Regulators and stakeholders are focusing in on operational resilience. Here’s why and what you should be doing about it.
Operational resilience has been at the very top of the prudential regulators’ agenda for decades. Initially, the key focus was on assuring financial stability; the Global Financial Crisis demonstrated to regulators that a financial collapse at one firm could threaten the operational resilience of the entire system. And they worked fervently with the industry to help reduce that risk.
Over the past few years, however, their focus has shifted back towards the ‘operational’ side of resilience. Recent events – the pandemic foremost amongst them – have made it clear that ‘once-in-a-lifetime’ events are happening more frequently. And their interconnectedness (consider how a health crisis sparked a mobility crisis which spawned a financial crisis) has become clearer. Regulators are keen to highlight the risks and encourage resilience across the financial services sector.
In advanced economies such as Australia, Hong Kong (SAR) and Canada, and in a growing number of emerging markets, we are seeing regulators step up their focus on operational resilience.
Regulators have been making their intentions clear (albeit in rather different ways). The Bank of England has, perhaps, been the most active in promulgating regulation on the topic. The US Fed has also been quite open about their intentions, sharpening their focus on enhancing existing operational risk regulation. In advanced economies such as Australia, Hong Kong (SAR) and Canada, and in a growing number of emerging markets, we are seeing regulators step up their focus on operational resilience.
Given the upswell of regulatory activity in this area, all eyes are now on the Basel Committee in Switzerland. As has been the case with other global regulatory initiatives that require a certain level of global coordination, many within the regulatory community and industry have high hopes that the Committee will provide some level of guidance that will help clarify future expectations for banks, insurers and asset managers.
The challenge for the Basel Committee will be significant. It is clear many regulators have a common intent – to enhance the operational resilience of the financial system. Yet their approaches are currently not consistent. Finding common ground may take some time.
It’s not just the regulators that think shoring up operational resilience is a good idea. So, too, do financial services executives, investors, stakeholders, Boards and customers. They also recognise the interconnectedness of risks and are starting to become increasingly concerned about the concentration of risk.
Consider, for example, the concentration of risk around digital capabilities. Most financial services firms demonstrated great operational resilience in the initial phases of the pandemic by rapidly virtualising their workforces and processes. But now they see the potential concentration of risk around – for example – a cyber-attack or the loss of a core piece of IT infrastructure. Regulatory requirement or not, financial services executives know they have an obligation to protect their organisations from these risks.
Leading financial services firms are not waiting for regulatory direction. Many banks, asset managers and insurers are starting to take a much more holistic, multi-functional and collaborative approach to resilience.
The leading financial services firms are not waiting for regulatory direction. They are taking their cues from the clear direction of regulatory travel and an equally clear understanding of their stakeholder expectations. And they are using that insight to vastly enhance and expand their focus on operational resilience.
For one, we have seen many of the leading banks, asset managers and insurers start to take a much more holistic, multi-functional and collaborative approach to resilience. Rather than working in functional siloes (which tends to ignore the interconnectedness of risks), the leaders are bringing together multi-functional groups and supporting them with robust governance while, at the same time, assigning responsibility and accountability to individuals.
The leaders are placing more focus on understanding the impact that any potential disruption could have on their external stakeholders (customers in particular) and understanding what disruption would be intolerable – an impact tolerance.
Simply put, they want to drive 70 miles per hour in a 60 zone; but they first need to understand the risks to themselves (in the form of tickets or accidents) and their neighbors (in the form of complaints and ruined relationships). More often than not, the impact tolerance is directly related to what the neighbors would think rather than the concern of the ticket.
To better understand what the neighbors (in this case, external stakeholders) will think, the leading financial services firms are scraping data from a broad range of inputs – from customer call centers and corporate communications inquiries through to traditional operational data sources such as return on investment and revenue forecasts. And they are using that data to continuously adjust their assumptions and measure their outcomes.
Leading financial services firms recognise they need to make step-step changes in thought and capacity more sophisticated. They need to make them quickly. And they need to implement them with minimum disruption.
Many are now exploring how they might ‘power’ their resilience efforts forward and achieve material advantage by connecting existing tools, technologies and data sets into a cohesive whole in order to bring proven methodologies and acceleration catalysts to their program. Rather than attempting to catalyse change in narrow siloes or distinct processes, the leaders are connecting their technologies and processes to drive more fundamental outcomes. Indeed, we are working with a number of financial services firms to create a ‘powered’ operational resilience program that not only drives the overall resilience program, but also helps build a more connected, competitive and trusted organisation.
The most strategic financial services organisations are seeking to drive even greater change from their programs. They view their efforts towards organisational resilience as a way to drive transformation across the enterprise. If end-to-end processes are being mapped, risks are being identified and accountability for resilience is being delegated, why not use that data and horizontal accountability structure to drive other objectives such as cost efficiency, innovation or customer experience? A handful of leaders see the opportunity for fundamental and sustainable change that goes beyond simply enhancing resilience.
We are working with a number of financial services firms to create a ‘powered’ operational resilience program that not only drives the overall resilience program, but also helps build a more connected, competitive and trusted organisation.
The specific actions, processes and data required to drive operational resilience are different for each organisation, industry sector and market (thus the challenge for the Basel Committee). Until some form of global guidance is achieved on this topic, financial services leaders need to leverage industry leading practices, existing experience and current guidance.
We believe there are a number of practical principals that leaders will want to follow as they develop and execute their strategies.
Get used to talking about operational resilience. Our view suggests it will remain at the very top of regulator and Board agendas for the foreseeable future. The only real question is whether substantive progress will be catalysed by societal pressure, economic pressure or regulatory requirements.
Our advice is for financial services firms to get well ahead of this one. Those that do will find themselves not only more operationally resilient and better prepared to deal with upcoming regulation, they will also be more connected, competitive and trusted. Those are attributes all financial services executives can embrace.
Principal, Financial Services Risk, Regulatory and Compliance Network Leader
KPMG US