Reporting and Governance

With a second wave of Covid-19 sweeping through the UK, the operational resilience of banks and their suppliers is once again under the spotlight, with many of their staff again having to work remotely.

By Heather Adams, managing director at Accenture’s UK risk practice

Despite the unprecedented scale and scope of the Covid-19 shock to financial services, there is a consensus among regulators, central banks and policy-makers that the sector has responded well to the coronavirus crisis.

But, while financial markets have remained orderly and customers continue to access financial products and services during the pandemic, the sector cannot let its guard down. 

Up until now, financial firms have weathered the pandemic well thanks to their existing global operations, established processes, and extensive use of technology. Recent investment in business continuity planning has aided banks’ ability to respond to customers’ changing circumstances. Even in areas where “physical” processes dominate, such as trade compliance, banks have been able to replace physical controls on the trading floors with surveillance technologies. 

But ensuring operational resilience extends beyond business continuity and disaster recovery. It requires an enhanced awareness of and an adaptability to the evolving risk landscape – one that has shifted with the pandemic, challenging regulators’ and firms’ assessment of risk as well as commonly-held business continuity assumptions. 

People risks

Covid-19 has served as a timely reminder of the continuing need to identify and manage people-related risks. The new focus on people risks was given added impetus in March with the publication of the UK government’s list of key workers which included financial services. The Financial Conduct Authority (FCA) subsequently published guidance covering a wide range of business operations falling within the key worker definition. This recognises the essential role financial services play in the wider economy – and heightens the regulatory focus on people risks. 

Many of the key worker functions are now subject to prolonged, if not permanent, home working, which presents myriad challenges to resilience, conduct, data protection and professional indemnity.

One example is the heightened interplay between people and cyber risks. The number of phishing attempts has risen by a staggering 260% since the UK’s lockdown started in March. The aim of attackers is to get hold of personal credentials and side-step firms’ cyber protocols. This shift in cyber attacks towards indirect channels risks making people the weak link in spite of the industry’s technology investment in cybersecurity. 

Cyber vulnerability is just one of many channels through which people risks could manifest. Challenges from the reassignment of the workforce across different products, processes and roles, or heightened internal fraud risks from declining employee morale, all threaten to undermine resilience both during Covid-19 and as it eventually recedes.

Third-party risks

The evolving relationship firms have with third parties is another area to come under the spotlight. In many cases, third-party partners have enabled firms, particularly smaller, local ones, to adapt quickly, lending a helping hand with cloud services or their own global footprint. These warrant an updated view of risk assessments and regulatory assumptions. 

For example, the focus on concentration risk traditionally has been through the lens of technology dependency on third-party suppliers, in particular cloud providers. During Covid-19, however, cloud operations have thus far proved to be scalable at pace and secure. 

This calls for a more balanced assessment of the cloud’s promises and perils: while a continued focus on concentration risk is key to competition promotion and financial stability, broadening the security benefits of the cloud and promoting its agile scalability will be key to consumer welfare and market integrity. 

At the same time, Covid-19 has highlighted the extent to which financial services firms depend on offshoring operations in the provision of critical products and services. Concentration risks can emerge through the clustering of offshoring in certain geographies. This calls upon firms to incorporate operational resilience considerations alongside traditional factors (e.g. cost, talent access, business environment) in their global locational strategy. 

Enhancing the monitoring of risk over third-party jurisdictions will be key – this calls for a more nuanced understanding of hub locations’ vulnerability, a robust contractual framework, as well as continued assurance over the effectiveness and transferability of firms’ controls.

Proactive resilience

Operational resilience traditionally looks at technology failures and cyber resilience. The pandemic has highlighted the need to place technology risks and people risks on a more even keel.  

This requires the regulator and firms to recalibrate their scenarios to place more emphasis on human factors, as well as the closer monitoring of offshoring and third-party suppliers.  

As new ways of working, living and consuming cast a new contour for financial services, the resilience agenda should be a catalyst to building the organisational DNA of adapting to changes and thriving in the new norm. Covid-19 reinforces the strategic intent of operational resilience. Embedding proactive resilience as a board culture lies at the heart of making that a much-needed reality. 

A Speakers’ Corner is an area where open-air public speaking, debate and discussion are allowed. The original and most noted is in the north-east of Hyde Park in London 
