Given how fluid the on-going challenge of containing Covid-19 is at present globally, this article will explore how risk professionals are currently managing the unprecedented threat that Covid-19 is having on risk management across the industry.
The impact that Covid-19 has already had on the supply chains, operational controls, credit, contingency planning, and stress-testing, whilst meeting customer expectations has unsurprisingly put enormous pressure on risk managers. Trying to effectively deal with new emerging threats, volatile markets, and to remain resilient in a turbulent and unfolding situation that continues to change week by week, is extremely challenging. In this new era of risk, many questions need to be addressed, for example, how ready can risk management be for black swan events such as pandemics? How can we practically move forward whilst mitigating potential risk factors and ultimately returning to profitability?
Covid-19 and the markets
As markets are more connected than ever before, more concerns for credit and market risk across the industry have arisen. In recent years, these more traditional risks were deemed more controllable and less of a threat than new emerging risks such as cyber or AI, which have taken centre stage at the top of many CROs’ agendas for the last few years. However, since the start of this pandemic, credit and market risks have been brought back to the forefront of concern for risk managers due to great uncertainty and extremely volatile market changes.
The interest rate plummeting even further down to zero is not making this situation any easier. Operating at this rate is very difficult and the need to find alternate sources of income is key, along with the re-assessment of the balance sheet to ensure it is the right sensitivity. In addition to this, liquidity risk is a big topic of conversation at present. We have seen a huge response across the industry for a non-economic issue, in which there is now new information that we need to consider. The pandemic has been a clear example of how liquidity will be your first domino to fall and how you need to ensure what your commitment of liquid assets are and what is promised to investors. In trying to measure liquidity for example, is the market using the same providers? What are your best assessments of liquidity risk and how long does it take you to make liquidity presumptions? Do you wait for more clarity first or for added security, do you classify now?
With poor indicators and severe economic disruption caused by the Covid-19 pandemic, how do we take this into consideration and gage whether this is something that will a short or long-term event? With the possibility of a second wave now a concerning reality and with the economic impact being so severe, how do we truly understand what’s recoverable and what is not?
Covid-19 and operational resilience
In addition to the severe impact that Covid-19 has had on the economy, the industry’s operational resilience strategies and processes have been put under an enormous amount of strain. As a result, the fear of an operational breakdown is one of the top concerns for risk managers during this pandemic.
The tragedy of 9/11, superstorm travel restrictions, and other unforeseen events in past years has meant that updating contingency plans has always been high on the risk agenda. The industry went through several operational exercises following the SARS epidemic but the enormity of the fallout from Covid-19 has caused a great deal of concern. As a result, there is now a greater attempt to understand and deal with unforeseen circumstances from an operational standpoint.
Business disruption has the potential to ground the financial services industry to a halt with supply chains becoming very fragmented, along with an increased dependence on third, fourth, and fifth parties in firms’ operational controls. As a result, we are seeing concentration risk that builds up. Risk managers need to ensure that all their operational exercises have the necessary risk controls in place, looking closely at the process in detail – we need discipline. Risk managers need to poke holes in these processes to identify where enhancements can be made, whilst ensuring all documentation is up to date. As we have seen in many high-profile cases, errors can happen, and you might have assumptions that are no longer valid.
Risk managers are also facing a unique situation in managing operational risk with employees working out of the office, from home, posing several risks. These include:
- Threat of cyber risk through unsecure Wi-Fi networks
- Performance issues such as IT system glitches
- Employee conduct such as trade surveillance and market abuse
- Meeting customer expectations
From a reputational risk standpoint, investors will be paying close attention to the management of businesses’ continuity performance and resilience during this unprecedented time. There is no doubt, an increased level of fear in operational disruption or gaps in delivery of services heightened scrutiny and potential reputational damage following these failures. Staying on top of expectations of output and controls, including data protection, sustainability, customer protection/expectation, employee compliance, ethical operations and organisational culture, is putting a continued amount of pressure on risk managers today.
Covid-19 and cyber risk
The link between pandemic disruption and increased bad actor activity has not gone unnoticed. The reported cyber-attacks on hospitals put the financial services industry on full alert for similar potential breaches. As such, risk professionals are closely monitoring vulnerabilities in their systems, so once again, cyber risk is a top concern that risk managers are facing today.
Prior to Covid-19, cyber was not as high a priority as it was two years ago. However, since the pandemic, a re-assessment of cyber risk is needed because hackers are becoming more sophisticated than ever before. The biggest problem with cyber security is that so much of it is uncontrollable. For example, a lot of breaches happen as a result of human error, so the new patterns of systemic cyber risk, ransomware, and phishing attacks in different jurisdictions should be cause for concern for risk managers.
Financial crime experts are also seeing an increased number of online fraud activity with many Covid-19 scams arising. Criminals hacking into systems and accessing personal identifiable information, taking over accounts, and withdrawing money are very big causes for concern for customer vulnerability at present. This is not entirely unexpected, but analysis post Covid-19 will be able to assess the real impact this has had across the industry. Collaboration in the industry is key right now – CROs, CCOs, CTOs and MLRO’s must share their expertise with each other to find out how they can better monitor and manage customer vulnerability during this pandemic.
Whilst the pandemic has highlighted many concerns that were already being looked at in monitoring cyber risk management, it has pushed certain projects further into the limelight. Questions around what industry practice can do to mitigate this risk, what training and new service systems should risk managers be looking at, and what could the whole industry do are frequently being asked. Risk managers are also keen to hear how other banks are dealing with cyber risk, both on the 1st and 2nd lines of defence, accountability, and looking between these lines.
Covid-19 and digital transformation
Digital transformation projects across risk have been high on the CROs’ and CTOs’ agenda for quite some time because of the exponential speed of tech evolution.
Banks are feeling the pressure to innovate. They are being encouraged to look at credit risk in a different way, along with tackling AML/fraud, improving user experience, and are being advised that automation is the only way forward. However, there are many uncertainties around such big transformation projects in moving away from legacy systems. For example, how will this work in real time? Current legacy systems in place where banks are working in silo are deemed unsustainable and the real winners will be those who can break through and innovate. There are many shaky conversations that have come into play once again on traditional banking vs challenger banks and Fintechs. However, Fintech collaboration remains a key area of discussion for the industry and it will be very interesting to see how those who embraced the Fintech revolution fare during this pandemic versus those who are still using legacy systems.
Fintech development is a topical discussion for risk managers in exploring open banking, digital enablers, cloud computing, crypto currencies and more, whilst weighing up potential risk factors. There are many questions around best practices, exemption, and new regulations on digital transformation projects that need to be addressed. For example, how can we manage risk for ML and AI and how are we addressing this? Similarly, what risks are associated with using outdated legacy systems? This is still an evolving discussion among the financial services industry and regulators alike. New technology, automation, robotics, and AI in operations, systems, and controls don’t work perfectly yet. It’s still a trial and error stage for many organisations because the technology hasn’t delivered as expected.
It has been argued that many banks are simply not doing enough and the fear that digital transformation projects will further be put on hold as the industry tries to navigate their way through this crisis is causing concern. Keeping abreast with technology remains a big challenge for the industry but the pressing need to innovate in speeding up processes, improving accuracy, tackling crime, data breaches, protecting customers, cutting costs and mitigating risk is essential to moving forward.
With many questions still unanswered around Covid-19 and resilience in the industry, we need to better understand what the crisis has taught us already. How can we prepare for the future? How can we get back to business as usual? What is the new normal?