European Banking Authority: Operational Resilience a Key Issue for European Banks in 2022
Despite the occasional operational issue, European banks, like their peers in Asia, the US, and the UK, are generally in good financial shape to weather the current economic storms reverberating around the world. This picture is reflected in the recent Annual Risk Assessment published by the European Banking Authority (EBA).
The UK’s Prudential Regulatory Authority (PRA) regulations in this area – SS1/21 and SS2/21 – come into effect in March 2022. The influence of these regulations covers institutions themselves and the third parties they use to deliver their services. Plans are in development to extend the provisions of Operational Resilience to creating a register of incidents, to the third-party arrangements themselves, and potentially even to regulating the most important third-party suppliers as well.
While challenges remain – with continued low interest rates, slow economic growth combined with inflationary pressures, and the impact of Brexit on the European banking system being just a selection – the picture painted by the survey is that EU banks have strong balance sheets. They have good liquidity reserves and are making an essential contribution to the growth of countries in the EU.
Nonetheless, that positive picture belies several challenges banks face in the EU. While the EU economy recovers well from the impact of the last two years, the ongoing nature of the pandemic may drive future economic shocks. Equally, the continued involvement of UK-based central counterparties (CCPs) for clearing EU-based transactions for derivatives is considered increasingly risky, post-Brexit. The EBA has also highlighted operational resilience as an essential issue for banks across the EU.
The significance of the EBA’s focus on operational resilience
The EBA’s focus on operational resilience is significant and reflects the enhanced focus on this area by regulators worldwide. In part, this focus echoes the efforts that governments, regulators, and taxpayers put in place to support the financial services sector after the financial crisis. Having spent billions in helping a range of institutions, regulators are highly disinclined to see new sets of challenges emerge within the same sector.
Another driver is the changing nature of financial services themselves. Low interest rates are driving institutions to deliver new products and services that use digital capabilities to offer new routes to market with new audiences. At the same time, constant cost pressures compel banks to broaden the scale and scope of their supply base and their partnerships in a way that supports business development.
If you include the increasingly widespread use of remote working – with its operational and security complexities – it is easy to understand why the EBA explores operational resilience in some detail in its report.
There are several areas the EBA focuses on in the report.
Cyber risk is a significant source of potential operational risk, and a threat to resilience, because of the increasing digitization of core banking services. Hybrid working has further accelerated this process. That said, banks are very aware of the threats they and their customers face, have invested heavily in their systems and processes to counter growing cyber threats, and will continue to do so.
Third-party risk also presents a significant risk to EU banks and reflects the changing way that they globally source and deliver their services.
Historically, banks have primarily sourced and delivered their core services themselves while outsourcing peripheral services like payroll or facilities management. Now that concerns about the security of cloud-based computing systems have been addressed, banks have invested heavily in the power, flexibility, and scalability that cloud computing can offer.
Clearly, this introduces complexity to a bank’s operations, as it means that a small range of key cloud service providers are core to a bank’s business and technical operations. First, for a bank, this means that a cloud service provider’s issues become, in a way, the bank’s issues. Second, the small number of cloud service providers and the widespread adoption of their services creates a concentration risk, both for individual banks and the wider banking sector.
This situation is exacerbated by banks’ use of third-party technology, application, and data providers, who also use the same small number of cloud service providers. It can mean that a bank has an ever more complex supply chain at a time when regulators across the world are pushing for more visibility and enhanced management controls for supply chains in banking.
Remote working practices present a challenge to operational resilience as well. Many institutions still use manual processes to support core business processes, with Excel spreadsheets often being the ‘go-to’ tool. While spreadsheets have always been popular, their significance has grown further over the last two years as they have helped many teams work remotely. The power and flexibility of spreadsheets allow users to create their own End User Computing (EUC) applications that fall outside the control and influence of the corporate IT function. However, these applications lack the controls that provide the auditability and transparency needed to meet the EBA’s expectations around operational resilience, and missing data and calculation errors have the potential for significant impact on the business.
How can institutions best respond to these developments?
From working with our customers and discussing the issues with industry practitioners, two initiatives are proving effective.
Third-party Risk Management (TPRM) is designed to help an organization proactively manage complex and deep supply chains, so that issues around the resilience of one part of it do not turn into a major resilience issue for the prime customer. Powerful SaaS-based capabilities offer a decentralized but robust approach to managing suppliers deep into the third, fourth and fifth level supply chain. Delivering this would need a centralized repository containing the relevant contracts, policy standard documentation, and the risk profiles of the various suppliers. Risk and compliance teams can monitor the various elements of the supply chain proactively, so they can respond swiftly if issues emerge at any level before a minor issue develops into something more serious.
Another initiative banks are pursuing is spreadsheet risk management, which allows them to bring enterprise-strength controls to their most critical spreadsheets. These capabilities allow banks to proactively monitor these spreadsheets to identify issues – missing data, broken links, or formula errors, for example – that can impact a bank’s operational resilience.
A spreadsheet inventory provides a foundation for centralizing the management, review, and visibility of critical spreadsheets used in the business. It also provides a repository for essential documentation required for defining and controlling core spreadsheets used in a company.
Powerful spreadsheet discovery capabilities help identify key spreadsheets that need to be proactively monitored, so that issues can be captured, fixed, and reported.
Mitratech’s GRC Platform offers powerful capabilities that help financial institutions across the world enhance their Risk Management capabilities and deliver value fast.
How can you best deliver this?
Spreadsheet risk management capabilities allow companies to apply enterprise-strength controls to their most critical spreadsheets. These capabilities allow banks to proactively monitor these spreadsheets to identify issues – missing data, broken links, or formula errors, for example – that can impact a business’ Operational Resilience.
A spreadsheet inventory provides a foundation for centralizing the management, review, and visibility of the critical spreadsheets used in the business. It also provides a repository for the documentation essential for defining and controlling the core spreadsheets used in a company.
Powerful spreadsheet discovery capabilities help to identify the key spreadsheets that need to be proactively monitored so that issues can be captured, fixed, and reported.
Third-party Risk Management (TPRM) capabilities help an organization to proactively manage complex and deep supply chains so that issues around the resilience of one part of it do not turn into a major resilience issue for the prime customer. Powerful SaaS-based capabilities offer a decentralized but robust approach to managing suppliers deep into the third, fourth and fifth level supply chain. Delivering this would need a centralized repository containing the relevant contracts, policy standard documentation, and the risk profiles of the various suppliers. Managers can monitor the various elements of the supply chain proactively, so they can respond swiftly if issues emerge at any level before a minor issue develops into something more serious.