The ability to successfully navigate a crisis is largely dependent on the structures that have been built prior to chaos striking.
After the Great Financial Crisis (2007-2009), supervisors and regulators worldwide undertook a concerted effort to devise an approach that would enhance banks’ financial resilience. In theory, by way of Recovery Planning, banks would be lessening their Probability of Default (PD). In turn, Resolution Planning would reduce their Loss Given Default (LGD). And so it was that Recovery and Resolution Planning (RRP) became a harbinger for the development of Crisis Management Frameworks1 (CMFs) to safeguard banks’ financial resilience.
A decade later, in an increasingly volatile, uncertain, complex, and ambiguous (VUCA2) environment, turbocharged by COVID19 and its reverberations, an unexpected and colossal test on banks’ resilience, beyond its financial nature, is currently underway.
COVID19 has unleashed an unprecedented, system-wide, real-time testing of the operational arrangements in banks that sustain their business continuity, and the means available to ensure the health and safety of their employees. Banks’ CEOs and their senior management are now, more than ever, thinking strategically on operational resilience matters and the relevance the banking activities performed which comprise providing essential services to clients. Hence the focus in this crisis, relative to past ones, on keeping branches open and maintaining adequate service levels in contact centers.
Yet, despite these developments, oftentimes awareness on operational resilience lags that on financial resilience. This common pitfall fails to grasp the delayed financial damage that such operational events may wreak.
While COVID19 has taken the spotlight, it is undeniable that banks’ risk management must incrementally account for a myriad of other menacing operational threats that can erode profits such as (geo)political upheavals, cyber-attacks, natural disasters, IT outages, compliance and conduct negative outcomes, etc. The list of looming operational events that can quickly spiral out of control and unfold into a full-blown crisis decimating profits is endless in our VUCA environment.
The aim is to place operational resilience on an equal footing with financial resilience, with indicators adapted to the risk profile of the operating model, comprehensive scenarios analyses tailored to banks’ vulnerability and an effective reporting approach.
In response to banks' increasing vulnerability to these threats, and their ever-increasing complexity and interconnectedness, operational resilience has moved up on the agenda of supervisors, regulators and standard-setters worldwide.3 The aim is to place operational resilience on an equal footing with financial resilience, with indicators adapted to the risk profile of the operating model, comprehensive scenarios analyses tailored to banks’ vulnerabilities, and the implementation of an effective reporting approach.
This revamped paradigm envisages operational and financial resilience as two sides of the same coin known as “resilience” exhibiting commonalities that can be synergistically exploited through the holistic, practical arrangements embodied in CMFs – a tantalizing thesis which we explore next.
Concept-wise, and in practical terms, CMFs pivot on four chief foundations: (i) Parameters (or Indicators); (ii) Phases; (iii) People, (iv) and Plans (preventive and reactive). Given the connection between financial and operational resilience, the “4Ps Paradigm” applies equally to both, requiring a homogenous and consistent approach.
1. Parameters (or Indicators):
Indicators lie at the heart of sound risk and crisis management. They should provide a precise snapshot of a bank’s current operational and financial status –while capturing emerging risks and enabling prompt reactions to crises (and prior stages of stress), and the corresponding activation of relevant response bodies. To the extent possible, Indicators should be embedded within a banks’ Risk Appetite Frameworks (RAF) so that individual thresholds are reviewed at least annually by the Board of Directors and the senior management.
The set of Indicators (comprising Early Warning Indicators and Recovery Indicators) are defined in the Recovery Plan, the most relevant being those measuring a bank's financial position in terms of capital, liquidity, asset quality, and profitability. On the non-financial (operational) domain, the most common Indicators include relevant parameters envisaged in Business Continuity Plans (BCPs), cyber and physical security contingency plans, and qualitative categorizations of negative media and reputational impacts. COVID-19 has spurred a re-thinking and engineering on the range and nature of operational indicators to adequately monitor the multifaceted impacts of each phase of the crisis (eg, via the development of employees’ health indicators that track new daily cases, accumulated incidence, fatalities, etc.).
Regulators and supervisors are currently urging banks to adopt a consistent approach towards operational resilience, and to include a bank-wide definition of “critical operations” and indicators that provides an effective early warning signal along the entire value chain of each critical operation.
That said, the approach typically leveraged by banks on operational model risks is generally quite limited and, many times, inconsistent. For one, they lack a uniform definition of critical operations4 to which both financial and operational indicators would equally be aligned. Moreover, frequently the vulnerabilities of the operational model are not sufficiently well-defined ex ante.
For this reason, regulators and supervisors are currently urging banks to adopt a consistent approach towards operational resilience, and to include a bank-wide definition of "critical operations" and indicators that provides an effective early warning signal along the entire value chain of each critical operation.
These encompass the progressive sequencing of stress levels that would range from BAU all the way to the activation of “Recovery Mode,” and the endpoint of Resolution. The phases are defined on the basis of the individual calibration, and/or combinations, of the thresholds of the parameters (which typically follows a traffics-light/RAG approach) –notwithstanding that expert judgement should play a role in their definition and activation. Each of the phases will be supported by specific activation and de-activation arrangements/protocols so as to ensure that the transition from one phase to another, whether in terms of escalation or de-escalation, are commensurate with the unfolding of the stress event and can be implemented in time and due form.
There should be a formal attribution (e.g. via policies, procedures, protocols etc.) of roles and responsibilities in each of the phases for the senior management and key executive positions (e.g. CEO, CFO, CRO, etc.). This allocation should also be ex ante defined for crisis management bodies activated depending on the severity of the stress event (e.g. ranging from Bronze, Silver, to Gold). For the purposes of steering and leadership, it may prove useful to appoint a Crisis Management Director (CMD) which may be different depending on the nature of the stress event and the phase activated.
These response bodies typically summon a broad representation of the bank’s main functions involved with securing both operational and financial resilience. Furthermore, the composition of these bodies needs to be malleable to cater for the multifaceted nature of stress events. An added benefit of the holistic composition of these bodies is that they can be leveraged within BAU contexts to periodically review, discuss, and approve operational and financial resilience aspects (e.g. BCP strategies, RRP developments, etc.), which, in turn, helps increasing awareness and cementing a “corporate culture” on RRP and crisis management matters.
Plans can be divided into preventive plans, activated prior to a stress event which lower the probability of its occurrence (PD), and reactive plans, activated once the event has materialized – thus lowering the LGD. Some examples include Pandemic Response Protocols, Disaster Recovery Plans, BCPs, Communications Plans, Capital/Liquidity Contingency Plans, the Recovery Plan, and the Resolution Plan.
Many times, these plans will target the mitigation and redressal of the impacts that led to the activation of a particular phase. However, some flexibility is warranted in the approach to gauge their activation accounting for the prudential supervisory framework in force (e.g. Recovery Plan).
COVID-19 has spurred a fundamental re-assessment of what it means to be a truly resilient bank: one in which operational considerations cannot be detached from, nor understood without, their corresponding financial reflection.
Undergirding the “4 Ps,” a number of Core Principles stand out in terms of streamlining operational and financial resilience via a common Crisis Management Framework. The following Principles aim to ensure adequate degrees of awareness, responsiveness and adaptability so banks can safely navigate the choppy waters of their ever-evolving “BAU.” Similarly, the Principles are intended to help calibrate resources versus expected benefits when setting up CMFs:
COVID-19 has spurred a fundamental re-assessment of what it means to be a truly resilient bank: one in which operational considerations cannot be detached from, nor understood without, their corresponding financial reflection. CMFs provide the underpinnings to coherently integrate both sides of the same reality by leveraging on commonalities that yield synergies and efficiencies.
In our turbulent times, it has become all too evident that it is not enough for banks to be reactive, they should be proactive. As such, being on the ready can make all the difference between averting a crisis or confronting one ill-prepared.
For this reason, crisis management and ensuring resilience will become the new ethos for the bank of the future – and, needless to say, it is fast gaining traction in the agenda of supervisors and regulators who will expect, in turn, greater degrees of credible engagement from managers and Board members alike on these matters.
And, in a world in which COVID-19 has placed front and centre the relevance of Environmental, Social, and Governance (ESG) matters, it is our belief that CMFs can also play an important role in this domain by ensuring that banks are resilient and are contributing to safeguarding first and foremost the public good of financial stability – whilst avoiding the real economic and social impacts of failing to do so.
At a time in which there are powerful forces at play redefining our “new normal,” those banks which are underpinned by CMFs will have the upper edge in the future. They will have understood the relevance of aligning purpose with profit, and, with this renewed impetus, they will resonate in society.
1E.g. The EU’s Bank Recovery and Resolution Directive (2014) is often referred to as the “Crisis Management Directive.”
2Acronym first used in 1987, drawing on the leadership theories of Warren Bennis and Burt Nanus.
3See e.g. PRA CP 29/19 ‘Operational Resilience: Impact tolerances for important business services’ (05.09.2019), BCBS Consultation Paper ‘Principles for Operational Resilience’ (06.08.2020), Fed et. al ‘Sound practices to Strengthen Operational Resilience’ (30.10.2020)
4There is no global standard on what exactly constitutes a critical operation. Here, a critical operation is defined along the BCBS ‘Principles on Operational Resilience’ as a business activity (or related activities, processes, services and their relevant supporting assets), the disruption of which would be material to the continued operation of the bank or its role in the financial system.
5Typically, “First Line:” Busines Management Areas; “Second Line:” Risk and Compliance and Conduct; “Third Line:” Internal Audit.
Financial institutions should embrace operational resilience to better prepare for regulations, and be more connected, competitive and trusted.
Six leading practices for financial institutions to drive operational resilience.