A peek inside op risk managers’ coronavirus response

Op risk managers steel their firms for looming pandemic amid an expected rise in cyber attacks

Coronavirus

Op risk managers steel their firms for looming pandemic amid an expected rise in cyber attacks

It’s the beginning of March, and you’re sitting in a stuffy conference room listening to a torrent of employee complaints. Your bank’s infectious diseases advisory committee, made up of senior representatives of different business lines, is meeting for the third time in less than a week as the coronavirus continues to spread at an alarming rate.

People on the trading floor aren’t happy, they report: recent travel restrictions are preventing relationship managers from visiting their clients. Others want to further limit travel, even between office locations in the same city, to make sure an outbreak can be isolated if it does occur. Staff in countries with school closures are demanding to work from home.

Welcome to a day in the life of operational risk managers trying to contain the risks of a coronavirus epidemic.

Given its relatively low mortality rate, the real danger of the coronavirus lies in how easily it spreads: the average infected person passes the disease to 2.6 other people. That means keeping the spread of the virus between staff to a minimum is banks’ prime focus.

“The worst-case is if it spreads to the point of infecting a substantial number of staff to the point that we cannot continue normal operations,” says the head of operational risk at one global bank. 

Many banks have put in place flexible working options to ensure critical staff can work from home and have the necessary systems and access at their disposal to do so. And op risk managers are making sure key people know what to do if there is a coronavirus outbreak at one of the bank’s offices, or if they themselves catch the virus. One op risk chief recalls that during one previous business continuity management exercise, he ‘died’ early on, to determine what the impact would be on the chain of command.

Prevention is also a key part of preparations – and that goes beyond simply placing hand sanitisers around the office. The head of op risk at a second bank says the upcoming meeting of the bank’s board, which is scheduled to take place at a hotel in London, is being heavily scrutinised and will either be cancelled or carried out from multiple locations via video conference.

“There can’t be more than two people per hotel,” he says.You can’t have a situation where you know there is an infection in the hotel, that hotel is quarantined and the whole executive committee is there and the company is incapable of being managed or making a decision.”

Then, there are the second-order risks. Cyber criminals may take the opportunity to increase distributed denial of service attacks on certain banks’ websites and send out phishing emails. Depleted staff at call centres increases the risk of account fraud if criminals take their chance when the chaos is at its peak.

Some are dusting off old playbooks. Industry veterans point to a pandemic preparation exercise carried out by the Financial Services Authority, the Bank of England and the UK Treasury in 2006 as one reason why the financial industry may be better prepared for the coronavirus than other sectors.

The head of operational risk at a European bank says his team appropriated an action plan from an extreme weather event to reflect the potential impact the virus could have on the functioning of the firm and the wider banking system. “The foundation of that planning could be used for the basic initial planning now if the virus gets more intense,” he says.

Amid the measures taken by banks and reporting of coronavirus cases in the media, operational risk managers have had to counter the other extreme of the coronavirus outbreak – mass paranoia. The human resources department at one bank had to send an email to all employees to quash rumours a senior employee who had been skiing in France had come into contact with a carrier of the disease. Another case saw an employee staying at home after a major operation to recover, only for a rumour to spread that the employee was self-isolating because they had the virus.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here