The ability to successfully navigate a crisis is largely dependent on the structures that have been built prior to chaos striking.
COVID-19 and the recast of resilience
After the Great Financial Crisis (2007-2009), supervisors and regulators worldwide undertook a concerted effort to devise an approach that would enhance banks’ financial resilience. In theory, by way of Recovery Planning, banks would be lessening their Probability of Default (PD). In turn, Resolution Planning would reduce their Loss Given Default (LGD). And so it was that Recovery and Resolution Planning (RRP) became a harbinger for the development of Crisis Management Frameworks1 (CMFs) to safeguard banks’ financial resilience.
A decade later, in an increasingly volatile, uncertain, complex, and ambiguous (VUCA2) environment, turbocharged by COVID19 and its reverberations, an unexpected and colossal test on banks’ resilience, beyond its financial nature, is currently underway.
COVID19 has unleashed an unprecedented, system-wide, real-time testing of the operational arrangements in banks that sustain their business continuity, and the means available to ensure the health and safety of their employees. Banks’ CEOs and their senior management are now, more than ever, thinking strategically on operational resilience matters and the relevance the banking activities performed which comprise providing essential services to clients. Hence the focus in this crisis, relative to past ones, on keeping branches open and maintaining adequate service levels in contact centers.
Yet, despite these developments, oftentimes awareness on operational resilience lags that on financial resilience. This common pitfall fails to grasp the delayed financial damage that such operational events may wreak.
While COVID19 has taken the spotlight, it is undeniable that banks’ risk management must incrementally account for a myriad of other menacing operational threats that can erode profits such as (geo)political upheavals, cyber-attacks, natural disasters, IT outages, compliance and conduct negative outcomes, etc. The list of looming operational events that can quickly spiral out of control and unfold into a full-blown crisis decimating profits is endless in our VUCA environment.
The aim is to place operational resilience on an equal footing with financial resilience, with indicators adapted to the risk profile of the operating model, comprehensive scenarios analyses tailored to banks’ vulnerability and an effective reporting approach.
In response to banks' increasing vulnerability to these threats, and their ever-increasing complexity and interconnectedness, operational resilience has moved up on the agenda of supervisors, regulators and standard-setters worldwide.3 The aim is to place operational resilience on an equal footing with financial resilience, with indicators adapted to the risk profile of the operating model, comprehensive scenarios analyses tailored to banks’ vulnerabilities, and the implementation of an effective reporting approach.
This revamped paradigm envisages operational and financial resilience as two sides of the same coin known as “resilience” exhibiting commonalities that can be synergistically exploited through the holistic, practical arrangements embodied in CMFs – a tantalizing thesis which we explore next.
Crisis Management Frameworks (CMFs) and the “4 Ps” foundations
Concept-wise, and in practical terms, CMFs pivot on four chief foundations: (i) Parameters (or Indicators); (ii) Phases; (iii) People, (iv) and Plans (preventive and reactive). Given the connection between financial and operational resilience, the “4Ps Paradigm” applies equally to both, requiring a homogenous and consistent approach.
1. Parameters (or Indicators):
Indicators lie at the heart of sound risk and crisis management. They should provide a precise snapshot of a bank’s current operational and financial status –while capturing emerging risks and enabling prompt reactions to crises (and prior stages of stress), and the corresponding activation of relevant response bodies. To the extent possible, Indicators should be embedded within a banks’ Risk Appetite Frameworks (RAF) so that individual thresholds are reviewed at least annually by the Board of Directors and the senior management.
The set of Indicators (comprising Early Warning Indicators and Recovery Indicators) are defined in the Recovery Plan, the most relevant being those measuring a bank's financial position in terms of capital, liquidity, asset quality, and profitability. On the non-financial (operational) domain, the most common Indicators include relevant parameters envisaged in Business Continuity Plans (BCPs), cyber and physical security contingency plans, and qualitative categorizations of negative media and reputational impacts. COVID-19 has spurred a re-thinking and engineering on the range and nature of operational indicators to adequately monitor the multifaceted impacts of each phase of the crisis (eg, via the development of employees’ health indicators that track new daily cases, accumulated incidence, fatalities, etc.).
Regulators and supervisors are currently urging banks to adopt a consistent approach towards operational resilience, and to include a bank-wide definition of “critical operations” and indicators that provides an effective early warning signal along the entire value chain of each critical operation.
That said, the approach typically leveraged by banks on operational model risks is generally quite limited and, many times, inconsistent. For one, they lack a uniform definition of critical operations4 to which both financial and operational indicators would equally be aligned. Moreover, frequently the vulnerabilities of the operational model are not sufficiently well-defined ex ante.
For this reason, regulators and supervisors are currently urging banks to adopt a consistent approach towards operational resilience, and to include a bank-wide definition of "critical operations" and indicators that provides an effective early warning signal along the entire value chain of each critical operation.
These encompass the progressive sequencing of stress levels that would range from BAU all the way to the activation of “Recovery Mode,” and the endpoint of Resolution. The phases are defined on the basis of the individual calibration, and/or combinations, of the thresholds of the parameters (which typically follows a traffics-light/RAG approach) –notwithstanding that expert judgement should play a role in their definition and activation. Each of the phases will be supported by specific activation and de-activation arrangements/protocols so as to ensure that the transition from one phase to another, whether in terms of escalation or de-escalation, are commensurate with the unfolding of the stress event and can be implemented in time and due form.
There should be a formal attribution (e.g. via policies, procedures, protocols etc.) of roles and responsibilities in each of the phases for the senior management and key executive positions (e.g. CEO, CFO, CRO, etc.). This allocation should also be ex ante defined for crisis management bodies activated depending on the severity of the stress event (e.g. ranging from Bronze, Silver, to Gold). For the purposes of steering and leadership, it may prove useful to appoint a Crisis Management Director (CMD) which may be different depending on the nature of the stress event and the phase activated.
These response bodies typically summon a broad representation of the bank’s main functions involved with securing both operational and financial resilience. Furthermore, the composition of these bodies needs to be malleable to cater for the multifaceted nature of stress events. An added benefit of the holistic composition of these bodies is that they can be leveraged within BAU contexts to periodically review, discuss, and approve operational and financial resilience aspects (e.g. BCP strategies, RRP developments, etc.), which, in turn, helps increasing awareness and cementing a “corporate culture” on RRP and crisis management matters.
Plans can be divided into preventive plans, activated prior to a stress event which lower the probability of its occurrence (PD), and reactive plans, activated once the event has materialized – thus lowering the LGD. Some examples include Pandemic Response Protocols, Disaster Recovery Plans, BCPs, Communications Plans, Capital/Liquidity Contingency Plans, the Recovery Plan, and the Resolution Plan.
Many times, these plans will target the mitigation and redressal of the impacts that led to the activation of a particular phase. However, some flexibility is warranted in the approach to gauge their activation accounting for the prudential supervisory framework in force (e.g. Recovery Plan).
COVID-19 has spurred a fundamental re-assessment of what it means to be a truly resilient bank: one in which operational considerations cannot be detached from, nor understood without, their corresponding financial reflection.
The core principles of CMFs
Undergirding the “4 Ps,” a number of Core Principles stand out in terms of streamlining operational and financial resilience via a common Crisis Management Framework. The following Principles aim to ensure adequate degrees of awareness, responsiveness and adaptability so banks can safely navigate the choppy waters of their ever-evolving “BAU.” Similarly, the Principles are intended to help calibrate resources versus expected benefits when setting up CMFs:
- A holistic, enterprise-wide approach should be promoted that cuts across the limited and incomplete scope of silos, and which credibly and effectively galvanizes all relevant functions from the “Three Lines of Defense”5. The silo view of a bank’s operational model and its risks, which has become established over the years (e.g. IT, outsourcing, cyber, information security, etc.), makes it difficult to grasp the interconnections within the operational model which are interwoven via the business services provided by banks. Moreover, this imperfect approach has created redundancies and unnecessary resource requirements undermining the ability to quickly react to the failure of business services. In contrast, by leveraging on the comprehensive approach provided by CMFs, gaps and overlaps are averted resulting in increased efficiencies and the harnessing of synergies.
- Tone-from-the-top is paramount ensure the successful implementation of CMFs and an effective response to crises. This is moreover needed to promote awareness amongst banks’ top deciding bodies on the financial and technical resourcing needed to support banks’ overall operational and financial resilience efforts. The active involvement of the Board will increase the likelihood that no risks are left unaddressed and resources be adequately allocated and linked to the business and risk strategy of a bank.
- Proportionality is warranted, commensurate with a bank’s core business activities, its size, risk profile, and geographical footprint. There is no one-size-fits-all in the realm of CMFs, and just as every bank possesses its own idiosyncrasy, so too must its CMF’s central features be tailored to reap maximum benefits.
- Flexibility. If History teaches us anything, it is that no two crises are the same, which requires banks to be flexible enough to adapt rapidly to any new crisis, no matter whether this crisis is of financial, operational or mixed nature. CMFs need to include flexibility valves so that their central features (e.g. activation/de-activation of phases, response bodies, plans, etc..) can be fine-tuned depending upon the circumstances. Automatisms should be discouraged and can never substitute professional acumen and expertise.
In line with the above, it is important to ensure that Plans and their measures therein can be adapted to a broad range of scenarios (based on a complete list of identified triggers and vulnerabilities). To increase their practical purpose, one can leverage on practical manuals, such as playbooks which provide a summarized step-by-step approach that can be read at a glance and facilitate prompt execution and decision making.
- Formalization. To be credible (particularly under the eyes of regulators), CMFs require formalization and therefore should be backed by a robust regulatory tree containing the internal norms (e.g. models, policies, procedures, terms of reference, etc.) which are periodically reviewed and updated drawing on current developments (e.g. new regulatory requirements) and lessons learnt from simulated events of stress (e.g. dry runs) and real-time ones.
- Awareness: Training is of paramount importance to ensure that each key person in the organization is familiarized with their roles and responsibilities regarding crisis management and prior stages of stress. A highly effective means of achieving this is by performing on a continuous basis dedicated “coaching” sessions and simulation exercises which test capacities and abilities to optimally react and respond to events, and, not least, draw lessons going forward to further strengthen crisis management arrangements. Furthermore, as stated earlier, convening in BAU crisis management bodies to review and approve RRP and crisis management matters strongly enhances overall preparedness and awareness in the organization.
This article is featured in Frontiers in Finance – Resilient and relevant
The resilient bank of the future resonates
COVID-19 has spurred a fundamental re-assessment of what it means to be a truly resilient bank: one in which operational considerations cannot be detached from, nor understood without, their corresponding financial reflection. CMFs provide the underpinnings to coherently integrate both sides of the same reality by leveraging on commonalities that yield synergies and efficiencies.
In our turbulent times, it has become all too evident that it is not enough for banks to be reactive, they should be proactive. As such, being on the ready can make all the difference between averting a crisis or confronting one ill-prepared.
For this reason, crisis management and ensuring resilience will become the new ethos for the bank of the future – and, needless to say, it is fast gaining traction in the agenda of supervisors and regulators who will expect, in turn, greater degrees of credible engagement from managers and Board members alike on these matters.
And, in a world in which COVID-19 has placed front and centre the relevance of Environmental, Social, and Governance (ESG) matters, it is our belief that CMFs can also play an important role in this domain by ensuring that banks are resilient and are contributing to safeguarding first and foremost the public good of financial stability – whilst avoiding the real economic and social impacts of failing to do so.
At a time in which there are powerful forces at play redefining our “new normal,” those banks which are underpinned by CMFs will have the upper edge in the future. They will have understood the relevance of aligning purpose with profit, and, with this renewed impetus, they will resonate in society.
1E.g. The EU’s Bank Recovery and Resolution Directive (2014) is often referred to as the “Crisis Management Directive.”
2Acronym first used in 1987, drawing on the leadership theories of Warren Bennis and Burt Nanus.
3See e.g. PRA CP 29/19 ‘Operational Resilience: Impact tolerances for important business services’ (05.09.2019), BCBS Consultation Paper ‘Principles for Operational Resilience’ (06.08.2020), Fed et. al ‘Sound practices to Strengthen Operational Resilience’ (30.10.2020)
4There is no global standard on what exactly constitutes a critical operation. Here, a critical operation is defined along the BCBS ‘Principles on Operational Resilience’ as a business activity (or related activities, processes, services and their relevant supporting assets), the disruption of which would be material to the continued operation of the bank or its role in the financial system.
5Typically, “First Line:” Busines Management Areas; “Second Line:” Risk and Compliance and Conduct; “Third Line:” Internal Audit.
Dr. André Fischer
Senior Manager, Financial Services, Risk Banking
KPMG in Germany
Jose Maria Fernandez Lachica
Jose Maria is a Manager at the Santander Group’s Crisis Management Global Office (Financial Division) which is responsible for the continuous fine-tuning and practical implementation of the Crisis Management Framework in all of the Group’s main Units (Europe, North and South America, and Asia).
Stay up to date with what matters to you
Gain access to personalized content based on your interests by signing up todaySign up today