UK Finance Webinar Recap: Operational Resilience – Lessons Learnt from the Crisis
The Pandemic Crisis has offered the financial services sector a live stress test environment to assess its planning, systems, and processes for Operational Resilience. To explore this and see how institutions have fared so far, the trade group UK Finance recently hosted an Operational Resilience Webinar.
It featured Sam Lee, Head of Operational Risk EMEA at Sumitomo Mitsui Banking Corp., Jay Fitzhugh, Chief Regulatory Officer, GRC Mitratech, Andrew Rogan, Director, Operational Resilience at UK Finance, and myself.
The concept of Operational Resilience – enhancing systems and processes to maintain operational robustness and maintain market confidence – has been an emerging theme over the last 2-3 years across the world. With plans to introduce a regulatory compliance framework in Q1 2021, the UK is leading this, with formal compliance due in 2024.
The panel had a robust discussion around whether COVID had been a significant test for Operational Resilience. From a host of industry conversations, all felt that COVID had bought home the need for Operational Resilience very firmly. It has raised the profile, and value, of being systematically resilient, highlighting gaps and robustly testing those Operation Resilience frameworks that were in place.
Where these had fallen short, firms have responded very quickly, accelerating the adoption of new systems and processes far faster than they used to. However, there was also a view that COVID had been a good test of crisis management, rather than Operational Resilience itself.
Sam Lee felt that the focus of Operational Resilience was to be proactive and forward-looking while demonstrating resilience to stakeholders. He believed the (outstanding) response to COVID has been primarily reactive. One lesson for Operational Resilience will be the need to be circumspect when drawing the lessons of the response to COVID. The next significant crisis will likely need a different reaction than that brought on by the pandemic.
Policy Management’s role in Operational Resilience
There was broad agreement on the panel for the way that organizations had handled Policy Management. Usually, this is a conservative topic, with policies for many aspects of business processes reviewed yearly. This year many policies have been reviewed weekly or monthly, which has helped businesses to appreciate fully the value of well-defined and managed policies.
However, the overhead of reviewing, implementing, and monitoring constantly changing policies has put many manual processes under excessive strain, both within the business and its supply chain. Everyone felt that automated policy management and vendor risk management were areas where time and money had been heavily invested in the UK and the US in 2020. It was a trend everyone anticipated continuing into 2021.
The challenge of proportionality
The panel also felt that COVID had highlighted the issue of proportionality in how organizations had shaped their response. Proportionality – how one can address a problem in different ways, given the different sizes of many institutions – is at the heart of the UK’s principles-based regulatory approach. Proportionality drives flexibility, which allows organizations to implement different systems and processes that meet their unique requirements. It also allows for greater risk sensitivity.
As Sam Lee pointed out, there might be situations where, for example, a smaller institution might not be able to find out who is in their fourth tier of suppliers. They might decide that not having visibility of this – given the effort and costs involved and the likely limited risks – is an acceptable business risk. It would need to fall within normal risk parameters and be approved, documented, transparent, and auditable.
MRM and EUC usage
An issue that I flagged during our discussion was Model Risk Management (MRM) and End User Computing (EUC) applications. Models have been put to good use during the Pandemic, helping analysts and management navigate the potential impact of economic slowdowns, vaccines, inflation, and unemployment, for example, on lending, borrowing, and the balance sheet of an institution.
EUCs, especially spreadsheets, have been used extensively in modeling and other areas for many years in Banks. Extensive homeworking has led to an even greater increase in their use. The lack of controls in these applications, compared to IT-managed applications, exposes an institution to a range of operational, reputational, and regulatory risks.
In response to COVID, risk and compliance teams are stepping up their efforts to integrate the management of their corporate-IT and EUC applications, especially around MRM. Their goal is to maintain the flexibility that EUCs bring while still delivering transparency to stakeholders and management.
The panel wrapped up discussions with how Mitratech was helping customers enhance their resilience during the pandemic. The key areas were policy management, vendor risk management, and model risk management. These were all very dynamic areas where the assessment and review cycle had been dramatically reduced, as the commercial, HR, and legal situation changed to reflect changes in the pandemic’s impact. The automation these solutions delivered were proving to be a game-changer for many.
Watch the webinar using the link below. Or learn more about how to enhance your Operational Resilience here.