How coronavirus has impacted operational risk profiles and how firms are responding

  • 30 July 2020

We caught up with one of our researchers, Lauren Kelleher, to learn more about our recent Covid Risk Review report. Lauren worked on the study, which followed weekly meetings with the ORX membership to discuss the impact of the coronavirus (Covid-19) pandemic.

These discussions highlighted just how much operational risk profiles have changed for financial organisations since the start of the pandemic. We asked Lauren to tell us a bit more about the results of the survey and discussions. If you’d rather watch the interview, then it’s available as a video on our YouTube channel.

Lauren, from ORX’s calls with our member firms, how have businesses coped so far with the business continuity disruption caused by coronavirus?

From what our members are telling us, it seems that the immediate business continuity risk has reduced. Continuity plans have proved to be quite successful, with the majority of work forces able to work from home and carry out their regular activities.

However, I don’t think the danger is completely over. Obviously, every organisation is heavily reliant on technology right now. So, many firms are starting to think about and plan for failures – asking themselves ‘if this technology fails, what will the back up be?’

Another thing many businesses are planning for is returning to the office. For a global firm, this can mean meeting a range of governmental rules, legal expectations and regulations in different jurisdictions. Compounding this challenge is the fact that guidance is not always clear and there is often conflicting information.

So, it sounds like business continuity plans were mainly successful, but do you think that there are still lessons financial firms can learn for the future?

I think there are probably two main lessons that have emerged. The first is that scenarios need to cover more extreme events than they do currently. This will mean a change in mindset from traditional, often siloed scenario planning to a more holistic approach looking at the end-to-end process.

The other is around the complexity and potential exposures of third-party supply chains. Really, the focus now is on supporting third parties to make sure they continue operating. We’ve heard from some of our members that they’re actually proactively supporting third parties – for example supplying laptops, making sure their internet is stable and so on.

ORX has recently published a report on the first lessons learnt from the pandemic. The report is freely available to download on the ORX website for anyone who’d like to read more.

Moving onto operational risk profiles, how might changes in operating environment affect risk profiles?

What we're seeing now is a combination of factors which haven't really been seen together before. So, there’s remote working, and with that we have adapted controls and processes to make sure businesses can continue to operate. There’s also mandated measures and government-backed products. It’s because of this combination of factors that our members are telling us that there is the potential for an increase in internal and external fraud across the course of the crisis.

Cyber is the other main concern. From our conversations with the industry, there seems to be an increase in attempts, but these are not necessarily successful attempts. This could indicate that cyber controls are still operating normally, but that will remain to be seen over the course of the year.

ORX recently published the Covid Risk Review, which looked at how coronavirus has affected operational risks. People risk was one of the key risks highlighted in this report – how might this increased focus on people risk affect organisations post-coronavirus?

Many of our members are telling us that they’re thinking more now about employee well-being as a result of changing work environments. They’re bringing in additional measures to ensure that employees are properly supported, motivated and developed. And, due to our changed ways of working, this could be a real challenge to do via email, video calls and so on.

Another thing that we're hearing from financial firms is how this disconnected way of working with no, or very little, face-to-face contact might actually be impacting spontaneity, creative ideas and so on. You can't really bounce ideas off each other over email in the same way that you could when you’re in the same room. This could actually have quite a significant long-term impact.

Another point we saw from the results of the Covid Risk Review was that ‘people’ is not only important in terms of a risk but also as a driver. Most of the top risks that came out in the review were driven in some way by people, which really does highlight the importance of this aspect in risk management.

At the start of the year, the ORX Operational Risk Horizon study was published which looked at the top operational risks for 2020. Have these risks changed in relevance as a result of the pandemic?

All the risks that came out in the Horizon report are still relevant, they have just changed in criticality. This really does demonstrate how quickly the situation has evolved and how rapidly things are moving in terms of the coronavirus crisis.

I think the pandemic has caused the most dramatic shift in operational risk profiles since the financial crisis. So, over the remainder of the year, ORX is planning to continue monitoring the situation. We'll be running this risk review again just to see how things are developing.

This leads us on to my next question – how should firms think about capturing losses that have happened as a result of coronavirus?

Although our members are currently telling us that they’ve not seen significant losses caused by coronavirus, we expect to start seeing these losses caused by coronavirus materialising in the second half of the year. At ORX, we’ve been working closely with our member firms since the start of the pandemic to identify the best ways to report coronavirus-related losses – you can read our guidance here. Once we’ve started to collect these losses as part of the ORX global loss data, we will analyse the impact.

And finally, the pandemic will cause an economic downturn. What additional risks could be exposed because of this?

The biggest concern that we're hearing from our members is the potential for an increase in conduct risk. There's a number of factors that are driving this. Firstly, there’s government-backed products that were very quickly set up. In addition, we’re in an environment where we've currently got fewer supervisory controls, and usually these controls were designed to operate in an office environment rather than remote working. This means that there’s more opportunity for things to go unnoticed, opening up more exposures. Combine this with an economic downturn, and I think there’s the potential for people to be more motivated to sell and therefore mis-sell.

Another thing which might develop, although it's been somewhat addressed initially, is third party risk. As we develop into the economic downturn, there's more chance that third parties aren't going to be able to maintain liquidity. Many third parties aren't really prepared in the same way as financial firms, which have large reserves and extensive business continuity plans. We’re hearing from our members that they're starting to focus on maintaining the financial resilience of their third parties, in addition to their own financial resilience.

Thanks for your time Lauren. If anyone reading would like more information, then the Covid Risk Review and lessons learnt reports are both available to download:

Download the Covid Risk Review
Download the Coronavirus: first lessons learnt report
