Over the past ten years, consumer banking behaviours have significantly changed. Today, the majority of customers engage banks via digital channels. The change has pushed the resilience of digital-led services under the microscope.

During this transformational shift, multiple high-profile incidents have transpired, often linked to digital services, bringing scrutiny on the operational risk function. The media has ensured that customer impact is front-page news while highlighting banks' struggle to execute recovery plans effectively.

Shifting the organisational mindset

The well-worn cliché “prevention is better than cure” is as true now as ever. Focusing on understanding the root cause of a risk and maximising preventive and early detective controls is critical. This has quite rightly remained a focus of good risk management. However, even good risk management can only achieve reasonable assurance that major incidents can be avoided; there is no guarantee.

The new approach requires a shift in organisational mindset. Firms need to start from a position of “assuming failure” and demonstrate how quickly recovery plans can be executed for critical services under extreme stress including defining impact tolerances for such events.

Adding vigour to existing risk processes?

While risk appetite focuses management attention on managing the likelihood of operational risks occurring, impact tolerances seek to increase management focus on operational resilience before operational risks have crystallised.

An opportunity may exist for risk functions to introduce impact tolerances to the traditional risk-evaluation matrix. This integration could also enhance the Risk Control Self-Assessment (RCSA) process, which is under pressure to be more efficient and informative. Linking the two methodologies could drive board engagement and assist the risk function’s engagement with the business.

Navigating the critical path

Effectively delivering resilience outcomes will require skilled collaboration. This presents an opportunity for the risk function to demonstrate depth of existing knowledge gained from historical scenario analysis and oversight of incident management. We must also consider and prepare for some of the key challenges when implementing:

Access denied(!): Detailing process flows in any firm, especially large and complex firms, is difficult. Validating process design can require multiple iterations, and the exercise may be frustrated by components of the process that are not under the firm's direct control (e.g. cloud data services).

Visualisation is essential: Boards and senior management will require an integrated view of resilience outputs (e.g. impact tolerances). Dashboards should be able to connect impact tolerances and scenarios to the risk appetite statement and other risk components, such as KRIs.

Beware of bias: The Financial Conduct Authority (FCA) has said that firms may be guilty of “ostrich bias”, ignoring dangerous or negative information associated with incidents. Firms must be prepared to challenge the various biases which scenario setting can contain.

We live in a world of increasing uncertainty on a global scale, whether from extreme weather events, global pandemics or a targeted cyberattack. Due to globalisation and changes in customer behaviour, the impact of these events on organisations is ever increasing. Operational resilience is therefore becoming a key component of enterprise risk management, the “cure” when prevention fails.
