A new era of operational resilience
This decade has been beset with global far-reaching disruptions, from the outbreak of the pandemic to the war in Ukraine, rising US/China tensions, to a rapidly escalating situation in the Middle East. The traditional old school risk management mind set is increasingly shifting to a more proactive, forward-looking preparedness mind set. This has required Chief Risk Officers to focus on operational resilience as banks seek ways to better absorb the shocks of an uncertain world. And emerge even stronger.
Operational resilience, which may refer to as non-financial risk 2.0, combines business continuity management, third party risk management and cyber risk management and is a necessary evolutionary step for global banking, which only last year faced a potential contagion crisis. In March 2023, Silicon Valley Bank collapsed and triggered a US regional bank run, bringing down Silvergate Bank and Signature Bank along the way.
What SVB’s collapse illustrated was that its risk culture was all wrong. People did not properly manage the balance sheet risk even though the bank had pivoted to using deposits to invest not in short-term investments, but longer duration US treasuries which then plummeted when the US Federal Reserve began hiking up interest rates.
In that respect, there was precious little evidence of a robust operational risk framework.
CRO Panel discussion: Operational resilience in practicewith Roxana Branowski, International Monetary Fund, Michiel Haasbroek, Banque Internationale à Luxembourg (Suisse) SA, Mutisunge Zulu, Zanaco Plc
The Leadership Forum - Arora Ballroom
Operational resilience places greater emphasis on banks’ abilities to handle these black swan events by shifting from a passive reactive stance, to a more proactive, dynamic stance that uses scenario planning and having playbooks in place to cope with shocks. Furthermore, this ensures that the bank’s risk culture and governance framework is also more robust, such that an SVB-type event would be far less likely to occur.
CROs are building on banks’ risk taxonomies and updating their business continuity plans and disaster recovery plans. Ultimately, the aim is to expand their existing framework to really focus on critical business services and address questions such as: What are our critical operations? Who are the material third parties we are most heavily reliant on? What are the scenarios most relevant to the organisation to test our critical services?
To simulate the impact of non-financial risks, institutions are engaging in live tests to stress test their operational plumbing and identify any vulnerabilities.
Regulators have picked up on the fact that the global environment is increasingly complex and seemingly in a state of ‘permacrisis’; a term coined by Mohamed A El-Erian who co-authored the self-titled book with Gordon Brown and Michael Spence. Incidentally, in 2022 permacrisis was voted word of the year by Collins Dictionary.
After spending a lot of time looking at financial resilience, global regulators are shifting focus to operational resilience, as evidenced by the introduction of the 2022 Digital Operational Resilience Act (DORA) in Europe. DORA outlines requirements for sound risk management in the financial sector, while in the US, the Interagency Paper on Sound Practices to Strengthen Operational Resilience provides guidance for financial institutions to shore up their resilience to internal and external threats that could cause wide-scale disruptions.
CROs must also consider the newly introduced EU Artificial Intelligence Act, adding another layer of complexity to banks’ risk and compliance frameworks. Organisations are now required to disclose what data their AI is being trained on, ensure that it’s safe to use, and go through risk assessments.
Technology innovation will certainly help banks as they look to build agility and take a more proactive approach to risk. Generative AI is expected to be a big enabler of risk management, as operations teams begin to use AI tools to help with reporting, forecasting, scenario and regulatory analysis. That said, technological disruption – and by association the increasing sophistication of cyber attacks – also presents operational risks. The introduction of AI technologies can lead to unforeseen vulnerabilities if not managed properly.
Geopolitical address: Reviewing a year in elections, the EU AI Act, and the regulatory implicationswith Dan NechitaHead of Cabinet for MEP, European Parliament
Global Risk Regulation Summit - Arora 2 & 5
Political unrest in the Middle East has significantly increased supply chain and country risk, requiring banks to carefully analyse how they operate. Consequently, CROs need to widen out their risk vulnerability frameworks to consider how, for example, regional conflicts are impacting global maritime shipping routes.
There are now several chokepoints including the Straits of Malacca (congestion) and the Panama Canal (drought) but the two highest risk areas are the Suez Canal and the Strait of Hormuz. Surrounding countries are all high-risk countries, like Sudan and Yemen which are facing severe political, economic and security perils.
Today’s modern CRO has to evaluate how these supply chain and country risks could impact the organisation’s operations at a global level. GCC countries depend on the Strait of Hormuz for the exportation of 20 million barrels of crude oil per day. In the Red Sea, the Suez Canal is surrounded by high-risk countries such as Sudan, which is experiencing serious civil war. Whoever has control of these routes, ultimately controls global oil prices.
The result of this is that maritime shipping companies are having to use alternative routes. The Cape of Good Hope is seeing a big uptick in daily maritime transit volumes, while the opposite is true for the Suez Canal because of the security risks.
If that wasn’t complex enough, climate risk must also be factored into one’s resilience programme. The El Nino effect has led to increased flooding in East Africa, Europe, with parts of southern Africa and Latin America experiencing heating effects. This has impacted the Panama Canal, leading to reduced shipping volumes. Disruption to cocoa and maize production in Africa is creating food price inflation and social unrest. Zimbabwe and Sudan had the 1st and 3rd highest inflation rates in 2023.
Operational resilience should not only protect banks against these volatile conditions, but also enable them to explore potential opportunities. In Africa, the mining of critical minerals is leading to geopolitical competition between the EU and the US. Both need to secure these supply chain ingredients to power the fourth industrial revolution and green energy transition.
Large investors – not only in China but globally – are returning to countries like the Democratic Republic of Congo to secure access to critical minerals, as they weigh up the political risks relative to the position of its copper and cobalt mines, which are located some distance from the country’s volatile borders.
In addition, western investors are collaborating to build up regional infrastructure. The Lobito Corridor, allowing exports from the port of Lobito in Angola, will revolutionise the way the West accesses critical minerals. These are opportunities for global banking groups, as they consider strategic growth options for the years ahead.
Supporting global companies in these pursuits will require CROs to enhance their analytical capabilities and foster agile risk management practices, to safeguard their organisations against potential disruptions.
The new era of operational resilience is well underway.