Operational risk & coronavirus: how are firms responding?

Helping financial organisations respond to coronavirus

We want to do everything we can to support our member firms in dealing with this new and continually evolving challenge. So, we’re holding regular calls to give our members the chance to discuss coronavirus (Covid-19) and its impact on operational risk. We also ran a survey on how financial organisations are reacting to coronavirus. Read on for a brief summary of the main discussion points of each call. If you're an ORX member, you can read a full summary of each discussion on our members-only website.

Summary of calls held on 2 June

Managing an increasing and changing risk and impact profile

Discussion summary

As we draw to the close of our weekly series of calls, members commented that this week’s topic was the most challenging to speak about. After a sharp initial increase in risk exposure (particularly business continuity) due to a rapid shift to remote working for most institutions, members felt that the situation had mostly stabilised and reached a plateau. This, of course, is highly dependent on the progression of the pandemic where they operate. Many predict a gradual decline in risk profile, but one where some risks potentially never return to their previous level.

There was consensus that despite the change in exposure, risk appetites have not changed. Some are currently entering the review phase for their risk appetites and acknowledged that the lessons learnt throughout the crisis would be taken into consideration – perhaps leading to a set of “shadow limits” for stressed situations such as this. One member described how they are working with business units to examine where exposure may be out of appetite, and what steps need to be taken to reverse this – sometimes referred to as “the route to avoiding red”. In some cases, operational risk has received requests from business units for increases to the loss tolerance thresholds, although all agreed that this was not an appropriate allowance to make.

Members were also in agreement that even though their risk exposure is heightened, there is limited loss event data to back this up.

From ORX’s recent Covid Risk Review survey, we see that the most common top risks are short term: Business Continuity, Information Security, Transaction & Execution, People, and Third Party. We will continue to monitor this to assess any shifts as the pandemic continues.

When asked about how long they expect this heightened risk exposure to persist, all agreed that this would be driven by the wider state of the pandemic but believed it would last between 18-24 months.

Current priorities

• As initial risks begin to plateau, focus turns to longer term concerns
• Individual and institutional people risk are an ongoing focus
• Managing the many conduct risk consequences of the pandemic
• Assessing and mitigating reputational risks associated with relief packages

Read the Covid Risk Review survey results for more information

Summary of calls held on 26 May

Productivity and efficiency through the crisis

Discussion summary

The consensus view is that productivity within operational risk through the crisis is as high, if not higher, than in normal times. While no institutions appeared to have KRIs that formally tracked productivity, the anecdotal evidence is strong. They are managing to support specific crisis activity, but also maintain underlying essential operational risk management. In some cases, this has been made possible by finding more efficient streamlined ways of operating, or by prioritising the most value add activities.

There is evidence that some institutions are beginning to restart longer term strategic activities that were paused during the crisis. A key question here is, are prior assumptions still correct, or do we need to re-evaluate what is needed long term given the change that the pandemic has accelerated?  

Despite an optimistic view of short-term productivity, the long-term sustainability is a concern for all organisations. Many are nervous about individual people risks, such as stress and wellbeing, and institutional people risks, such as recruitment and long-term nurturing of talent, which are heighted as a consequence of working remotely.

Current industry priorities

• Evaluating which practices or changes can be carried forward beyond the pandemic
• Assessing and resuming paused and deferred activities
• Assessing long-term individual people risk, for example impact on staff wellbeing
• Considering wider aspects of institutional people risk as a consequence of widespread remote working

Summary of calls held on 19 May

The role of scenario analysis during the crisis

Discussion summary

Scenarios analysis is the primary tool within the operational risk framework that is used to understand exposure to extreme and rare events, particularly where there is limited historical experience. The coronavirus pandemic has highlighted the importance of considering these tail events, not simply from a financial perspective, but also in terms of operational resilience.

Some firms are revisiting existing pandemic scenarios, using the coronavirus crisis as a “live back-testing" exercise to challenge their previous assumptions. Lessons learnt on how and why prior assumptions differed from reality, will be applied to many scenarios.

Specifically, understanding what was lacking, which is one the most valuable lessons learnt. For scenarios to be useful in a crisis, details such an exit plan around how to return to normal is needed. Akin to observations made in business continuity planning, “plans are just plans until you put them into action”. Other scenarios, such as mis-selling and data loss where assumptions need to be challenged in light of widespread operational changes, are also under the microscope.

What is evident from our discussions with members is that scenario analysis is perhaps more important than ever as we move into the new normal, and will remain an essential tool when planning for future unknowns.

Current industry priorities

• Using scenario analysis as a risk management tool
• Re-evaluating existing scenarios and their assumptions
• Linking scenarios to mitigation strategies and controls
• Including thinking within a scenario on how to safely “exit” from an event, not just the circumstances that lead to it occurring

Summary of calls held on 12 May

Recording the cost of the pandemic – early days

Discussion summary

Understanding the true financial cost of coronavirus is central to assessing its impact. Both in the form of pure operational risk losses, which will be required for future capital calculations and stress tests, and broader costs which will be needed for budgeting and strategic planning.

For such a wide-ranging crisis, there is a challenge both of scope – in collecting information from every area of an organisation – and of definition – deciding what is and is not a genuine impact of coronavirus. This has led to a variety of approaches such as centralised or decentralised, and broad or focused models for gathering data.

As we are all unlikely to return to the same working environment, there is also a conceptual challenge. What would normally be considered a loss, measured as a cost of returning to a prior or modified operating state, may simply be considered a cost of doing business in a ‘new normal’. Raising the fundamental question of: how long should response costs constitute a loss?

Members are all still at an early stage of identifying and capturing operational risk losses. All reported that they had not seen significant increases in operational risk losses, but many cautioned that it was still early in the process and losses may yet materialise. There is also the risk of under-reporting due to operational disruptions. The crisis is on-going, and challenges with the identification and aggregation of losses make the total cost of the crisis very difficult to assess.

Current industry priorities

• Providing guidance on capturing impacts
• Aggregation of data to get a complete picture of the total cost
• Assessing when to consider the pandemic as “over” and when a cost is simply BAU
• No significant increase in operational risk losses, but caution in assuming this will continue

Summary of calls held on 05 May

Managing the risks of returning to the office

Discussion summary

This week we spoke to our members about the topic of returning to the office. Almost everyone agrees that working remotely has been successful, reducing the pressure for an immediate transition of the workforce back to the office. Many plan to take a conservative approach, moving their staff back to the usual work sites slowly, taking guidance from local authorities, while also carefully considering the health and safety and wellbeing of their staff.  

Aside from returning to the office, many institutions are also planning for a “return to the field”, which may include meetings with clients, brokers, and agents. Some also highlighted a “return to BAU”, where deferred activities will be caught up, or permanently cancelled.

Current industry priorities

• Planning phased return to work strategies, proceeding with extreme caution
• Ensuring the safety of staff and customers
• Catching up on any deferred activities
• Surveying staff on their thoughts about returning to the office
• Assessing, then unwinding or permanently adopting changes in operations

Summary of calls held on 28 April

Preparing for lessons learnt: the role of operational risk

Discussion summary

All the financial organisations involved in our discussions are in the early stages of formal reflection on the coronavirus pandemic, driven by the ongoing and changing nature of the crisis. However, they are all are actively learning from their responses, their changes to operations, and seeking to look forward and understand what it means for their future operational risk profile.

Institutions are also laying the foundations for future introspection. This involves capturing all relevant information, including event data, and maintaining a record of how thinking and their response has evolved throughout the crisis.

How can ORX support them in this?

We're planning to dive deeper into first lessons learnt from the pandemic with a dedicated study. This work will incorporate observations from the discussion calls, publicly reported impacts of the coronavirus, and potentially a short survey aimed at capturing an industry-wide perspective.

We are also commiting to support any future regulatory lessons learnt exercises in the form of working group discussions and parallel studies where appropriate.

Current industry priorities

• Ongoing assessment of response to identify first lessons learnt
• Rapidly responding to changes in the risk and control environment
• Gaining an accurate aggregate view of changes to operating environment
• Risk managing a return to work strategy
• Evaluation of a future risk profile

Summary of calls held on 21 April

Impact on cyber and information security risk profiles

Discussion summary

The disruption caused by coronavirus has resulted in rapid changes to cyber, information security and third party risk profiles. Many institutions have seen an increase in malicious attempts, particularly social engineering campaigns leveraging coronavirus, but none reported an increase in cyber events.

From a risk management perspective, there is a significant focus on training and awareness campaigns on information security hygiene to mitigate potential vulnerabilities of remote working, particularly where new third party virtual communication technology has been rapidly adopted. There are also efforts being made to understand the extent of policy and control exceptions, to both provide an aggregate view of this change and to allow an orderly reversal of them in the future.

You can read more detail about the impact of coronavirus on cyber risk profiles in our recent blog. 

Current industry priorities

• Increased monitoring and reporting of cyber and information security risk
• Training for colleagues, specifically on information security
• Introduction of metrics to monitor the effectiveness of risk management awareness
• Large scale phishing simulations and in-house testing
• Refinement of policies and controls to support business as usual
• Creation of a centralised view of policy and control exceptions

Summary of calls held on 14 April

Impact on fraud, conduct and reputational risk profiles

Discussion summary

Coronavirus has rapidly changed operational risk profiles across banking and insurance, but understanding the precise details of this change, during ongoing and elevated uncertainty, is inherently difficult. This week our discussions focused on fraud, conduct, and reputational risk. Two key themes emerged:

1. Coronavirus has overnight changed the fraud risk profile. With institutions closing branches and driving more business through online channels in response to lockdown, external fraud is now concentrated more heavily in digital and cyber threats. Likewise, the rapid shift to remote working environments has created new challenges for managing internal fraud where existing control frameworks designed for office-based working have been urgently reassessed.
2. Longer term, financial institutions are focusing on conduct risk. There is concern that conduct exposure may be created by the new business environment adopted in response to the pandemic. Temporary assistance to customers, such as mortgage holidays, and the delivery of rapidly deployed government aid projects, could manifest as conduct risk events over the next 12-18 months. The potential for lasting reputational damage due to firms’ response to the pandemic is apparent. As we enter a period of economic downturn, institutions will be making conscious efforts to retain their customers, and during this period clear communication is more important than ever.

Lastly, we heard concerns that coronavirus disruption may come to impact anti-money laundering risk profiles (AML). Some firms are increasing AML transaction scrutiny and are beginning to work collaboratively to investigate whether new typologies of AML breaches are emerging. We will return to the topic of financial crime in the context of the coronavirus crisis in future discussions.

Current industry priorities

• Increased transaction monitoring
• Training and awareness campaigns for colleagues
• Clear and consistent messaging to customers
• Ongoing assessment of changes to conduct risk profile associated with rapidly changing or deployed products
• Monitoring of any emerging risks

Summary of calls held on 7 April

Resilience of key services and processes

Discussion summary

Coronavirus has tested the operational resilience of financial services on an unimagined scope. Entire countries have faced lockdown, but despite this key services continue to be delivered. Moving beyond the initial response and a rapid transition to remote working, organisations are now focusing on ensuring that critical customer services continue to function. Reprioritisation has meant the deferral of change initiatives and the reassignment of staff to support key processes. It is encouraging to hear the efforts on supporting clients through the disruption and institutional collaboration at a national level to ensure the 'lights remain on' in the financial system.

Institutions are also starting to consider what the risk landscape will look like post-coronavirus, and what this means for operational risk. Concerns currently revolve around the stability of IT infrastructure, the elevated cybersecurity threat and the new avenues for external fraud through the exploitation of state financial support schemes.

Finally, we heard emerging concerns about the potential for conduct risk exposure. As the economic cycle moves toward a downturn and consumers face financial difficulty, previously unidentified issues may surface.

Current Priorities

• Maintaining critical business services
• Reprioritisation of projects and reassignment of staff
• Deployment of debt relief packages
• Looking to the future risk profile and operational risk practice

Summary of calls held on 31 March

Third party, outsourcers, and supplier risk impact

Discussion summary

As the coronavirus pandemic continues to impact financial institutions globally, it is worth commenting on the progress made. Business continuity plans appear to have been largely successful. Thousands of employees have been successfully transitioned to remote working as social distancing restrictions have come into force in most jurisdictions. Key operating activities are continuing and appear broadly stable.

As we begin to adapt, our members are starting to consider how their risk exposure has changed and the longer-term sustainability of this new operating model. Third party risk presents an acute and common challenge, as changes in suppliers’ operating environments or financial stability carry the potential to have widespread, potentially systemic, impact. This note addresses these issues in more depth.

Current Priorities

• Initial focus on immediate operational resilience turns to financial stability
• Assessing the criticality of suppliers
• Frequent engaging with third parties
• Rapid “triage” to coordinate 3^rd party risk management approvals

Summary of calls held on 24 March

Moving on from immediate business continuity concerns

On 24 March, more than 60 organisations joined us to discuss virtually the impact of coronavirus and what operational risk functions are doing in response. Among other things, they told us they are moving away from focusing on immediate business continuity concerns. These are the areas they're focusing on now:

• Assessing a new risk profile
• Streamlining and focusing risk management
• Identification of critical operations key to resilience
• Assessing and developing pandemic scenarios
• Preparing for loss event collection
• Preparing for lessons learned

Future topics for discussion

Based on our initial discussions with our member organisations, here are some of our proposed topics for future calls focused on coronavirus:

• Impact on third party and supplier risk
• Pandemic scenario analysis
• Impact on conduct, fraud, and cyber risk
• How to record the cost of pandemic, and future consequences for capital and stress testing
• Regulatory interactions and focus over this period

Responding to coronavirus: ORX membership survey Febuary 2020

In February, we surveyed our member organisations to see how they were currently responding to coronavirus from an operational risk perspective. Here's what they told us at the time.

Here’s a quick breakdown of our key takeaways so far:

1. Communication is key

All our members have agreed that good communication is vital. Make sure that all communication is clear, timely and factual.

2. Business continuity plans are being stretched

The global nature of coronavirus means that everything, and everywhere, is being hit at once. Businesses need to be prepared for simultaneous impact across multiple locations, rather than just one office, town or country being affected.

3. Evaluate your response daily

As the Coronavirus situation develops, organisations need to evaluate their response regularly – usually on a daily basis. This then needs to be communicated internally (refer back to the first point!).

4. Consider the impact of your organisation’s response

It is important that you take into account the impact of your institution’s response to coronavirus. For example, more people working from home may change your risk profile or, in some cases, employees are unable to carry out certain tasks if they are not based in the office.

Don't go it alone

ORX is founded on the principle of bringing financial organisations together to share data, experiences and ideas, and it's exactly at times like these when working together is definitely more valuable than working alone. Find out how you can become part of a global community at the forefront of operational risk management,

Find out more about ORX Membership