Over the past ten years, consumer banking behaviours have significantly changed. Today, the majority of customers engage banks via digital channels. The change has pushed the resilience of digital-led services under the microscope.

During this transformational shift, multiple high-profile incidents have occurred, often linked to digital services, bringing scrutiny on the operational risk function. The media has ensured customer impact has been front-page news while highlighting banks’ struggle to manage recovery plans effectively.

Shifting the organisational mindset 

The well-worn cliché “prevention is better than cure” is as true now as ever. Focusing on understanding the root cause of a risk and maximising preventive and early detective controls is critical. This has quite rightly remained a focus of good risk management. However, even good risk management can only achieve reasonable assurance that major incidents can be avoided; there is no guarantee.

The new approach requires a shift in organisational mindset. Firms need to start from a position of “assuming failure” and demonstrate how quickly recovery plans can be executed for critical services under extreme stress, including defining impact tolerances for such events.

Adding vigour to existing risk processes?

While risk appetite focuses management attention on managing the likelihood of operational risks occurring, impact tolerances seek to increase management focus on operational resilience before operational risks have crystallised.

An opportunity may exist for risk functions to introduce impact tolerances to the traditional risk-evaluation matrix. This integration could also enhance the Risk Control Self-Assessment (RCSA) process, which is under pressure to be more efficient and informative. Linking the two methodologies could drive board engagement and assist the risk function’s engagement with the business.



Navigating the critical path

Effectively delivering resilience outcomes will require skilled collaboration. This presents an opportunity for the risk function to demonstrate depth of existing knowledge gained from historical scenario analysis and oversight of incident management. We must also consider and prepare for some of the key challenges when implementing:

Access denied(!): Detailing process flows in any firm, especially large and complex firms, is difficult. Validating process design can require multiple iterations; this exercise may be frustrated by components of the process which are not under direct control (e.g. cloud data services).

Visualisation is essential: Boards and senior management will require an integrated view of resilience outputs (i.e. tolerances). Dashboards should be able to connect impact tolerance and scenarios to the risk appetite statement and other risk components, such as KRIs.

Beware of bias: The Financial Conduct Authority (FCA) has said that firms may be guilty of “ostrich bias”, ignoring dangerous or negative information associated with incidents. Firms must be prepared to challenge the various biases which scenario setting can contain.

We live in a world of increasing uncertainty on a global scale, whether from extreme weather events, global pandemics or a targeted cyberattack. Due to globalisation and change in customer behaviours, the impact from these events on organisations is ever increasing. Operational resilience is therefore becoming a key component of enterprise risk management, the “cure” when prevention fails.
