
Notes on the Journey From Operational Risk to Operational Resiliency

Over the last few years, ProSight and RMA have taken significant steps to highlight the widening of the industry’s focus on operational risk to prioritize operational resiliency as well. For example, ProSight’s premier spring virtual conference, GCOR, and its former Operational Risk Council have added “resiliency” to their names and missions. More recently, members of the association’s RMA Toronto Chapter and Canada’s Office of the Superintendent of Financial Institutions (OSFI) authored a paper on how banks can strengthen operational resiliency in an era of increasing disruption.

While a primary purpose of the paper is to help banks comply with OSFI’s E-21 guidance on operational risk and resiliency, it provides several insights and ideas that can be applied universally. ProSight recently gathered three of the authors to expand on the paper in a conversation that covered how technology can help and hinder resiliency, the need for a new mindset in a faster-moving world of risks, and how resiliency can be a business opportunity as well as good operational hygiene.

Bryan Tamblyn, chief compliance officer at Cidel Bank Canada, said the growing focus on resiliency necessitates a mindset “about assuming that disruptions will occur like we saw with AWS. You need to plan and prepare for disruptions. They will occur. It’s just a matter of when.”

“Organizations have moved from the journey of operational risk to operational resiliency,” said Sandeep Dani, RMA Toronto vice president. Dani said the recovery of critical operations “requires an integrated approach across several risk programs. Now it is about our stakeholders and customers, about our business.” Resiliency, he said, emanates from “several external factors in addition to being internally facing,” which requires mapping all external and internal interdependencies.

Tamblyn noted that operational risk management has traditionally focused on preventing and detecting risk events. “Resiliency requires that same discipline,” he said, “but it also recognizes that the unexpected will happen.”

The paper notes the importance of senior management and the board establishing a tone from the top on this effort, and that the approach will have to be adapted as the organization learns from events and its performance in managing them.

“A Risk Management function cannot build resilience frameworks alone,” said RMA Toronto President and Equitable Bank Chief Risk Officer Marlene Lenarduzzi. A resiliency mindset “should permeate across the organization [and] across all three lines of defense.” Lenarduzzi said there should be an appreciation for not only the process of “how you identify and manage risks, but preparedness for the unexpected.”

“Black Swan events can occur,” she said. But banks can build capabilities to “survive despite unexpected events and function effectively.”

The chapter members noted the role of advanced technology including artificial intelligence in both jeopardizing resiliency and promoting it. Lenarduzzi said AI is also amplifying fraud, money laundering, and other risks but can help build resiliency if used effectively. Dani added, “AI helps us be more effective. The world out there is changing every day. In the absence of technology, it’s humanly impossible for us to be on top of the evolving risk landscape and assess the impact of these changes on our business. Technology helps us reduce the time to address and respond to an incident” and be more effective, he said.

To start on a resiliency journey, banks define and map what is critical—services that, if interrupted, would jeopardize customer trust, safety, or financial stability.

“That’s what the Canadian regulators are focused on now,” Tamblyn said. “Once you’ve done that, you can look across the organization, identify where they’re mapped, and begin setting tolerances for disruption.” Tolerance levels can be arrived at by identifying how outages or other events would affect particular areas or services, he said, and how that would “impact your critical service delivery to clients.”

“Is it OK for that [disruption] to occur for one hour or two hours?” he said. “Or two days? You need a methodology based on the client’s perspective to define your critical services and the operations that support them.”

Another key step is gaming out how the organization would react to specific scenarios, whether that means natural disasters like floods or technology events like cyberattacks.

It takes more than crisis management and disaster recovery plans and policies—although they are important as well, Lenarduzzi said. If an outage occurs, she said, “What are you going to do? Are you going to execute a failover to your redundant system? If you do have a redundant system, test that it actually worked properly. Playing it out live helps to shape how you would react.”

“It’s thinking right down to ‘are our clients going to be able to access their money,’” Tamblyn said. “Are they going to be able to see their accounts? Are branch locations going to be open? We are constantly going through those exercises.”

In all likelihood, an emergency will unfold differently than the way it was practiced, Lenarduzzi said. “But building muscle memory through scenarios, having practiced a coordinated approach means that when the crisis happens, teams can react more quickly,” she said.

That’s when being resilient can provide opportunity as well as a solid backup. When an organization knows exactly what steps to take, responding quickly and cohesively, that could translate to “faster system recovery than your competitors,” Lenarduzzi said. “You can show your customers—and perhaps future customers—the bank is well managed and organized to handle expected events,” she said, while competitors “might be struggling to figure out their playbook.”

“Reputational risk associated with being the bank that’s in the headlines for not having managed things well is detrimental,” Tamblyn said. “If your bank is the one that can’t service their clients or is experiencing more severe or frequent attacks, that … is going to impair your ability to deliver on your business strategy or even run your business.”

When considering brand or reputation, Dani added, how the performance of a financial institution in crisis resonates in the market “can be very, very real.”

Customer service and experience is critical. Organizations risk losing critical customers if they do not get the required level of services, he said. “These are not hypothetical impacts. These are impacts that we are seeing on the ground. The customer tolerance to poor service is low. Hence, operational resiliency becomes so important especially from a customer retention perspective.”

By Frank Devlin
