With the UK government now clearly gearing up for its coronavirus (or COVID-19) response, it’s important for financial services firms to consider what they should be doing as well. Below are some best practices that the team at RiskLogix believe firms – and in particular their operational risk teams – should be engaging in at the moment:
- Ensure a COVID-19, or coronavirus, response team is set up – Organizations should have a team coordinating the firm’s response globally, and operational risk should have a seat on this team. Operational risk should also be involved in any regional or business line-based sub-teams that are set up. These teams should be able to use existing business continuity planning resources as a starting point if these have been drawn up correctly. Help the teams to proactively identify and manage operational risks that are emerging – for example, compliance risks that might surface as a result of employees working off-site or from home for an extended period of time.
- Consider the relationship between credit risk, market risk and operational risk – While it is too early to say how big the economic impact of the coronavirus, or COVID-19, will be, it’s becoming increasingly clear that there will be one, and this will have implications for both credit risk and market risk at firms. Experience has shown that operational risk events often surface when the economic cycle turns – for example, with the Financial Crisis of 2008, mortgage fraud conducted months and years earlier accelerated the nature of an economic downturn. Already some operational risk incidents have bubbled to the surface – for example, some retail brokers in the US have experienced technology issues as a result of heavy equity trading volumes, including Robin Hood, Fidelity, TD Ameritrade and Charles Schwab. It could be a good time to proactively re-examine areas of known control weaknesses or underinvestment, or to have discussions with areas of the business that will be impacted about how to manage risks that may emerge.
- Revisit results of pandemic scenario exercises – Many organizations will have run pandemic scenarios at some point over the past decade as part of their operational risk scenario analysis programme, because of previous threats such as Ebola and SARS. If the results of these exercises have been documented, it is a good idea to revisit them for fresh insight into risks and controls relevant to the current situation. Share these insights with other members of the COVID-19 response team. If such a scenario exercise has not been run in the past – or even if it has – it could be a good idea to take the time to run one now with the team now, based on the impact of one or two economic scenarios on the organization.
- Ramp up operational resilience – Re-read the UK Financial Conduct Authority (FCA) recent consultation paper on operational resilience in light of the current COVID-19 situation. It can provide an excellent framework for thinking about the current situation. For example, identify important business services, and then map the people, processes, technology, facilities, and information that’s needed to keep them operational. Then identify vulnerabilities and how those could be made safe, including potential issues with third parties. Also consider the communications programmes that might be needed, and extra responsibilities that may rest on individuals as a result of the Senior Managers & Certification Regime, in light of the pressures and risks that COVID-19 could create.
- Be ready to learn lessons – Although there have been pandemic threats in the past, this is the first one to fully crystalise in many countries for some time. As a result, there will be lessons for boards, senior managers, and all three lines of defence to learn from the current situation. Consider now how the operational risk team can capture loss events, emerging risks, and control effectiveness information throughout the current crisis and share this information once the crisis is over. Consider now what kind of reports could be produced and the structure of a lessons-learned process.
To steal a phrase from the UK government, it’s important that firms hope for the best but prepare for the worst. Operational risk teams have the opportunity to add significant value to firms’ COVID-19 preparations, helping to improve outcomes for employees, customers, and other stakeholders.