You have joined the Operational Resilience workshop being hosted - PowerPoint PPT Presentation

SLIDE 1

You have joined the Operational Resilience workshop being hosted by RiskSpotlight. The session will start at 1pm UK time.

SLIDE 2

SLIDE 3

  • Co-Founder and CRO @ RiskSpotlight (last 7 years)
  • Passionate about utilising risk management as a management tool to define and execute business strategy
  • Part of UK delegation for revision of the ISO 31000 standard
  • Member of the IOR project team for developing and rolling out Certificate of Operational Risk Management (CORM)
  • Designed world’s first forward-looking operational risk content service “RiskSpotlight Portal”. Utilised by over 100 financial services firms for horizon scanning and monitoring emerging operational risk topics.
  • Trained 1,000+ operational risk professionals through classroom and online courses

LinkedIn: www.linkedin.com/in/manojkulwal

SLIDE 4

Diagram: stressors act on the firm; the outcomes shown, at decreasing levels of resilience (High to Low), are:
  • Firm on track to achieve business strategy
  • Firm faces strategic & operational issues and incidents in some areas
  • Firm faces significant crisis in key parts of the business
  • Firm faces existential crisis
  • Firm can quickly recover from the crisis
  • Firm requires a long time to recover from the crisis or is unable to recover

SLIDE 5

Diagram labels: Strategic Objectives; Investments/Capital; Processes/Activities; People; Tangible Assets; Intangible Assets; Value Creation; Targeted Strategic Objectives; Risk Exposures; Compliance Boundaries

SLIDE 6

Diagram labels as on slide 5: Strategic Objectives; Investments/Capital; Processes/Activities; People; Tangible Assets; Intangible Assets; Value Creation; Targeted Strategic Objectives; Risk Exposures; Compliance Boundaries

Resilience is an outcome of making the right business decisions, successfully executing these and managing risks.

SLIDE 7

Value Creation

Measures undertaken to create value that directly contributes to strategic objectives. Examples include:
  • Provide website for customers to purchase financial products
  • Provide online banking website for customers to manage their funds
  • Operate sales team to sell financial products to clients

Typically considered as similar to accelerators in cars.

Value Protection

Measures undertaken to ensure the firm’s ability to create value in the long term is not affected. Examples include:
  • Prevent criminals from using financial products for money laundering
  • Prevent cyber criminals from gaining access to customer accounts
  • Prevent sales team from mis-selling financial products to clients

Typically considered as similar to brakes in cars.

Winning cars require effective accelerators and brakes. Similarly, successful firms require an optimal balance of value creation and value protection. Only firms that can find the optimal balance will be successful in the long run.

SLIDE 8

Value Creation and Value Protection (definitions and examples as on slide 7)

Value Creation is typically considered as similar to attackers in a football team; Value Protection is typically considered as similar to defenders & goalkeeper in a football team. Winning teams require effective attackers and defenders. A team will be defeated even when its attackers score 20 goals if the opposing team scores 21 goals.

SLIDE 9

Chart: level of investment in value creation measures versus level of investment in value protection measures (scale 0% to 100%), positioned for a new challenger bank, a new fintech firm, a large national bank and a large global bank.

SLIDE 10

Diagram: Strategic Objectives within Compliance Boundaries; two parallel sets of business components (Investments / Capital, Processes / Activities, People, Tangible Assets, Intangible Assets), one for Value Creation and one for Value Protection.

Inherent dilemma to allocate resources between value creation & value protection.

Functions listed on the slide: Board; Senior Executives; Sales Team; Marketing Team; Product Team; Technology Team; Group Risk Team; Risk Committees; Audit Committees; Control Performers; Internal Auditors; Compliance Team; Information Security Team; BCM Team

SLIDE 11

Resilient
  • Robust preventative controls to minimise disruption to key business activities
  • Robust detective controls to facilitate early detection of disruption to key business activities
  • Robust responsive controls to facilitate rapid recovery of disrupted business activities
  • Lessons are learnt from failures in a structured manner and applied to continuously improve the level of resilience
  • Periodic stress testing exercises conducted to evaluate resilience level under different extreme & plausible scenarios
  • Focus on concentration risks and minimise these where possible
  • Recognise that increasing efficiency can reduce the level of resilience
  • Recognise that adequate capital/reserves should be allocated for dealing with an extreme crisis
  • Balanced focus on value creation and value protection
  • Recognise complexity as a key driver of resilience. Complexity is managed in a structured manner.

Not Resilient (Fragile)
  • Weaker preventative controls resulting in periodic disruption to key business activities
  • Weaker detective controls resulting in delayed detection of disruption to key business activities
  • Weaker responsive controls resulting in delayed recovery of disrupted business activities
  • Lessons are not learnt from failures in a structured manner – same type of failures re-occur
  • Stress tests are not conducted or scenarios are not extreme
  • Little or no focus on concentration risks
  • Excessive focus on increasing efficiency without adequate consideration of resilience
  • Believe that allocating emergency capital/reserves is sub-optimal and attempt to minimise these to meet regulatory requirements
  • Excessive focus on value creation at the cost of value protection
  • Do not understand the relationship between complexity and resilience. No structured approach to manage complexity.
SLIDE 12

www.riskspotlight.com

New!

SLIDE 13

Service = Make payment from UK account to an international account

Products
  • Current Account
  • International Payments

Channels
  • Channel 1 = Branch
  • Channel 2 = Phone Banking
  • Channel 3 = Online Banking
  • Channel 4 = Mobile Banking

Process 1 – Process international payments in branch
  • People – Branch staff
  • IT System – Branch computers & software

Process 2 – Process international payments through phone banking
  • People – Call centre staff
  • IT Systems – Call centre computers & software

Process 3 – Customer driven international payments processing (self-serve)
  • IT System – Core Banking System
  • Software – SAP Core Banking Software
  • Server – IBM Servers
  • Third-parties – IBM; SAP, Accenture
  • Facility – IBM Data Center, London

External IT System
  • Industry Payment Processing System

SLIDE 14

Business Services

  • Customers mainly care about whether the service they require is available or not, irrespective of the issues a firm may be facing with the channels, systems, processes, people. Services provide an outside-in perspective, enabling valuable insights on prioritising resource allocation decisions.
  • Providing alternatives to services becomes a key driver of resilience. Services with alternatives will be considered more resilient than services without alternatives. Firms may need to create manual alternatives in some cases.
  • Mapping services to key business components will highlight constraints / vulnerabilities / bottlenecks / dependencies

SLIDE 15

Business Services

1. Withdraw cash from account (e.g. non-bank ATM, ATM in bank branches, branch counter)
2. Open new current account (e.g. online banking, new account website, mobile banking, phone banking, bank branch)
3. Get access to bank account statements (e.g. online banking, mobile banking, phone banking, bank branch)
4. Setup standing order (e.g. online banking, mobile banking, phone banking, bank branch)
5. Make payments (e.g. online banking, mobile banking, phone banking, bank branch)
6. Deposit cheques (e.g. cheque deposit machines in branches, branch counter)
7. Report credit card fraud (e.g. dedicated credit card fraud hotline)
8. Apply for new credit cards (e.g. online banking, online new credit card website, phone banking, bank branch)
9. Close saving account (e.g. online banking, mobile banking, phone banking, bank branch)
10. Request new security key (e.g. bank branch)
SLIDE 16

Business Services

Levels of granularity shown on the slide:
  • Account operation services
    • Online banking service
      • Make payments
        • Make payments to international bank accounts

Selected granularity will drive the number of business services that need to be managed as part of the operational resilience initiative.

FCA/PRA – “It should be clearly identifiable as a separate service and not a collection of services.”

SLIDE 17

Business Services

1. Services that allow customers to transfer funds between accounts
2. Customers claiming on an insurance contract/policy
3. Making loan repayments
4. Checking account balances
5. Accessing deposits and savings
6. Renewing a general insurance contract
7. Obtaining life insurance
8. Receiving mortgage advance
9. Processing direct debit payments
SLIDE 18

Business Services

Priority 1:
  • Services associated with primary revenue source for the firm (e.g. apply for new mortgages)
  • Services that are frequently used by customers (e.g. checking account balance, making payments)
  • Services that can cause financial harm to customers (e.g. customers unable to receive salary payments into their bank accounts)
  • Services that can impact a large number of customers if disrupted in peak time (e.g. online banking website down between 12pm and 2pm on weekdays)
  • Services that can impact other firms who rely on the service (e.g. Tesco Bank relying on Travelex services for providing foreign exchange services)
  • Services that can impact the wider financial system of a nation or region (e.g. VISA or Mastercard unable to provide credit card processing service)
  • Services meeting the above criteria and where no alternative services are available

Priority 2:
  • Services associated with secondary revenue source for the firm (e.g. revenues from providing financial advice)
  • Services that are infrequently used by customers (e.g. pay electricity bills in bank branches)
  • Services that are not considered time sensitive by customers (e.g. getting access to bank account statements)

Priority 3:
  • All other services not covered above
SLIDE 19

Business Services

Initial Setup
1. Identify and document key business services
2. Map business services to business components such as processes, assets, products etc.
3. Define the methodology to assess resilience (e.g. setting impact tolerances, scenarios)
4. Embed resilience methodology into existing risk management processes (e.g. operational risk, business continuity management)
5. Define impact tolerances for business services
6. Review and update service disruption communication strategy for external stakeholders (e.g. customers, regulators)
7. Review and update resilience reporting processes at the business unit and group level
8. Review and update processes to analyse service disruptions and implement the lessons learnt

On-going
1. Periodically update the business services to reflect changes to the business components
2. Periodically assess services to identify whether the defined impact tolerances can be met
3. Periodically review and update impact tolerances
4. Evaluate services as part of any business decision making (e.g. launching new products) or change management initiatives (e.g. outsourcing a critical IT system)
5. Evaluate services when material changes occur within the internal or external business environment

SLIDE 20

Practical Example

SLIDE 21

Business Services: Working Group

  • Create an industry standard library of business services in collaboration with RiskSpotlight and other financial services firms
  • Working group participants will get free access to the business services library
  • Send email to manoj.kulwal@riskspotlight.com if you want to join the working group

SLIDE 22

SLIDE 23

SLIDE 24

SLIDE 25

SLIDE 26

  • Resilience is not something you can do/perform. It is the outcome of making good quality business decisions and executing these effectively.
  • Balanced focus on value creation and value protection is critical for achieving resilience
  • Regulatory focus on business services to achieve operational resilience
  • How business services are different to processes, assets and systems
  • Granularity at which business services need to be defined

SLIDE 27

Diagram labels: Organisational Resilience; Strategic Resilience; Financial Resilience; Operational Resilience

Currently fragmented across different topics such as OpRisk, BCM, Cyber Risk, Third-party risk etc.

SLIDE 28

Operational Resilience – with focus on key business services

Risk areas shown: Operational Risk; Business Continuity Risk; IT System Risks; IT Security Risk; Info Security Risk; Cyber Risk; Third-party Risk; Outsourcing Risk; Product Risk

SLIDE 29

1. BCM is a very important function that can contribute to the achievement of operational resilience
2. In most firms, BCM is treated as a tactical function and hence does not get due attention at the board and senior management level
3. Operational Resilience will transform BCM from a tactical to a strategic function. But BCM should continue to focus on its current priorities and not expand its scope to cover leadership on operational resilience, as this will distract it from its core objectives and stretch the scarce resources available to it
4. BCM is a (very important) subset of overall operational resilience requirements
5. Operational resilience will ensure that business continuity topics get due visibility at the board and senior executive level. It will ensure that business continuity topics are considered as part of strategic decisions (e.g. mergers and acquisitions, changes in strategic direction, defining competitive strategy, changes to product portfolio)

SLIDE 30

Risk Appetite
  • E.g. The firm will provide 99.90% availability on all customer facing processes, systems and services
  • Typically, defined at a very high level (certainly not at individual process, system, service level)
  • The focus is more on preventing risks and protecting the firm

Recovery Time Objective (RTO)
  • E.g. RTO for online banking system is 60 mins
  • Expressed in time
  • Typically, defined at a very granular level (e.g. process, system or asset level)
  • The focus is more on recovering as quickly as practically possible (practical best case scenarios)
  • Aims to balance the consideration of the firm and external stakeholders

Impact Tolerance
  • E.g. Impact tolerance for processing overdue direct debit payments is 24 hours
  • Can be expressed in time but can be expressed in other units too, e.g. number of incoming calls into the customer call centre exceeds 125% of the call handling capacity
  • Regulatory requirement is to define one for each key business service
  • The focus is more on defining the maximum disruption level beyond which the disruption will result in intolerable harm to consumers and market integrity (severe but plausible worst case scenarios)
  • Reflects extreme & exceptional circumstances/situations/crises (e.g. online banking service disruption due to a large scale cyber war launched by a rogue nation state). There is a high likelihood that RTOs will be breached in these cases.
  • Aims to prioritise the external stakeholders
SLIDE 31

Risk granularity, from high level to detailed: Technology Risk → Technology Failure → IT System Disruption → Disruption to customer facing IT Systems → Disruption to online banking IT System → Disruption to online banking IT System due to cyber attacks

High-level risks
  • Few risks
  • Very high level
  • Difficult to assign risk ownership
  • High-level assessment of risk
  • 1st line finds it very difficult to relate to these as risks they are dealing with in their day-to-day activities
  • Easier for 2nd line to aggregate and develop a top-down view for reporting to board and senior executives
  • Difficult to understand & manage risks from operational resilience perspective

Detailed risks
  • Large number of risks
  • Detailed level
  • Easy to assign risk ownership
  • Assessment of specific risk
  • 1st line finds it very easy to relate to these as risks they are dealing with in their day-to-day activities
  • Very difficult for the 2nd line to aggregate and develop a top-down view for reporting to board and senior executives
  • Easier to understand & manage risks from operational resilience perspective
SLIDE 32

Report Link - https://www.tsb.co.uk/news-releases/slaughter-and-may/slaughter-and-may-report.pdf

SLIDE 33

SLIDE 34

SLIDE 35

SLIDE 36

RiskSpotlight Portal for operational risk horizon scanning
  • Monitors 126 operational risks for financial services firms
  • Monitors emerging topics and incidents
  • 2 months free trial from www.riskspotlight.com/portaltrial
  • Annual subscription starts from £990 for one user

SLIDE 37

SLIDE 38

Every key business decision:
  • Can introduce new operational risks
  • Can change the exposure of existing operational risks

Examples of business decisions that can impact operational risk exposures:
  • Which critical functions/processes/services should be fully operational during the government lockdown?
  • When should the offices be reopened after the government lockdown is revoked?
  • Which employees should be allowed to continue to work from home after the government lockdown is revoked?
SLIDE 39

Diagram (timeline): past decisions (D) → outcomes of past decisions → current state of the business; current decisions (D) → outcomes of current decisions → future state of the business

SLIDE 40

Diagram: a decision (D) with three aspects.

Desired Outcomes
  • Create value e.g. Restore revenue levels to the pre-crisis level
  • Protect value e.g. Minimise the level of COVID-19 infections in the work environment

Planned Inputs
  • Investment e.g. invest £5 mln to upgrade system capacity to handle higher use of online channels
  • Costs e.g. cost of deep cleaning offices to reduce COVID-19 infections
  • Intangibles e.g. management time to deal with COVID-19 crisis

Risks
  • Inherent e.g. disruption to key business processes due to government lockdown decision
  • Optional e.g. disruption to key business processes due to third party failures

  • The three aspects are typically inter-related
  • Typically, desired outcomes and inputs are considered in detail during decision making but risks are not
  • Risks introduce uncertainties on achieving the desired outcomes and planned inputs

SLIDE 41

High Quality Decisions = Risk informed decisions
Low Quality Decisions = Inadequate consideration of risks
SLIDE 42

Diagram: many decisions (D) at the Strategy Definition & Direction, Strategy Execution and Operational levels.

Identify key business decisions across the organisation and embed management of operational risk:
  • Investment business cases
  • Encouraging decision makers (e.g. committees) to challenge their teams on adequate consideration of risk for decision making
SLIDE 43

Three phases:
  • Make the decision – e.g. Make decision to resume business operations after the government lockdown is revoked
  • Implement the decision – e.g. Implement recovery measures
  • Post decision operations – e.g. Monitor business continuity & workplace safety

  • In all three phases, consideration of relevant risks and managing these is important in order to achieve the desired outcomes
  • Some risks may remain relevant across all phases e.g. Illness or death of employees due to COVID-19 infection
  • Some risks may only be relevant for specific phases e.g. The risk “Disruption to key processes during the recovery phase” is only relevant for the second phase
SLIDE 44

Review the video of Session 3 from www.riskspotlight.com/integrate, the 3-workshop series titled “Integrating The Management of Operational Risk Into Core Business Processes”

SLIDE 45

What topics would you like me to cover in future workshops? Please share your topics with me at manoj.kulwal@riskspotlight.com

SLIDE 46

  • Check 100+ risk management learning videos on www.riskspotlight.com/youtube-risk-management
  • Register for 2 months free trial of operational risk horizon scanning service at www.riskspotlight.com/portaltrial

SLIDE 47