ACTIVATING OPERATIONAL RESILIENCE IN THE WAKE OF THE COVID-19 CRISIS - Six critical actions for banking executives
Subas Roy
Anna Maria Rosati
The coronavirus (COVID-19) crisis is continuing to have a significant adverse impact on people’s lives as well as the economy of most countries. In the months and years ahead, this will rewrite the way Corporate, Commercial and Retail banks are operated. Banking executives (CXOs) will need a plan that accelerates the digitization and automation of many activities, relies less on third parties and provides an even stronger core with robust operational resilience that is able to withstand sudden shocks such as the current crisis.

This work needs to start now, led by the CEO and with a coordinated response from the CXOs, including the Operations, Technology, HR and Risk functions. Focus should be given to continuing critical customer services, applications, data and technology infrastructure while minimizing the risks of fraud, data leakage, data protection, and cybersecurity issues created by third parties.

The six key actions mentioned herein will enable the banking CXOs to provide stable services and will activate this operational resilience. They draw on our collective experience of working with a number of banks across the Americas, EMEA and Asia, including the changing outlook from key regulators globally.

© Oliver Wyman
ISSUES THAT REQUIRE AN OPERATIONAL RESILIENCE GAME PLAN

Banks are facing severe operational and technology issues. Social distancing and remote working for a prolonged period are creating new business continuity challenges that were unfathomable even a few weeks ago. As such, the banking chiefs – including the chief operating officer (COO), chief information officer (CIO), chief risk officer (CRO), chief information security officer (CISO) – must tackle the challenges through a set of emergency resilience measures:

Managing the crisis through continuity of operations in a non-digital-ready environment. Compared to other industries such as Big Tech, Retail or Telecommunications, banks have so far scored lower on the digital maturity index, including, for instance, slower digitization of customer-facing channels and poor penetration of smart cloud-based solutions. Banks, therefore, need a rapid assessment of their business-critical services in order to respond well to this crisis. A number of regulators, including the Financial Conduct Authority (FCA) in the United Kingdom, have already raised the point that banks will need to maintain resilience in their critical business services, set impact tolerance and perform risk scenario analysis to stay afloat.

FCA: “firms should focus more effort and resources on achieving the continuity of their important business services in the event of severe operational disruption, and not just on recovery of the underlying systems and processes”

Managing uncertainty and the continuous evolution of the pandemic. COVID-19 has also made the business environment uncertain. For instance, tumbling activity in the service sector has made it difficult to plan ahead, in addition to clients and employees operating from different locations or asking for new services that require rapid turnaround.
The compounding of these risks for banks operating across multiple jurisdictions at different stages of the pandemic makes it even more difficult to provide sustained operations and services. Banks therefore have to be able to cope with the situation and prioritize certain tasks, thereby testing the limits of their technology and operations, while also addressing the evolving risks.

Dealing with increasing cybersecurity and data privacy risks in a chaotic work environment. Continual remote working involves accessing sensitive applications (such as bulk payments clearing and interest rate positioning) over home internet, often with mid-to-low grade security protocols. This – coupled with limited awareness of potential data privacy risks (for example, use of bring your own device and third party applications) and of cybersecurity, and an increased attack surface through malware, phishing, and denial of service – further exposes vulnerabilities, as was recently highlighted by the European Central Bank.
Taking financial crime risks into consideration, including fraud attempts, which are also rising, fuelled by a series of new payment requests including Government grants. Across Europe, banks are reporting a dramatic surge in payment activities in recent weeks. Banks will need to accelerate the implementation of advanced fraud detection techniques, including digital identity verification and transaction monitoring checks, to combat and reduce the risks of fraud and money-laundering.

Sustaining workload, accelerating digital efforts and balancing resources to ensure constantly changing and often increasing work volumes are prioritized and addressed accordingly. Digital innovation and acceleration have been driven in certain areas of the bank, but not to the scale required to respond to the current situation. A key challenge will be to align different objectives between Operations, Technology and Risk colleagues in the bank, requiring the definition and establishment of an operational resilience game plan. This game plan should look to achieve balance between workload priorities and resource mobilization among three lines of defense (3LoDs).

HOW TO RESPOND

Banks will need to adjust their response as the pandemic extends from months to quarters. As such, there are three phases of response that banks need to be prepared for.

1. Emergency response (now, as the disease continues to spread). The priority is to guarantee the continuity of operations, providing rapidly extended remote working services for the employees and maintaining execution of business critical and customer related activities, while safeguarding against the key risks highlighted above.

2. Intermediate response (from now and over the next several months, Q2 and possibly Q3 2020). Focus needs to be on stabilizing the operating environment with a combination of digital and other work-around solutions.
A unified operational resilience war room that is able to document and analyze various risk scenarios with rapid responses, and scalable, cost-efficient, secure remote working including priority third party services, will be key during this period. The operational resilience war room should be able to deliver a structured, forward-looking risk scenario analysis that is able to map and predict the financial and operational impacts of key supply chain issues, prolonged unavailability of branch network and/or other critical services, infrastructure and network, and third-party connectivity issues. Cybersecurity, data leakage protection and fraud risk management should also be enforced in line with the risk appetite of the bank and as per the expectation set by regulators. The “war room” should also deal with multiple risk scenarios and outcomes based on the impact tolerances that are driven by a clear set of self-assessment questions.

3. Longer-term response (2020-2021). In the months ahead, banks will need to utilize the lessons learned from the previous phases, while also evaluating the impact on their future strategy and budget. Developing further operational resilience to deal with future uncertainties and operating remotely yet successfully will become the “new normal”. Banks should be able to achieve this by delivering a robust change strategy that facilitates digital acceleration with a focus on cost and efficiency, while extending their digital channels to create a path for remotely accessible service for their clients available 24 hours a day, 7 days a week.
Developing operational resilience to deal with future uncertainties and operating remotely will become the “new normal”.

Exhibit 1. Key operational resilience considerations by response phases

1. Emergency
• Have you identified your critical staff, data, technology and infrastructure, third parties?
• How are you responding to incidents at scale?
• How are you defining the trade-offs between rapid remote services and key cyber/fraud/privacy risks?
• How are you reprioritizing staff capacity for critical services?

2. Intermediate
• How are you building your operational resilience war room in order to track events and risks, compare across scenarios and provide solutions?
• What is the most cost-effective and secure approach to continual remote working and customer service?
• How can you define and roll out a crisis management, risk appetite action plan that further strengthens your operational resilience?
• What needs to be done to address any regulatory questions, including forbearance?

3. Longer-term
• How will you measure the impact of coronavirus crisis on your strategic direction, future growth plans and investments?
• What will be the critical items for inclusion in the budgetary review process?
• How can you further accelerate a digital strategy that also looks at your dependency on third parties for critical data services, products and solutions?
• How will your new operational resilience game plan change the future direction of risk management, including more integrated three lines of defense (3LoDs)?

6 CRITICAL ACTIONS FOR BANKS IN ADDRESSING KEY OPERATIONAL RESILIENCE ISSUES

1. Deploy an industrialized approach to your operations, incident and crisis management

Mobilize a secure, virtual operational resilience war room or central command center focused on continuing critical operations and services.
Promote the formation of multi-skilled SWAT teams, for instance, Proposition and Sales, Products and Services, Technology and Operations, and Risk and Compliance specialists working together by region, product or client segment and using technologies that enhance productivity in a remote working scenario. Assign such SWAT teams to these critical operations and services, and set a risk impact tolerance for each of the tasks assigned.

Take a number of control steps including daily check-ins and daily close, management of information dashboards for risk scenarios, regular communication, and empathetic messaging to staff and third parties providing critical services. Also ensure that you build enough spare capacity while setting up the impact tolerances for critical services, infrastructure and operations, as sudden shockwaves or unexpected disrupting events will occur as part of the new normal. Keep a close watch on the central banks and key regulators impacting your business, lending capacity and overall balance sheet position.
Set up a structured forward-looking risk scenario analysis, predicting the events that could lead to further disruption or where issues might re-occur (for instance, repeated third party service failures or a new fraud pattern requiring adjustment of your surveillance checks). Aim to be prepared for when such events occur, reducing recovery time or even preventing the occurrence of such an event at all (for example, establishing the ability to choose from a pool of third parties to ensure critical service provision).

2. Protect your most critical assets and services from cybersecurity risks

Banks will already have adopted many cybersecurity controls, but now they will need to assign priority to these controls and decide how controls will be applied to each group of assets. As such, focus must be given to continuing the most critical services and operations, for instance, interaction with customers, bulk payments processing, clearing and settlements, opening and closing of accounts, daily checks, and transactions reporting. Most of these activities should already be performed remotely, and banks therefore will need to assess cyber vulnerabilities and prioritize any testing.

As such, the cybersecurity function should support the war room to provide clear guidelines on accessing cloud-based applications through desktop apps, must-have security protocols for employees and third parties working on a bring your own device (BYOD) basis, those working on a virtual private network vis-à-vis unsecured networks, interactions on social media and/or chat engines, authentication and passwords. Such risks must be quantifiable and reportable through the consolidated risk tolerance of the bank.

3. Be vigilant on new data privacy and data leakage issues

Remote working, including rapid response to new requests from customers and key stakeholders, will give rise to new data confidentiality, data privacy and data leakage issues. Establish a tight control mechanism as part of your emergency and intermediate response game plan. All staff and third parties working remotely shall be routinely reminded of their individual and collective responsibility to comply with these rules.

Often, governments and regulators may relax some privacy rules to trace the mobility of individuals to track down and minimize the impact of the virus. Any such steps, if taken by the banks, must be communicated to and approved by the executive management. A clear list of such exceptions must be maintained.

4. Avoid exacerbating third party and outsourcing risks

The critical infrastructure and services listing must help identify where and how third party and other outsourcing services are being used during the crisis. It should also assess the impact of the lockdowns across other jurisdictions (for example, in India, the service centers were closed with the employees working from home), including key risks such as data leakage, identity and access, cybersecurity and service continuity, and how this impacts the overall impact tolerance risk appetite of the bank.
This also raises key issues around managing and governing the commercial and business relationship with the third parties, as in most cases these will not be integrated across the organization. Banks will therefore need to assess the impact of their decisions to either reduce or change third party service provisions on their business relationships. At such times of stress, it will be important to demonstrate solidarity and maintain regular communication with all third party service providers irrespective of their relative importance or access to critical data and services.

5. Limit fraud and money-laundering risks

The National Crime Agency of the United Kingdom is already reporting a surge in fraud and money-laundering attempts in the wake of the COVID-19 crisis. Banks need to be extra careful when processing transactions, including new payment requests increased by the announcements of grants by most of the European Governments.

Steps should be taken to use existing fraud and transactions monitoring data and technology solutions, including designing and building in new payment fraud scenarios, and boosting the accuracy of such data models by changing the impact thresholds and corrective actions for the next few months. This should also include analyzing various data sources and leveraging available analytics, reaching out to the regulators and the regulatory technology (RegTech) solution providers to ask for help.

The “war room” should also support updating the standard policies and controls that ensure only the mission-critical checks are performed in totality, including necessary documentation. This set of new controls and daily checks will significantly limit the operational and transactional fraud attempts, and bogus claims from new customers asking for benefits.

6. Uphold teamwork, staff morale and emotional resilience

As remote working extends beyond weeks into months, the bank’s chiefs, including COOs, CIOs and CROs, need to work together to uphold teamwork, integrity and the ethos of staff and key decision-makers. This pandemic will test emotional resilience as it changes our usual lifestyles, and it is important to be able to adjust to new work-life balance scenarios, with the same level of priority afforded to workloads, without being pedantic. Operational resilience must routinely consider teamwork, integrity, morale and mental health as key considerations for successful response and business continuity.

Existing 3LoDs activities should be reviewed, prioritizing customer facing work and delaying or abating routine assurance tasks. As such, the human resources department should also look at policies and practices to ensure that appropriate flexibilities are provided with clear communication channels for all concerned. Any exceptions, if granted, must be approved and communicated by the senior executives.
CONCLUSION

The coronavirus crisis will leave a profound impact on the future of banking and how banking services are delivered. Self-sustainability will become a major theme in which banks will need to be able to foresee and manage their risks, reduce dependencies on third parties and prioritize among key activities. They will need to be better and faster in how they deploy and use digital technologies, including automation, achieving further cost and efficiency targets.

Operational resilience will become the new imperative for banks. And as has been already described by a few regulators, it should be integrated with risk appetite, setting impact tolerance on the provision and availability of critical activities in this time of distress. This will inform the Board and the senior management on how to react when another disruption, similar to COVID-19, occurs, and could also be used in running the bank in this new normal to make informed decisions on investments or to expand into new products or territories.

Banks have the opportunity to learn from the COVID-19 crisis in a way that defines a new resilience strategy and future operating model.
Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialised expertise in strategy, operations, risk management, and organisation transformation.

For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at one of the following locations:

EMEA: +44 20 7333 8333
Americas: +1 212 541 8100
Asia Pacific: +65 6510 9700

AUTHORS CONTRIBUTORS Subas Roy, Murat Abay, Partner Partner Tom Ivell, Partner Dominik Kaefer, Partner Anna Maria Rosati, Pankaj Khanna, Partner Principal Mark James, Partner Michael Heaney, Principal

Copyright © 2020 Oliver Wyman

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.

Oliver Wyman – A Marsh & McLennan Company
www.oliverwyman.com