As we move forward into the new reality, financial regulators view operational resilience for banks and insurers on an equal footing with, and as a key driver of, financial resilience and recognize that poor resilience has the potential to impact not only individual firms and wider financial stability, but also to cause significant customer detriment. For fiduciary businesses, deficiencies in operational resilience have potential implications for investor returns and security of client assets.
There has been a tangible shift in perspective. Regulators are taking a new approach to resilience: not if, but when. They now expect firms to consider not only what would happen if they were to experience disruption, but how they will respond when it does. And although firms were always expected to manage their operational risk, plan for contingencies and have business continuity and disaster recovery plans, in the new reality operational resilience is much more.
Historically, the primary resilience focus for global regulators was cyber and ICT security. These remain critical, particularly under the current stresses of the Covid-19 pandemic, with accelerated adoption of technology and increasing sophistication of external bad actors. Firms must consider the possibility of multiple concurrent disruptions and the emergence of new threats and vulnerabilities.
Extreme events arising from climate change, from floods to wildfires to unexpected snowstorms, could impact physical operations. Geopolitical events could challenge operating models, for example through the loss of operating licenses in certain jurisdictions. And evolving business models due to innovation or changes in economic conditions could lead to skill shortages.
Regulatory authorities have realized that a broader approach to operational resilience—incorporating equally important components such as people, processes, technology and information—is needed.
Customer impact is always in mind and governance and accountability are in the spotlight. Proposed regulations highlight the importance of identifying severe but plausible tailored scenarios, and of performing stress-tests to reveal weaknesses in operating models. Firms are required to define the amount of disruption that they would be willing to tolerate and to monitor and measure their ability to remain within these tolerances.
Operational resilience becomes a key driver of investment and business strategy. Firms must have a clear understanding of their end-to-end processes, including critical dependencies, and how these would be impacted by disruption. Increased operational resilience should lead to greater trust amongst all stakeholders including regulators, customers, employees and third parties.
Connectivity is key. The financial services sector in the twenty-first century is more interconnected and technology-driven than ever before. Outsourcing has been on the radar for some time, but never on the scale seen now as firms seek to manage down costs and create efficiencies through greater reliance on third parties. Regulators recognize the dominance of a small number of large global technology and infrastructure providers and are seeking to update and expand requirements accordingly.
The excerpt was taken from KPMG International ISG Audit Quality Leader-Financial Services Andrea Schriber’s blog post entitled “Climate risk is financial risk – For banks it’s a board-level issue.”
© 2021 R.G. Manabat & Co., a Philippine partnership and a member-firm of the KPMG global organization of independent member-firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.