Resolution, Resiliency & Risk
Two of the most precarious years of financial instability in recent U.S. history were 2001 and 2008.
The year 2001 brought the worst terrorist attack on U.S. soil – an atrocious act we will not forget. The year 2008 revealed a devasting financial crisis that many of us experienced for the first time in our lives. What ensued was a global meltdown across the financial industry. With each crisis comes opportunity to learn, adapt, and become more resilient.
In this article, I will not be analyzing the cause of past events, but I will refer to the past while pursuing and advocating for the fundamental mind shift required to strengthen our individual firms and the financial industry as a whole. From a global and domestic standpoint, we are facing never-ending threats – from the effects of the pandemic and global warming to civil unrest and cyber threats – just to name a few.
Building an overarching understandingto help us effectively manage these long-looming threats is my passion and I want to share with you why bringing resolution, resiliency, and risk together is so important.
Resolution – the Birth of ‘Living Wills’
The events of 9/11 led to a re-evaluation across the industry regarding our geographic footprints and business continuity approach. We focused on threat analysis around the globe and managed the level of investments we were making in higher-risk nations.
Then came the financial crisis in 2008, triggered by poor mortgage lending practices. This catapulted the industry to a financial crisis not experienced since the Great Depression in the 1930s. The 2008 crisis highlighted several shortcomings across the industry. In particular, it highlighted a lack of transparency when considering the level of systemic risk across the markets, as well as the level of interconnectivity.
The financial crisis of 2008 prompted legislators to examine the regulations governing the industry. In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) created a new regulatory regime featuring Title I & II Section 165.d, which requires systemically important institutions worth at least $50bn to develop resolution plans, known as “living wills.”
In reality, a firm’s living will is similar to the living wills we use in our personal lives. They help us plan so we can take actions and make decisions during an unforeseen stress event, such as a loss of income or the inability make a decision due to poor health.
Complexity Requires ‘Living Wills’
Today, many of the larger institutions have increasingly complex global structures and activities that require resolution plans. These structures include intricate legal entity structures, interconnected global footprints, revenue sharing agreements, master service contracts, service centers, and people-supported activities for several geographical regions.
When Lehman Brothers declared bankruptcy in 2008, we could not foresee the massive economic jolt to come. The financial fallout reverberated across the industry and around the globe. People worked 24/7 figuring out market and financial exposures, such as who owed and was due money. In an ideal world, this would be a very straightforward process, but that was not the case.
For the last 10 years, banks have been submitting these resolution plans to U.S. regulators, such as the Federal Reserve Board and regulators in different regions. Available to the public, the resolution plans give regulators insight to assess the level of systemic risk and interconnectedness that exists across the industry and key financial institutions.
Financial Resilience Meets Operational Resilience
Since 2008, we have focused a great deal on financial stress and resiliency, which is more tangible and quantifiable and therefore more readily manageable. We create models that tell us our sensitivity to factors, such as interest rate risk, market fluctuations, unemployment levels and more.
In 2020, the world went into a severe stress event with the global pandemic. While not a financially driven event, it resulted in financial consequence.
My point here is a very simple one: operational and financial resilience are very similar, but the former is more difficult to quantify and manage. However, both have the same objective – to limit the amount of contagion.
What is Operational Resilience?
Take a simple example: if you broke your arm, the immediate focus would be for you to do everything you can, such as visiting the doctor, to ensure a smooth and speedy recovery. Now, let’s look at that unfortunate accident from a different angle. Once your arm is in a sling, you must plan ahead so you can keep up with your daily life. You have to look after the kids, get them off to school, drive to work, and cook dinner, etc. How do you do that without the normal function of your injured arm?
You must prioritize what you absolutely need to do versus those things that can wait – all without affecting your core responsibilities. You manage your day-to-day on the critical activities and manage the vulnerabilities you have.
Operational resilience goes beyond recovery, it focuses on how we adapt, manage, recover, and manage through disruptions that can impact day-to-day operations.
The Bank of England’s Discussion Paper Triggers Action
In July 2018, there was another awakening across the financial industry when the Bank of England and the Prudential Regulatory Authority & Financial Conduct Authority jointly issued a discussion paper on “Building the UK financial sector’s operational resilience.” This triggered other global regulators to issue guidelines and papers on operational resilience. This stance helped business continuity move beyond being seen as a compliance-based or a “tick-the-box” function.
This needed to change, as did our thinking. As we have matured our thinking, operational resilience has expanded its scope. We are evaluating our dependencies across operational ecosystems, which is no different than how we managed through a financial crisis.
Attaining operational resilience is the result of effectively managing operational risk, according to the Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience.
Driven by the increased threat of ransomware, we are seeing increased focus and scrutiny from our regulators on data and third-party suppliers. Just recently, an Interagency Guidance was issued by the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC) on “Third Party Relationships – Risk Management” offering a framework based on sound risk management principles for banking institutions to consider in developing risk management practices throughout the lifecycle of third-party relationships.
So, how can we maintain operational resilience if we don’t understand our operational risks?
Operational Risk – Managing the Qualitative
What is risk? Financial risk is defined as financial loss that you are willing to accept. It is readily quantified by metrics and thresholds in monetary terms. Operational risk is usually managed in qualitative terms – impact to service-level agreements, change in volumes, customer queries – and it is difficult to financially quantify.
Therein lies the challenge and with that comes opportunity.
Integrating Resolution, Resiliency and Risk
Initially, resolution planning was focused on financial stress. Ten years on, resolution plans now include and increased focus on operational capabilities and limitations.
Today, many senior leaders and professionals see resolution, operational resilience, and risk as separate functions. Given what’s at stake, that’s no longer an option. Connecting these three disciplines together into the operational ecosystem is imperative. Our approach must be all-encompassing, including human resources, procurement, technology, information systems, employee communications, and reputational management in addition to all operational activities which support the business flow.
Considerations also should be given to investing in, developing, and integrating operational and financial stress models in place with Comprehensive Capital Analysis and Review and Dodd-Frank Act Stress Testing.
If we successfully converge these aspects of risk, we will transform the way we manage risk. This, in turn, will allow us to drive more timely, efficient, and effective strategic decisions.