Covid-19 prompting “institutional rethink” on operational resilience, report finds

Three US regulators have issued a list of “sound practices” banks should follow in operational resilience – as a new report from Norton Rose Fulbright suggests a drastic shift in preparedness for shocks over the course of the covid-19 pandemic.

The US Federal Reserve, Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation issued a paper and explanatory note on operational resilience (OR) on 30 October.

They note the “wide range of disruptive events” banks have experienced in recent years, “including technology-related failures, cyber incidents, pandemics, and natural disasters”. The regulators add that banks’ increasing reliance on third-party service providers has also exposed them to operational risks.

The recommendations apply to banks with more than US$250 billion in total consolidated assets or more than US$100 billion in total assets and other risk characteristics. The regulators emphasised that the paper only brings together existing regulations and guidance, rather than introducing new measures.

The paper recommends 42 sound practices across seven areas – governance, operational risk management, business continuity management, third-party risk management, scenario analysis, information system management, and surveillance and reporting.

It also includes a dedicated appendix for cybersecurity sound practices, which the regulators said was necessary given the “significance and technical nature of cybersecurity risk”.

A 21 October report prepared by Norton Rose Fulbright, which surveyed senior executives and risk and compliance professionals from more than 50 international financial institutions, uncovered evidence of a drastic shift in financial institutions’ operational resilience preparedness in the wake of the covid-19 pandemic.

While only one quarter of the survey respondents felt their institutions had comprehensive risk frameworks in place at the start of the year, 80% said they had enhanced their governance and oversight during the pandemic and 70% expected an increase in their operational resilience budgets next year.

Respondents said that early in the pandemic they had experienced challenges with supervision and oversight, managing external stakeholders and third parties, IT connectivity and business travel disruptions. They said their main issues had been technology-related, and that the pandemic had underscored the need to “future-proof” their IT strategy.

They also said they expected greater regulatory scrutiny on their controls and risk management frameworks, technology and management information, accountability regimes, and financial crime risks.

The report noted that, while “none of these should come as a surprise” in the wake of a pandemic where each area had come under pressure, regulators’ increased focus on individual accountability in many jurisdictions meant they would be readier to identify which senior individuals in an organisation were responsible for failures.

Respondents also backed the move towards remote working triggered by the pandemic, but said that, while early adopters of the trend before the pandemic had been “un-phased”, others had needed to invest significant time, money and resources to make the transition.

“The current pandemic has meant that firms’ contingency plans are being tested in real time,” said Norton Rose Fulbright’s global head of financial services Jonathan Herbst. “It has incidentally prompted firms around the world to begin mapping, testing and strengthening their operational resilience frameworks, often in advance of the new or revised rules coming into force.”

“Those firms who have generally responded well in this crisis will find that the initial groundwork for operational resilience has been laid,” he added.

Lisa Lee Lewis, head of advisory in the firm’s risk consulting practice, said the pandemic had prompted an “institutional rethink” on operational resilience.

“The question financial institutions need to ask themselves is: can the institution absorb operational shocks when they do occur, while continuing to provide the same level of services to its customers and relevant markets? Financial institutions will continually need to test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios,” she said.
