Five ways to help an operational risk and control framework meet pandemic-induced change head-on

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

A pertinent question for most financial services professionals today is: “What changes should we be making to our risk and control framework as a result of the Covid-19 pandemic.” The answer is that it is far too early for anything like a complete and final list of adjustments. The initial shock to the operational ecosystem of financial services firms as a result of the pandemic should not be underestimated. And the aftershocks of the pandemic will continue to play out for some time, meaning that risk and control frameworks will continue to be in flux. In short, change is the only certainty.

However, firms can start to take action now to put their operational risk and controls frameworks on an improved footing to meet what are sure to be challenging times ahead. Five steps firms should be taking today include:

1. Review your operational risk management processes – What did the pandemic reveal about your existing operational risk and control framework? How agile was it under pressure? Could it deliver high quality information to stakeholders in a timely fashion, to inform decision-making? Did it enable stakeholders to communicate about emerging risks? Or rapidly resolve process breakdowns in response to control alerts? Many firms found that during the peak of the crisis, manual processes within their operational risk and control framework – based on emails, spreadsheets, and shared folders – did not bear up under pressure. As a result, the pandemic is accelerating digital transformation across many organizations, and particularly within their governance, risk and compliance (GRC) teams.

2. Consider how your operational risks might evolve – The changes wrought by the pandemic have altered the likelihood and impact of many existing risks for firms. For example, remote working – often working from home (WFH) – effected compliance requirements around the monitoring electronic communications, sharing of material non-public information (MNPI), and managing levels of cyber risk exposure. WFH has also caused deterioration in the mental health of many employees, which could create operational risks through errors, fraud, or diminished decision-making capacity. Firms should consider running a risk and control self-assessment (RCSA) exercise soon, if they have not already, to begin to capture changes to existing risks. There are also emerging risks, which need to be identified and understood – these could be tackled through brainstorming within groups that include all three lines of defence.

3. Rethink your controls – Are some controls now more likely to fail? Will the firm need additional controls, or different controls? For example, if your firm is moving rapidly to digitise its supply chain and its customer channels, what new controls will the firm need? Which controls broke down during the pandemic and need to be adjusted or replaced? How has your firm’s controls appetite changed since January 2020? Specifically, how is it changing your:

        • Causes controls appetite – This is the appetite for controls that can prevent a loss event from happening. By their nature, causes controls will only change the likelihood of a loss event happening.
        • Effects controls appetite – This is linked to management’s willingness to correct for the effects of the impact of a loss event on the business. Again, by their very nature effects controls will only change the impact that a loss event has had on an organization.
        • Controls relationships – Consider modelling control clusters to obtain a deeper understanding of the consequences of failure of individual controls

4. Update your stress test programme – At the beginning of 2020, most firms did not have a stress test that covered pandemics. Today, firms should have remedied that oversight, particularly as it’s clear that Covid-19 will be with us in one form or another for quite a while. However, there are other stress tests firms should be performing, too. For example, for some time now the FCA has been encouraging firms to think through how customer relationship risk might change in a downturn, by performing a stress test. Firms should also review their stress test processes to ensure that they are producing useful insights.

5. Connect operational risk to operational resilience – The Basel Committee on Banking Supervision made it clear in its August 2020 paper that operational risk and operational resilience should be explicitly linked within firm’s approaches. What this means in practice is that these two disciplines can leverage each other’s data and workflows. This is important for firms who need to make fast progress around operational resilience – not just to ensure compliance with new rules that will probably emerge in 2021, but to make the firm have genuine operational resilience in the face of what looks to be a turbulent 24 months ahead.

In short, while it’s almost impossible for firms to predict what might be lurking around the corner at the moment, they can take important steps to make their operational risk and controls framework more robust. These can help ensure the firm thrives in these changing times.

To learn more about how you can improve your approach to operational risk and controls through technology, consulting and training, please call or email us.

Related Posts

How to Foster a Culture of Risk Awareness in Your Bank: The Role of GRC Technology
The financial industry underpins the entire economic system by fostering trust and stability. Banks, a cornerstone of this ecosystem, play a critical role for individuals and businesses alike. For individuals, they act as trusted custodians, safeguarding hard-earned assets in the form of checking and savings accounts.  On a broader scale, banks facilitate commerce by offering …

How to Foster a Culture of Risk Awareness in Your Bank: The Role of GRC Technology Read More »

When managing People Risk, what are the key indicators?
In this, our final blog on the topic, we discuss the Key People Indicators for risk management. Operational Risk Software can be key to supporting this discipline.    Taken from: Mastering Risk Management  If people are, as a category, a firm’s biggest potential risk, it’s fair to ask what indicators are available to monitor that risk, …

When managing People Risk, what are the key indicators? Read More »

How do you mitigate People Risk?
In this blog we talk about key strategies for mitigating people risk and present a table to demonstrate context. Operational Risk Software can be key to supporting this discipline.    Taken from: Mastering Risk Management  Creating the right risk culture will do much to reduce people risks. After that, the fundamental way of mitigating those risks …

How do you mitigate People Risk? Read More »