ACTIVATING OPERATIONAL RESILIENCE IN THE WAKE OF THE COVID-19 CRISIS - Six critical actions for banking executives

Page created by Jaime Mendez
 

Subas Roy
Anna Maria Rosati
Activating operational resilience in the wake of the COVID-19 crisis

             The coronavirus (COVID-19) crisis is continuing to have a significant
             adverse impact on people’s lives as well as the economy of most
             countries. In the months and years ahead, this will rewrite the way
             Corporate, Commercial and Retail banks are operated.

             Banking executives (CXOs) will need a plan that accelerates the
             digitization and automation of many activities, relies less on third
             parties and provides an even stronger core with robust operational
             resilience that is able to withstand sudden shocks such as the
             current crisis.

             This work needs to start now, led by the CEO and with coordinated
             response from the CXOs including Operations, Technology, HR and
             Risk functions. Focus should be given to continuing critical customer
             services, applications, data and technology infrastructure while
             minimizing the risks of fraud, data leakage, data protection, and
             cybersecurity issues created by third parties.

             The six key actions mentioned herein will enable the banking CXOs
             to provide stable services and will activate this operational resilience.
             It draws from our collective experience of working with a number of
             banks across the Americas, EMEA and Asia, including the changing
             outlook from key regulators, globally.

© Oliver Wyman

             ISSUES THAT REQUIRE AN OPERATIONAL
             RESILIENCE GAME PLAN
             Banks are facing severe operational and technology issues. Social distancing and remote working
             for a prolonged period is creating new business continuity challenges that were unfathomable
             even a few weeks ago. As such, the banking chiefs – including the chief operating officer (COO),
             chief information officer (CIO), chief risk officer (CRO), chief information security officer (CISO) –
             must tackle the challenges through a set of emergency resilience measures:

             Managing the crisis through continuity of operations in a non-digital-ready environment.

             Compared to other industries such as Big Tech, Retail or Telecommunications, banks have so far
             scored lower on the digital maturity index, including, for instance, slower digitization of
             customer-facing channels and poor penetration of smart cloud-based solutions. Banks, therefore,
             need a rapid assessment of their business-critical services in order to respond well to this crisis. A
             number of regulators, including the Financial Conduct Authority (FCA) in the United Kingdom,
             have already raised the point that banks will need to maintain resilience in their critical business
             services, set impact tolerance and perform risk scenario analysis to stay afloat.

             FCA: “firms should focus more effort and resources on achieving the
             continuity of their important business services in the event of severe
             operational disruption, and not just on recovery of the underlying
             systems and processes”

             Managing uncertainty and the continuous evolution of the pandemic: COVID-19 has also
             made the business environment uncertain. For instance, tumbling activities in the service
             sector have made it difficult to plan ahead, in addition to clients and employees operating from
             different locations or asking for new services that require rapid turnaround. For banks operating
             across multiple jurisdictions at different stages of the pandemic, these risks compound and
             make it even more difficult to provide sustained operations and services. Banks therefore have
             to cope with the situation and prioritize certain tasks, testing the limits of their
             technology and operations while also addressing the evolving risks.

             Dealing with increasing cybersecurity and data privacy risks in a chaotic work
             environment. Continual remote working involves accessing sensitive applications (such as
             bulk payments clearing and interest rate positioning) over home internet, often with mid-to-low
             grade security protocols. This, coupled with limited awareness of potential data privacy risks (for
             example, use of bring your own device and third party applications) and of cybersecurity,
             and an increased attack surface through malware, phishing, and denial of service, further
             exposes vulnerabilities, as was recently highlighted by the European Central Bank.


             Taking financial crime risks into consideration, including fraud attempts, which are also
             rising, fuelled by a series of new payment requests including Government grants. Across
             Europe, banks are reporting a dramatic surge in payment activities in recent weeks. Banks will
             need to accelerate the implementation of advanced fraud detection techniques, including digital
             identity verification and transaction monitoring checks, to combat and reduce the risks of fraud
             and money-laundering.

             Sustaining workload, accelerating digital efforts and balancing resources to ensure
             constantly changing and often increasing work volumes are prioritized and addressed
             accordingly. Digital innovation and acceleration have been driven in certain areas of the bank,
             but not to the scale required to respond to the current situation. A key challenge will be to align
             different objectives between Operations, Technology and Risk colleagues in the bank requiring
             definition and establishment of an operational resilience game plan. This game plan should look
             to achieve balance between workload priorities and resource mobilization among three lines of
             defense (3LoDs).

             HOW TO RESPOND
             Banks will need to adjust their response as the pandemic extends from months to quarters. As
             such, there are three phases of response that banks need to be prepared for.

             1. Emergency response (now, as the disease continues to spread). The priority is to guarantee
                the continuity of operations, providing rapidly extended remote working services for the
                employees and maintaining execution of business critical and customer related activities,
                while safeguarding against the key risks highlighted above.
             2. Intermediate response (from now and over next several months, Q2 and possibly Q3
                2020). Focus needs to be on stabilizing the operating environment with a combination of
                digital and other work-around solutions. A unified operational resilience war room that is able
                to document and analyze various risk scenarios with rapid responses, scalable cost-efficient
                secure remote working including priority third party services will be key during this period.
                The operational resilience war room should be able to deliver a structured, forward-looking
                risk scenario analysis that is able to map and predict the financial and operational impacts
                 of key supply chain issues, prolonged unavailability of branch network and/or other critical
                 services, infrastructure and network, and third-party connectivity issues. Cybersecurity, data
                 leakage protection and fraud risk management should also be enforced in line with the risk
                 appetite of the bank and as per the expectation set by regulators. The “war room” should
                 also deal with multiple risk scenarios and outcomes based on the impact tolerances that are
                 driven by a clear set of self-assessment questions.
             3. Longer-term response (2020-2021). In the months ahead, banks will need to utilize
                the lessons learned from the previous phases, while also evaluating the impact on their
                future strategy and budget. Developing further operational resilience to deal with future
                uncertainties and operating remotely yet successfully will become the “new normal”. Banks
                should be able to achieve this by delivering a robust change strategy that facilitates digital
                acceleration with a focus on cost and efficiency, while extending their digital channels to create
                a path for remotely accessible service for their clients available 24 hours a day, 7 days a week.


             Developing operational resilience to deal with future uncertainties
             and operating remotely will become the “new normal”.

             Exhibit 1. Key operational resilience considerations by response phases

             1. Emergency
              • Have you identified your critical staff, data, technology and infrastructure, third parties?
              • How are you responding to incidents at scale?
              • How are you defining the trade-offs between rapid remote services and key cyber/fraud/privacy risks?
              • How are you reprioritizing staff capacity for critical services?

             2. Intermediate
              • How are you building your operational resilience war room in order to track events and risks, compare across scenarios and provide solutions?
              • What is the most cost-effective and secure approach to continual remote working and customer service?
              • How can you define and roll out a crisis management, risk appetite action plan that further strengthens your operational resilience?
              • What needs to be done to address any regulatory questions, including forbearance?

             3. Longer-term
              • How will you measure the impact of coronavirus crisis on your strategic direction, future growth plans and investments?
              • What will be the critical items for inclusion in the budgetary review process?
              • How can you further accelerate a digital strategy that also looks at your dependency on third parties for critical data services, products and solutions?
              • How will your new operational resilience game plan change the future direction of risk management, including more integrated three lines of defense (3LoDs)?

             6 CRITICAL ACTIONS FOR BANKS IN ADDRESSING KEY OPERATIONAL
             RESILIENCE ISSUES

             1. Deploy an industrialized approach to your operations, incident and crisis management
             Mobilize a secure, virtual operational resilience war room or central command center focused
             on continuing critical operations and services. Promote forming multi-skilled SWAT teams,
             for instance, Proposition and Sales, Products and Services, Technology and Operations, Risk
             and Compliance specialists working together by region, product or client segments and
             using technologies that enhance productivity in a remote working scenario. Assign such
             SWAT teams to these critical operations and services, and set a risk impact tolerance for each of
             the tasks assigned. Take a number of control steps including daily check-ins and daily close,
             management of information dashboards for risk scenarios, regular communication, and
             empathetic messaging to staff and third parties providing critical services. Also ensure that
             you build enough spare capacity while setting up the impact tolerances for critical services,
             infrastructure and operations as sudden shockwaves or unexpected disrupting events will
             occur as part of the new-normal. Keep a close watch on the central banks and key regulators
             impacting your business, lending capacity and overall balance sheet position.


             Set up a structured, forward-looking risk scenario analysis, predicting the events that could lead
             to further disruption or where issues might re-occur (for instance, repeated third party service
             failures or a new fraud pattern requiring adjustment of your surveillance checks). Aim to be
             prepared for when such events occur, reducing recovery time or even preventing the occurrence
             of such an event at all (for example, establishing ability to choose from a pool of third parties to
             ensure critical service provision).

             2. Protect your most critical assets and services from cybersecurity risks
             Banks will already have adopted many cybersecurity controls, but they will now need to assign
             priority to these controls and decide how controls will be applied to each group of assets. As
             such, focus must be given to continuing the most critical services and operations, for instance,
             interaction with customers, bulk payments processing, clearing and settlements, opening
             and closing of accounts, daily checks, and transactions reporting. Most of these activities should
             already be performed remotely, and banks therefore will need to assess cyber vulnerabilities and
             prioritize any testing.

             As such, the cybersecurity function should support the war room by providing clear guidelines
             on accessing cloud-based applications through desktop apps, together with must-have security
             protocols for employees and third parties working on a bring your own device (BYOD) basis, for
             those working over a virtual private network vis-à-vis unsecured networks, for interactions on
             social media and/or chat engines, and for authentication and passwords. Such risks must be
             quantifiable and reportable through the consolidated risk tolerance of the bank.

             3. Be vigilant on new data privacy and data leakage issues
             Remote working, including rapid response to new requests from customers and key stakeholders,
             will give rise to new data confidentiality, data privacy and data leakage issues. Establish a tight
             control mechanism as part of your emergency and intermediate response game plan.

             All staff and third parties working remotely shall be routinely reminded of their individual and
             collective responsibility to comply with these rules. Often, governments and regulators may relax
             some privacy rules to trace mobility of individuals to track down and minimize the impact of
             the virus. Any such steps, if taken by the banks, must be communicated to and approved by the
             executive management. A clear list of such exceptions must be maintained.

             4. Avoid exacerbating third party and outsourcing risks
             The critical infrastructure and services listing must help identify where and how third party and
             other outsourcing services are being used during the crisis. It should also assess the impact of
             the lockdowns across other jurisdictions (for example, in India, the service centers were closed
             with the employees working from home), including key risks such as data leakage, identity and
             access, cybersecurity and service continuity, and how this impacts the overall impact tolerance
             and risk appetite of the bank.


             This also raises key issues around managing and governing the commercial and business
             relationship with the third parties, as in most cases these will not be integrated across the
             organization. Banks will therefore need to assess the impact of their decisions to either reduce or
             change third party service provisions on their business relationships. At such times of stress, it will
             be important to demonstrate solidarity and maintain regular communication with all third party
             service providers irrespective of their relative importance or access to critical data and services.

             5. Limit fraud and money-laundering risks
             The National Crime Agency of the United Kingdom is already reporting a surge in fraud and
             money-laundering attempts in the wake of the COVID-19 crisis. Banks need to be extra careful
             when processing transactions, including new payment requests increased by the announcements
             of grants by most of the European Governments.

             Steps should be taken to use existing fraud and transactions monitoring data and technology
             solutions, including designing and building in new payment fraud scenarios, and boosting
             the accuracy of such data models by changing the impact thresholds and corrective actions for
             the next few months. This should also include analyzing various data sources and leveraging
             available analytics, and reaching out to the regulators and the regulatory technology (RegTech)
             solution providers to ask for help. The “war room” should also support updating the standard
             policies and controls that ensure only the mission-critical checks are performed in totality,
             including necessary documentation.

             This set of new controls and daily checks will significantly limit the operational and transactional
             fraud attempts, and bogus claims from new customers asking for benefits.

             6. Uphold teamwork, staff morale and emotional resilience
             As remote working extends beyond weeks into months, the bank’s chiefs including COOs, CIOs
             and CROs need to work together to uphold teamwork, integrity and the ethos of staff, and key
             decision-makers. This pandemic will test emotional resilience as it changes our usual lifestyles
             and it is important to be able to adjust to new work-life balance scenarios, with the same level
             of priority afforded to workloads, without being pedantic. Operational resilience must routinely
             consider teamwork, integrity, morale and mental health as key considerations for successful
             response and business continuity.

             Existing 3LoDs activities should be reviewed, prioritizing customer facing work and delaying
             or abating routine assurance tasks. As such, the human-resource department should also
             look at policies and practices to ensure that appropriate flexibilities are provided with clear
             communication channels for all concerned. Any exceptions, if granted, must be approved and
             communicated by the senior executives.


             CONCLUSION
             The coronavirus crisis will leave a profound impact on the future of banking and how banking
             services are delivered. Self-sustainability will become a major theme in which banks will need to
             be able to foresee and manage their risks, reduce dependencies on third parties and prioritize
             among key activities. They will need to be better and faster in how they deploy and use digital
             technologies, including automation, achieving further cost and efficiency targets.

             Operational resilience will become the new imperative for banks. As has already been
             described by a few regulators, it should be integrated with risk appetite, setting impact tolerance
             on the provision and availability of critical activities in this time of distress. This will inform
             the Board and the senior management on how to react when another disruption similar to
             COVID-19 occurs, and could also be used in running the bank in this new-normal to make
             informed decisions on investments or to expand into new products or territories.

             Banks have the opportunity to learn from the Covid-19 crisis in a way
             that defines a new resilience strategy and future operating model.

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialised
expertise in strategy, operations, risk management, and organisation transformation.

For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at
one of the following locations:

EMEA                                   Americas                               Asia Pacific
+44 20 7333 8333                       +1 212 541 8100                        +65 6510 9700

AUTHORS
Subas Roy, Partner
Anna Maria Rosati, Principal

CONTRIBUTORS
Murat Abay, Partner
Tom Ivell, Partner
Dominik Kaefer, Partner
Pankaj Khanna, Partner
Mark James, Partner
Michael Heaney, Principal

Copyright © 2020 Oliver Wyman
All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman
and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.
The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on
for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every
effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind,
express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no
liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources
of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The
report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written
consent of Oliver Wyman.

Oliver Wyman – A Marsh & McLennan Company                                                                                www.oliverwyman.com