In his blog post published 27 March 2020, Andrea Enria, Chair of the Supervisory Board of the European Central Bank (ECB), stated in the context of the COVID-19 pandemic that “Unlike in the 2008 financial crisis, banks are not the source of the problem this time. But we need to ensure that they can be part of the solution. To this end, our mitigation measures aim to allow banks to keep providing financial support to viable households, small businesses and corporates hardest hit by the current economic fallout.” To be part of the solution, banks are expected to guarantee business continuity in an environment marked by uncertainty and the rise of coronavirus-themed cyber-attacks. In preparation for this ambitious goal, on 3 March 2020 the ECB already sent a letter to all significant institutions in which it outlined its expectations to enhance preparedness and to minimise the potential adverse effects of the spread of COVID-19, many of which relate to IT continuity requirements.
So what are the key implications for banks that have emerged due to the COVID-19 crisis since the ECB letter was sent out, and which could affect their ability to maintain business continuity?
In response to the implications above, IT risk management functions and key personnel can ask themselves the questions below in order to best address these implications or to prepare for an increase in IT-related challenges if the COVID-19 crisis continues for a significant time.
Considering the aforementioned implications and responses to operational resilience, banks should also consider collecting data and KPIs that will be part of the lessons learnt and the continuous improvement process, and for which supervisors could potentially ask in the aftermath of the COVID-19 pandemic. Cases of incidents, outages, disruption, unplanned downtime and unauthorised access should be formally documented. They can be used in the future to strengthen the effectiveness of crisis management procedures and protective measures. Such cases could include:
The COVID-19 pandemic is a wake-up call for banks to consider their organisation holistically and evaluate how their IT capabilities can help them to face extreme events, even the ones we all thought were unlikely to occur. As stated by the ECB, this time banks can be part of the solution. However, being part of the solution, i.e. providing financial support to those hardest hit by the current economic fallout, requires the ability to maintain operations in extraordinary and adverse circumstances, which brings the concept of operational resilience to light again.
Several supervisors, including the ECB, have acknowledged over the past years that a growing reliance of banking operations on IT platforms, digitalised product channels for banking services, outsourcing to third-party providers of IT-related tasks and functions, and communication networks makes banks vulnerable to a wide range of operational risks. What the pandemic is showing us now is that the multi-dimensional response needed to achieve operational resilience (governance, adequacy and expertise of resources, business continuity planning, information security including cyber-security management, and third-party provider management) cannot be achieved without agile and coordinated IT capabilities at the core.
With publications from the UK regulators and more expected from the Basel Committee, other regulators and supervisors including the ECB may have a closer look at the concept of operational resilience in the near future, and the COVID-19 pandemic could be just what they needed to further develop and implement this concept.