IOR England & Wales Chapter – perspective from IOR/ Operational Risk
Dr Jimi Hinchliffe, Chair
Covid–19 has had a truly global impact, highlighting the interconnectedness of the modern world. It has caused both supply-side and demand-side shocks. The supply side may recover relatively quickly, but demand may take time to recover as big increases in unemployment, business failures, and a general loss of consumer and business confidence will suppress demand for the foreseeable future. A longer-term consequence of the Covid–19 crisis may be increased fragmentation of the global economy as countries become more inward looking and seek to build increased self-sufficiency. Increased fragmentation may impair the recovery from the economic damage caused by the Covid–19 crisis.
The impacts of the Covid–19 crisis on organisations are both direct (e.g. closure of premises, loss of staff capacity, home working etc.) and indirect (on customers, suppliers and vendors). With social distancing measures set to remain for some time, firms will have to adjust to a ‘new normal’. Until such time, firms will have to continue operating with a significant proportion of their staff working from home and manage heightened operational risk (including cyber, information security and conduct related risks). When staff do return to the office, firms will need to find new ways of working that are consistent with social distancing requirements and may be faced with staff who are reluctant to return to work. There will need to be more collaboration, robust governance and careful management of concentration risks (including in third party suppliers). Maintaining operational continuity of important business services will be critical and firms will need to ensure they have ‘Plan Bs’ in place where the usual methods of delivery are not possible.
Operational risk managers broadly considered the impact of a pandemic in modern times and the anticipated extent of the required cross-border and national government response.
Many firms did consider pandemic scenarios and as such this is certainly not a Black Swan event as some have suggested. However, it’s clear that many firms considered the likelihood of a pandemic to be remote and did not anticipate the scale of impacts we’ve seen in many countries driven by an extraordinary policy response to Covid–19 (e.g. shutting down entire economies and lockdowns). The retail banks also could not have anticipated being required by governments to develop and deliver emergency loans to millions of businesses temporarily closed by the Covid–19 response, which exacerbated existing operational challenges of delivering core banking services with reduced staff capacity. However, whilst it would have been difficult to anticipate or predict the nature and scale of the Covid–19 crisis, and the government responses, these ‘radical uncertainties’, as Mervyn Lewis and John Kay describe them in their recent book “Radical Uncertainties”, are inevitable and firms must ensure they are resilient to them. The trend of the last decade to remove redundancy and eliminate spare capacity on grounds of improving efficiency has made organisations more vulnerable and fragile to Covid–19-like shocks. Boards and senior management, in partnership with Operational Risk functions, have a key role to play in improving operational resilience so that in future organisations can better withstand and absorb similar shocks.
As was indicated in the recent IRM survey on the Covid–19 response:
https://www.theirm.org/news/irm-survey-risk-management-response-to-the-pandemic/
Although firms could have done better in considering and preparing for pandemic scenarios (1/3 of respondents didn’t consider pandemics or anything similar as relevant to their organisation, and 1/5 of those who did consider a pandemic didn’t do anything about it), many firms, based on the survey, seem to have coped by using BCM plans and home working contingencies. Most firms in the survey established crisis management teams with Operational Risk Managers playing a key role. However, it remains to be seen whether we will see a spike in operational risk incidents due to the crisis, as intense pressure on firms’ systems, processes and people, coupled with less effective controls, including in relation to home working, increases the likelihood and potential impact of failures (including those due to weakened detective controls).
Operational resilience was already a hot topic before the Covid–19 crisis and will dominate in operational risk for the foreseeable future. The UK regulators published proposals in December 2019 (following a Discussion Paper in 2018) which will have the effect of elevating operational resilience alongside financial resilience. This is not only a priority for regulators in the UK, but under the auspices of the Operational Resilience Working Group at the BCBS, will be a global regulatory priority. Delivering regulatory requirements and expected outcomes on operational resilience will require a partnership between operational risk functions and risk owners and should leverage existing frameworks and tools of operational risk management (rather than creating duplicative new frameworks and repeating the mistakes made by many firms in the UK on conduct ‘risk’ following the Global Financial Crisis). Covid–19 is causing impacts across the spectrum of risks, including operational, market and credit risk. A key learning from the GFC and Covid–19 is the importance of having a sound understanding of risk that is not siloed but holistic and integrated across all risk types. Operational Risk increasingly performs an umbrella role for Non-Financial Risk (NFR) by bringing together numerous risk silos, including regulatory compliance, people risk, financial crime, fraud, cyber and vendor risk management under an integrated and consistent risk framework with common language and tools. ERM in turn brings financial and NFR together under one risk umbrella under the oversight of the CRO. The IRM’s professional training courses in ERM are an ideal way to gain the necessary skills and knowledge that can then be applied in practice. The Institute of Operational Risk Certificate in Operational Risk Management (CORM) also provides an excellent foundation in operational risk management.