Business continuity plans and risk management play a crucial role in any financial services company’s objective of achieving operational resilience. The disruption caused by the coronavirus pandemic has made this even more important – Geordie Clarke, Riskonnect, explores how financial institutions have reacted this year.
Risk is familiar territory in financial services. Loan books, insurance underwriting, and investment portfolios all require careful financial risk management. Along with this, banks and financial services companies face a litany of operational risks that have the potential to threaten business continuity and, in the event of an unforeseen crisis, result in insolvency.
Corporate leaders are navigating a world that is changing at a brisk pace, bringing with it increased automation, shifting consumer behaviour, and tighter regulations. On top of this, concerns around climate change and geopolitics are ever-present. While most companies have disaster recovery plans in place, the disruption brought on by the coronavirus pandemic is putting their operational resilience to the test.
“Threats to organisations come in many forms, from unforeseen pandemics to sophisticated cyberattacks,” says Alan Calder, founder and executive chairman of GRCI Group. “Strong operational resilience accepts there is a risk that any attack or threat to your business could be successful, no matter how well prepared your defences are.”
Those threats have widened as a result of technological innovation in a more digitally connected world, says Jason Edelboim, chief operating officer at Dataminr. He says this creates a greater number of opportunities and challenges for business continuity teams.
“More than ever, it’s important for risk management and business continuity to work in tandem, united under one integrated, holistic framework that takes into consideration multiple decision-makers across an enterprise and co-ordinates processes and roles to produce a unified, agile system and approach,” he says.
To their credit, financial services companies know a thing or two about volatility. While the global financial crisis took place more than a decade ago, its memory is unlikely to fade. During that 18-month period in 2007 and 2008, global economic growth plummeted by 1.9 per cent, then the biggest contraction in the modern era. Industrial activity and trade dried up, while unemployment levels skyrocketed.
Strong operational resilience accepts there is a risk that any attack or threat to your business could be successful.
Some companies managed to survive that challenging period, but others struggled. According to research by McKinsey & Company, some companies proved to have a greater degree of resilience than others, and this allowed them to ride out the turbulence and deliver above-average growth to shareholders.
For David Poole, chief executive of Emergence Partners, risk management needs to be agile and adaptive so the teams responsible for guiding the business through a crisis are able to adapt to new circumstances.
“Indeed, the key to effective risk management is being agile and adaptable as new risks and situations emerge,” he says.
Mitchee Chung, partner and European director at Mercer Sentinel Group, says business continuity plans are a critical part of a company’s approach to risk management.
“Effective planning requires a firm to undergo a thorough self-analysis of how it operates to identify what systems, functions and roles are critical on an immediate, short and medium-term basis in the event of a business disruption,” she says.
Crucially, companies need to strike a balance between the differing objectives of risk management and business continuity teams, and instead bring them into a collaboration, says Simon Bittlestone, chief executive of Metapraxis.
“The secret to a good response to a crisis is strong and continuous communication between these teams, but also with the finance function that is ultimately responsible for managing one of the largest risks organisations face: financial insolvency,” he says. “While it is often hard to predict crises, they can be mitigated and organisations can be ready to act.”
Although some may insist the Covid-19 outbreak was predictable, it’s fair to say that few businesses could have been fully prepared for the way it unfolded. Nevertheless, those with effective and flexible risk management and business continuity plans may emerge from the health and economic crisis in a stronger position than those that buried their heads in the sand.
The digital pardox
The coronavirus pandemic has forced companies and employees to change the way they operate and embrace remote working. Digital tools such as video conferencing and cloud computing are critical for making this possible, but they also bring with them their vulnerabilities. Here, experts discuss what companies need to do to prevent their systems from being compromised.
What have we learnt about business continuity from the coronavirus pandemic?
Mitchee Chung, partner and European director of Mercer Sentinel Group: “Covid-19 clearly stressed investment managers in a way not previously experienced. Typical arrangements such as having critical staff work from a secondary location from the primary office were not feasible. Firms needed to adapt plans quickly and those that had weak or no plans in place were caught out, facing a scramble to put in place measures to continue operating. Those that had a strong plan in place were able to focus on adapting existing practices, giving their staff much needed capacity to prioritise strategies around market volatility, investor demands and managing a remote workforce. We think the best plans are ones that are the result of collaboration across IT, business functions and risk management, with clear, accountable owners and oversight from a board-level committee.”
How are banks and financial services companies addressing vulnerabilities?
Mark Hepsworth, chief executive of Asset Control: “In the past, financial services companies were cautious when it came to using cloud computing and open source technology. But around 18 months ago, a corner was turned and organisations are now embracing these because they offer significant costsavings and productivity gains. As a result, we’re also seeing a lot of focus around cyber security; it’s one of the largest areas of focus of security for financial services at the moment.”
What are some of the techniques companies use to protect themselves?
Jason Edelboim, chief operating officer at Dataminr: “We are seeing an increasing number of modern financial services firms implement risk detection technologies, such as our real-time alerts, and placing it directly in the hands of the people responsible for evaluating and responding to potential threats, allowing them to quickly assign ownership of risk evaluation to the appropriate stakeholders across the enterprise. Through this framework, all decision-makers receive the same high-quality information as an event unfolds, and can best position themselves to confidently launch a co-ordinated response and be flexible in unpredictable situations.”
Many companies are still grappling with legacy systems and are not as digitally integrated. Does this mean they are less vulnerable to cyber-attacks?
Ed Gouldstone, chief operating officer for northern Europe asset management at Linedata: “Technology and increased digitalisation are seen as the saving grace for effective risk management, leading to widespread adoption. A surge in automation is helping to reduce the margin for human error, though automation should not be the only answer as not all errors are human. This crisis is the ultimate test of how financial institutions manage risk. Those that have adopted these technological solutions, and particularly moved more systems to the cloud, are faring better, while companies still reliant on more manual and fragmented systems may be exposed to a higher degree of risk.”