Thriving in the new resilience normal

While the Covid-19 pandemic may be largely behind us, new challenges emerge as firms renavigate and optimise operations in the ‘new normal’. Today the focus has shifted to making operational resilience scalable and sustainable. In a Risk.net panel session convened in collaboration with Fusion Risk Management, risk leaders discussed the growing need to move from being reactive to proactive

Like most people, operational risk managers will be glad to see the back of Covid-19. But, unlike most, their concerns show few signs of easing. The pandemic paved the way for several new sources of operational risks – world conflict, opportunistic cyber attacks, creative money laundering and increased possibilities for internal fraud – and they’re not going away, even as the world slowly gets back to normal.

So how has the pandemic changed the future of operational risk? How will it change the distribution of risk going forward, and how can one prepare for what lies ahead?

Industry experts believe this is a new era of true operational resilience. “Resilience is now everyone’s problem – now it is about businesses thriving. We are not just bouncing back, we have moved the dial,” says Rich Cooper, global head of financial service go-to-market at Fusion.

“This is about businesses being able to proactively mitigate those risks and move forward. There’s a risk with trading from home, but there’s also a benefit, and there’s a way that you can continue your business and be resilient,” he adds.

Flourishing in a new era

Risk and resilience forms the nerve centre of the modern enterprise. Today, preventative proactive resilience means:

• Getting ahead of issues before they happen, teams understanding the impact of change before it happens
• Continuous learning, improvement and prevention woven into the daily cadence of operations
• True operational ‘single pane of glass’ – insights delivered where teams live and work.

As the financial services community refines its operating model, there is increased focus on third-party risk management and supply chain. With the acceleration of technology and the increased use of fintech solutions, “firms are now more vulnerable than before. Mapping important business services via an operational resilience programme highlights a complex ecosystem of not just dipping inside and outside of your firm, but also inside and outside of your jurisdiction. Working through with these partners and this ecosystem is now something we’re really trying to get to the bottom of and looking at all of that data and seeing concentration risk,” says Cooper.

In addition, experts say, as the adoption of digital capabilities has accelerated, the world has made more progress in the past two years than would have been made in the previous 10 to 15 years.

However, one of the aspects to bear in mind during this rapid change the world is undergoing is the control environment and the fact it needs to keep up with the changes.

Control frameworks

Firms need to monitor, review and continue evolving the control frameworks. Even though firms may have changed the control framework to flex with the change in the environment, experts don’t yet know entirely whether the controls being put forward are the most effective.

As firms shift the control frameworks, they learn which ones work, which ones don’t and what is sustainable.

Cooper says it is still a minefield. “We were definitely taking more risks when we moved to allow staff to work from home and invite fintech and third parties into our ecosystem. So it’s always going to be a challenge, no-one is ever going to be 100% resilient. However, we can’t stand still; technology is advancing so fast we need to realise this is not a project, it’s an ongoing cultural programme we’re trying to build. We’re never going to be finished – there are more risks emerging every single day.”

So how long will supervisors remain comfortable with the level of flexibility exhibited during the pandemic with regard to control environment, and how do they foresee the impact on risk acceptance?

One expert says: “It really comes down to risk mitigation, so it’s a new operating model. I don’t think our risk appetite has changed, but the inherent risk has changed because now people are operating in a different way to what they were doing in the past.

“So, now, what capabilities and controls we need to keep our residual risk at the same level is important. That obviously means we have to have different mitigating controls, compensating controls to be able to manage that residual risk. I don’t think we are going back to the old days of everybody being in the office all day every day, so we’re going to have to figure out what those additional control capabilities are to be able to mitigate the additional risk they pose.”

Decentralised workplaces also introduce new risks. Cooper says: “One of the problems with a decentralised workforce and a very high turnover is where my risk is situated. Before, if you had a call centre in Houston and there’s a hurricane coming in, you could manage that risk and know where your people were. Now, you have people spread not only all over the country, but also moving abroad.”

He adds that they [Fusion?] are witnessing firms putting a stop to that because of the internet protocol (IP). “They’re following IP addresses and making sure that people are in-country when they’re doing things and that they are in jurisdiction for various things, but it is a challenge to even understand that risk but, when you can, you can start putting those controls in place to mitigate it. This is a good example of getting in front of a risk before it impacts you.”

Making resilience simple yet effective entails:

Faster time-to-value – turnkey solutions for common use cases to get technology in your hands quicker and with less implementation effort

Role-based personalisation – meeting the needs of varied perspectives, from the front line to the boardroom

Connected experiences – to bring your integrated data to life in new ways: moving from system of record to system of action.

Embedding for the future

Cooper says resilience needs to be embedded into company culture. “One of the things we’re seeing in the market is a greater increase in trying to look at key performance results and key performance indicators that are out there in the organisation. To try to start gathering information that is truly first-line information about trading parameters, degradation of service or latency of a system, but also performance of the people that are doing this, performance of vendors and tickets being fixed and trying to catch things before they impact the organisation.”

He adds that there are lines of information that can provide insights. Being able to harvest some of that data to inform decisions and to try to stop something that’s going to eventually impact business before it does is a better way to monitor and respond.

Overall, risk leaders say it’s going to be a journey over the next couple of years to move into the new operating environment.

To keep up with the new normal, firms need to adopt risk intelligence, which means proactively mitigating risks by leveraging real-time data to continuously monitor the vendor ecosystem and analyse trends, with an overlay of geopolitical external data to mitigate issues before they happen. Build an informed perspective by cutting through the noise and surface actionable insights with dynamic dashboards, visualisations and real-time data. And, finally, making data-driven decisions by saving time and focusing on what’s critical, and making data-backed decisions by automating manual process and integrating reliable, quantitative insights.

Sponsored content