On 3 September, The London Institute of Banking and Finance hosted a webinar to discuss how risk governance needs to change after Covid-19. The panel comprised risk experts from the first, second and third lines. In today’s blog, Paul Howard, who has over 40 years’ financial services experience, mainly in senior risk roles, summarises his key points from the webinar where he discussed his view from the Second Line.
In the context of operational resilience, Covid-19 continues to be the single greatest threat. But as steps are taken to ease the lockdown, it’s appropriate to take a moment to think about how risk governance adapted and how it needs to evolve to face the future.
Everyone has heard of “Back to the Future” and I think it’s fair to say that some businesses have been “Shocked into the future.” It is a brave person that makes predictions at the moment.
Is there a new paradigm for the way of working? Communities of office workers may never again congregate and collaborate physically in the way they have done in the past. People and valuable company assets including information and data are dispersed in ways that they have never been before. This itself creates a whole range of new risks.
As Target Operating Models evolve and settle, how does risk governance need to evolve and adjust to identify and keep up with these new and emerging risks?
Readers may be familiar with the regulatory direction of travel around the need to develop ‘operational resilience’ and will have read the papers published by the UK regulators on the topic in the last couple of years. Covid-19 has brought this to life massively and illustrated it is not just about business continuity – it is about the identification of critical functions and services.
Operational resilience is not about how long an organisation can hold its breath. Rather, it is about how the firm can sustain and substitute critical services and do things differently, and effectively, indefinitely in a crisis. This is in addition to remaining in effective control.
What were the issues?
Governing the business in ‘crisis-mode’ while trying to deliver on BAU is a tough balance for boards
Identifying and managing new and emerging organisational risks in a rapidly evolving scenario
Inability to fully assess, understand, accept, or mitigate the risks emanating from implementing temporary or modified processes.
What have we learned?
It is vital to define and prioritise critical controls needed
There is a need to confirm that these critical controls are in place, and implement and monitor them
Regulatory engagement is critical: keep regulators in the loop about issues, plans, and next steps.
What are the challenges when looking at the return to work?
A need to re-establish and adapt post-crisis governance models
Reviewing processes, controls, and systems to reflect the ‘new normal’ and lessons learnt during the crisis
It is important to identify temporary/agile governance arrangements which proved to be effective in the crisis and can be transitioned to business as usual. Never waste the learnings of a good crisis – what did we stop doing that we learned added limited value, and how did we get things done more efficiently without incurring unacceptable increased risk?
Enterprise-wide risk registers need to be updated in the light of the “new normal”.
Overall, a broader view of operational resilience will be required. Reactivating business operations will not be easy with new working arrangements.
How we did things, how we do them now, and changes to both ways of working and the operating model will have important consequences for the management and oversight of risk. Governance oversight will need to adjust.
However risk management and risk oversight adjust, the principles of good governance and the risk function’s role articulated in the Risk Coalitio udure. It is the execution of this oversight that may require adjustment in the new normal.
Paul Howard - Interim CRO at Bank ABC in London