Turn Operational Resilience into a Competitive Advantage
If you ask me one lesson I learned about today’s crisis, it is how vital operational resilience is for organisations.
On April 30, Christophe Kempkes introduced us to foresight and horizon scanning and how this will make organisations more resilient. Last week’s session on June 4 is a follow-up, a more concrete deep-dive in the world of operational resilience in the financial services industry. For this deep dive, we invited David Suetens, Independents Director, former CEO of State Street Bank Luxembourg, and former Board Member at Luxembourg Fund Association and LHoFT, the Luxembourg House of Financial Technology.
Defining Operational Resilience
We learned from the first session that it is essential to find your highly uncertain events with a potentially significant impact. Essentially, you are looking for the ‘crown jewels of your organisation. Your crown jewels are those systems and platforms that are supporting your critical economic functions, for the economy as a whole, the market or your customers.
Operational resilience answers the question of how, and how quickly, you bounce back in case your crown jewels are affected. In other words: what critical economic functions do you manage and how will you make sure to keep your vital business running in exceptional changes in your business?
It should ideally be business-led and business-owned. The consequences of not having resilience right can make or break your business: from tremendous financial losses, reputational damage, and regulatory fines.
Only recently, banks started investigating their ‘conveyor belt’ to find the critical components in the production of financial products and the delivery of financial services. The trick is to gather all the data of all the risk teams and map it back to your value chain, your conveyor belt.
With COVID-19, banks showed a high resilience to change
From an institutional banker’s perspective, David concludes that the banking industry showed a high resilience to change in the last few months. Repetitive exercises of the supervisor prepare the industry for years.
What helped the industry to prepare for unexpected events like COVID-19, is SREP, a new acronym I did not know yet. SREP, the Supervisory Review and Evaluation Process, assesses and measures the risks of each bank. Four elements complete the evaluation:
- Business model
- Governance and risk
The governance and risk section takes care of operational resiliency.
Retail banks had a digital banking offering running, without interruptions. In less than a week, most (Belgian) banks could switch to home working, without any critical failures. BNP Paribas Fortis was so well prepared for a pandemic that they assisted healthcare by sending part of their stock of face masks to hospitals.
The health industry is an excellent example of not being operationally resilient: they were unprepared. Hospitals were counting on each health workers’ personal resiliency, instead of having backup plans in place to organise themselves on a national level.
The Financial Crisis Prepared the Industry for Today
Operational resilience became a topic after the financial crisis, driven by the regulator in the UK. In the financial crisis, the primary focus was on capital and liquidity in the first 4–5 years after the crisis.
Everyone knows Lehman Brothers, the domino that started the financial crisis in 2008. Lehman Brother an American bank, with branches all over the world, including the UK. To avoid bankruptcy, Lehman Brothers pumped away capital and liquidity to the headquarters in the US. Lehman is not a unique example: many international banking groups have a branch in the UK market and act as a full-fledged bank. The inaccessibility towards these regulated entities is a challenge for a regulator, who cannot impose capital or liquidity rules to a branch.
The only possible answer was by asking these branches if they are operationally resilient: the regulator enforced procedures and processes to ensure, as a bank (or a branch), you keep your vital business running in exceptional changes in your business.
Operational resilience started in separate, decentralised risk teams that each investigated the topic in their silo. Within their silos, experts looked at the data on outsourcing on process errors, on fraud, technology… Rarely they made a connection to a bank’s value chain.
This legacy thinking is the result of legacy systems. Over 40 years, a bank evolved from a centralised entity with all risks covered within their scope, to a hybrid model where banks have outsourced some activities and commercialised others. Processes are hard to documents, which make risk management highly complex.
Dear Fintech: How Do You Make Me More Operationally Resilient?
Outsourcing services, the setup of joint ventures to improve efficiency are typical in the business industry today. Technology creates many questions in the resiliency debate and many opportunities. Outsourcing is a chance to be more resilient, if well managed. Specialised companies have more knowledge on outsourcing; they have better IT platforms on it; they cope better with incidents…
A fintech that supports the bank in providing this critical economic function must make sure they have the right measures and processes in place to keep working in exceptional circumstances.
Koen Vanderhoydonk joined the discussion in saying that there are several standards in the market, like ISAE3402 (International Standards on Assurance Engagements 3402) to help a fintech to identify their core processes. An external auditor will assess companies for this standard and certify them if they comply. Only a few start-ups are aware of these standards.
The administrative burden ahead of a partnership, the due diligence, are there for a reason. A bank is highly regulated and used to measure risks and to avoid possible threats. For some financial institutions, partnering with a fintech with direct impact on the crown jewels is relatively new.
Successful fintechs understand these three lines of defence and will proactively communicate and report on three levels:
- Business needs to like the product
- Compliance needs to validate the product
- Audit needs to approve the governance
A fintech that understands that superior UX should not be a trade-off with reduced operational resilience is in a pole position to sign the deal. Providers that are unable to instantly respond on an incident that touches the crown jewels of a financial institution will be replaced.
David agreed and advised fintech to prepare the dialogue to a prospect bank to multiple departments, not just the business or innovation team, but also risk departments, compliance, audit, IT. If a fintech knows how the prospect deals with outsourcing, it will be miles ahead of the competition.
From “Bounce Back” to a “Bounce Forward”: Operational Resilience As a Competitive Advantage
Today’s crisis will stimulate organisations to look for more cost savings and efficiencies, which in turn will put more priorities on the outsourcing agenda. Banks will spend less than they do today, but the spending they do in the coming 2–5 years must increase their efficiency and resilience.
Organisations that help their customers turning a bounce back approach in dealing with resilience into a ‘bounce forward’ approach have a competitive advantage. They anticipate on possible events to happen, instead of preparing workarounds.
Bounce back: how do you get back in the air if things go wrong?
Bounce forward: what can we learn and how to anticipate going forward?
Bounce back: is it adequately documented for EBC?
Bounce forward: is it embedded in our technology and innovation agenda?
Bounce back: do we wait for an answer from the market when the crown jewels go down?
Bounce forward: to you have the talent and the risk team to improvise for a solution to get the crown jewels back up?
Artificial intelligence, robotisation and machine learning become essential technologies in flipping bounce back aspects into bounce forward elements. Today KPI and KRIs are often still tracked and reported manually. Image technology takes over: AI-enabled systems can track performance automatically. One step further, the system can even learn from its mistakes and become more resilient by itself, through robotisation and self-learning solutions.
What’s Next for Operational Resilience?
Can we expect more regulation because of today’s crisis? David does not think so. Firms did relatively well, so he does not see the need for more regulation either. The impact of non-performing loans is hard to measure at this stage. Capital buffers are there. David hopes that banks can deal with this, as managing financial risks is supposed to be their core business.
One change we can expect is an evolution from one generic SREP test to tailored tests for each type of financial institution (retail vs institutional vs corporate). Translated to operational resilience, retail banks will focus more on retail payments, asset management will need to answer more question on their portfolio management systems…
Climate change will get more attention in the future. In preparation of Davos, the leaders of the industry always prepare a risk register, an update for the most significant risks for the global economy. Climate change was high on the agenda this year, more than a possible pandemic. Financial institutions will need to integrate climate change in one of their scenarios in the operational resiliency framework. We know that the number of victims resulting from climate change will be much higher than the number of victims of COVID19.