid. This self-fulfilling prophecy is caused by extreme herd behaviour and generalised panic, similar to a run on a bank or a market crash.

The virus is testing operational risk managers at banks and other financial firms in manifold ways. Many point out the heightened risk of fraud, and cyber fraud in general. Security engineers report elevated levels of attacks of every form, the most observable one being phishing attempts that play on people’s fears or need for information.

Perhaps more dangerous are attacks on networks and information flows. Firms are typically able to sustain around 10% of staff working from home. Moving suddenly to a multiple of this increases the attack surface in the same proportion, raising both the likelihood and impact of successful cyber events. On the positive side, the crisis has highlighted points of weakness in firms’ IT systems and security levels, leading to a list of remediation plans to be implemented once the storm has passed, hopefully without too much damage in the meantime.

Some local subsidiaries of international banks have decided to shutter all but non-essential operations for two weeks

Not even in the most extreme scenarios have organisations anticipated a situation of near total remote working. National banks and local or national insurance companies have up to 90% of their staff working from home. Regular cleaning and sanitising procedures are in place in all sectors for staff on site. Tier-one banks are focusing on the continuity of essential operations, such as payments and trading, and will delay, if need be, non-essential ones to prioritise resources. Some local subsidiaries of international banks have decided to shutter all but non-essential operations for two weeks.

Split staff across locations, such as duplicated trading floors installed on disaster recovery sites, or staff on site on a seven-day rotating basis, had already been in place at some top banks for weeks. For larger, international banks, technical aspects such as VPN capacity can be an issue during times of heavy use.

Another, more external issue is whether the internet can support such a spike in use, especially in highly dense areas of population. The mobile and landline phone network is a critical dependency: any failure of this network would have a severe impact on the ability of firms to carry out essential functions.

Risks of internal fraud, unauthorised activities, and simply operational errors, mistakes and omissions are expected to increase, too, as a direct consequence of the reduced monitoring capabilities caused by distance working.

Particularly for industries and organisations that are not fully digitalised, there is an accelerated transition to teleworking. The city of Quebec in Canada is the centre for insurance companies in the province. Quebec province and parts of North America experienced the Great Ice Storm of 1998, when exceptional ice falls cut off electric power for 3 million of the 7 million inhabitants. Since then, firms have developed continuity plans, including operating with 70% of staff. However, 100% of remote staff was not part of the plan, especially for an insurance industry that has large call centres and paper-based claims and cheques. Companies are devolving these call centres to people’s living rooms. The transformation effort is gigantic, but “we are getting on”, says a chief risk officer at one large company.

The operational pressures on the financial sector are equally present for their suppliers, and third-party failures constitute another possible knock-on effect. A third-party provider assisting travel insurance in Canada usually handles 3,000 calls a day. On Monday, 16 March, it received 300,000. Its insurance company clients are teaming up to create multiple, additional temporary call centres to help handle the ocean of requests. Supply chains are stretched to the extreme in other sectors, but this is an issue for banks and insurance companies, too.

Regulators and public authorities will have to adjust to the new reality. Compliance breaches and capital breaches will be put to the test. Canadian regulators are keeping a close eye on the financial sector, while realising the need to be flexible in their demands.

Several institutions are already planning for the return to normal. They say it will be complex and slow, and that in itself will generate another wave of operational risks, loss of productivity and mistakes. But thinking of the after-crisis is a proactive behaviour that each op risk manager should have.

Resilience is the capacity to recover quickly from difficulties. We can overcome the crisis, adapt and adjust. This formidable shock is also the opportunity to rethink what we want and who we want to be.

People reveal themselves in crises. Let’s think of how we want to be remembered in this one.

Editing by Alex Krohn

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Most read articles loading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here