A pertinent question for most financial services professionals today is: “What changes should we be making to our risk and control framework as a result of the Covid-19 pandemic.” The answer is that it is far too early for anything like a complete and final list of adjustments. The initial shock to the operational ecosystem of financial services firms as a result of the pandemic should not be underestimated. And the aftershocks of the pandemic will continue to play out for some time, meaning that risk and control frameworks will continue to be in flux. In short, change is the only certainty.
However, firms can start to take action now to put their operational risk and controls frameworks on an improved footing to meet what are sure to be challenging times ahead. Five steps firms should be taking today include:
1. Review your operational risk management processes – What did the pandemic reveal about your existing operational risk and control framework? How agile was it under pressure? Could it deliver high quality information to stakeholders in a timely fashion, to inform decision-making? Did it enable stakeholders to communicate about emerging risks? Or rapidly resolve process breakdowns in response to control alerts? Many firms found that during the peak of the crisis, manual processes within their operational risk and control framework – based on emails, spreadsheets, and shared folders – did not bear up under pressure. As a result, the pandemic is accelerating digital transformation across many organizations, and particularly within their governance, risk and compliance (GRC) teams.
2. Consider how your operational risks might evolve – The changes wrought by the pandemic have altered the likelihood and impact of many existing risks for firms. For example, remote working – often working from home (WFH) – effected compliance requirements around the monitoring electronic communications, sharing of material non-public information (MNPI), and managing levels of cyber risk exposure. WFH has also caused deterioration in the mental health of many employees, which could create operational risks through errors, fraud, or diminished decision-making capacity. Firms should consider running a risk and control self-assessment (RCSA) exercise soon, if they have not already, to begin to capture changes to existing risks. There are also emerging risks, which need to be identified and understood – these could be tackled through brainstorming within groups that include all three lines of defence.
3. Rethink your controls – Are some controls now more likely to fail? Will the firm need additional controls, or different controls? For example, if your firm is moving rapidly to digitise its supply chain and its customer channels, what new controls will the firm need? Which controls broke down during the pandemic and need to be adjusted or replaced? How has your firm’s controls appetite changed since January 2020? Specifically, how is it changing your:
- Causes controls appetite – This is the appetite for controls that can prevent a loss event from happening. By their nature, causes controls will only change the likelihood of a loss event happening.
- Effects controls appetite – This is linked to management’s willingness to correct for the effects of the impact of a loss event on the business. Again, by their very nature effects controls will only change the impact that a loss event has had on an organization.
- Controls relationships – Consider modelling control clusters to obtain a deeper understanding of the consequences of failure of individual controls
4. Update your stress test programme – At the beginning of 2020, most firms did not have a stress test that covered pandemics. Today, firms should have remedied that oversight, particularly as it’s clear that Covid-19 will be with us in one form or another for quite a while. However, there are other stress tests firms should be performing, too. For example, for some time now the FCA has been encouraging firms to think through how customer relationship risk might change in a downturn, by performing a stress test. Firms should also review their stress test processes to ensure that they are producing useful insights.
5. Connect operational risk to operational resilience – The Basel Committee on Banking Supervision made it clear in its August 2020 paper that operational risk and operational resilience should be explicitly linked within firm’s approaches. What this means in practice is that these two disciplines can leverage each other’s data and workflows. This is important for firms who need to make fast progress around operational resilience – not just to ensure compliance with new rules that will probably emerge in 2021, but to make the firm have genuine operational resilience in the face of what looks to be a turbulent 24 months ahead.
In short, while it’s almost impossible for firms to predict what might be lurking around the corner at the moment, they can take important steps to make their operational risk and controls framework more robust. These can help ensure the firm thrives in these changing times.
To learn more about how you can improve your approach to operational risk and controls through technology, consulting and training, please call or email us.