Sara Ricci, Former Head of Information Risk Governance and Resilience HBC, HBC

Below is an insight into what can be expected from Sara’s session at Risk Americas 2024.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

1. Why should financial institutions drive resilience programs in times of heightened volatility?

Resilience is about bouncing back from a disruption. It is about surviving AND thriving through a crisis.

The global financial crisis of 2008 and the COVID-19 pandemic that hit in 2020 each made it clear that a robust resilience program is key to survival of the financial system. We saw many large institutions fall by the wayside during these periods of uncertainty and heightened volatility.

Stresses in the system may be financial or operational.

While the Fed intervened to address stress during the financial crisis and again during the recent failures of Silicon Valley Bank and Signature Bank, organizations had to quickly adapt their operations to the COVID-19 pandemic. COVID-19 was a global phenomenon that left no sector untouched, including the financial institutions.

Although many financial institutions had worked on Pandemic Planning during the SARS crisis, it had a much smaller footprint, mostly contained to a limited geographical area, of a shorter duration and was not as catastrophic as the COVID-19 pandemic which very quickly became a global phenomenon, resulting in a situation that was quite volatile for several months.

Many organizations already utilized remote work as a recovery strategy for some critical functions but now the entire workforce had to work remote or some functions could not be performed at all for a period of time.

Our technology teams had to quickly come up with solutions to implement remote access for employees to work from home where they had not been utilized prior to the pandemic or ramp up the capability where they had some existing remote workforce to now cover all workers who worked on processes that could be performed remotely.

Therefore, we have seen that having plans in place to ensure a strong resilience posture helped financial institutions that understood how to pivot and orchestrate people, process and technology capabilities to continue business while minimizing impacts of disruption due to the crisis at hand.

There is no way of knowing when a crisis may present itself, whether in the form of a public health event, natural disaster or a widespread system outage due to a cyber or other technology event that impacts availability of people, technology, facilities and other assets, disrupting business processes. Business disruption results in not only financial loss but also loss of reputation. In the increasingly demanding regulatory regime requiring resilience of the financial system in order to protect consumers and the financial system as a whole, it is imperative that financial institutions establish, maintain and can validate their ability to be resilient to shocks from heightened risks of disruption.

Business Continuity Planning, supported by resilient Technology Recovery Planning and Emergency/Crisis Management Planning are key pillars of a Resilience program.

2. Why is it important to manage a number of geopolitical risks whilst staying resilient?

There are several heightened risks that require consideration.

Physical distance from volatile geographies is not enough of a cushion any more as geopolitical risks resulting from active war and unrest in Europe, Middle East and conflicts in other parts of the world have global impact. Today we have dependencies on other countries with global supply chains that have been disrupted.

This increases the cost of doing business and also of items for daily needs to support our lifestyle. Resilience programs need to include planning for Supply Chain Resilience and managing Third Party Risk from service providers and ensure that vendors have Business Continuity Plans that prepare them for maintaining critical service levels agreed on during a disruption. The components of software in the supply chain and sub service providers should also be resilient to any disruption or security vulnerabilities.

3. What impact do you foresee climate risk having on the industry?

Climate change is a source of physical and transition risks.

Climate risk is manifested in volatility in weather patterns with more frequent and intense severe weather events. The issue with Sea Level Rise is that there is a heightened risk of flooding with increased frequency and magnitude that can cause widespread destruction of property and loss of life. Changes in weather patterns such as increased heat or cold, where infrastructure is not capable of taking on the additional demand, increases the vulnerability of the population to life threatening extreme heat or cold. Therefore, physical risk due to climate change is related to destruction of physical assets and harm to life due to extreme weather events which are occurring at an increased frequency.

Resilience of critical infrastructure is an imperative required by the US Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience. The financial system is one of the 16 critical sectors covered by this order. While it is dependent on utilities to run its processes, the financial sector itself is critical for ensuring resilient payments processes for functioning of the economy.

Transition risks faced by financial institutions are related to climate change mitigation through climate policies, development of green technologies or reorientation of financial flows and consumer preferences from high to low-carbon activities. So, a change in business strategy or development of new financial products would require resilience planning that takes into account the criticality of processes, people and technology that support these climate related products.

4. What are the key concentration risks with cloud providers?

The move to the cloud has created opportunities for minimizing the on-prem footprint with increasing workloads in the cloud “data center”.

This results in less dependence on physical infrastructure, facilities and people resources to be directly managed and maintained.

However, with increased dependency on a third party, namely the cloud service provider, there is an increase in the Third Party Risk to be managed. The cloud provider must be assessed for its security posture based on the service it provides, the sensitivity of the data in the cloud and its stability in the market as a reliable business partner.

It is important to have a clear understanding of security in the cloud, who is responsible for securing what part of the entire environment and roles and responsibilities during a disruption. The contract should include provisions for return of data in the cloud and an exit strategy in case of unsatisfactory provider performance.

Cyber resilience requires continued focus. The financial system, which includes markets, nonbanks, and banks, is subject to cyber risk and to operational risks in general. There is continued supervisory scrutiny on ensuring that financial institutions are making the investments in prevention of cyber incidents and in capabilities to respond and recover in a seamless, timely manner.

The ability to switch to a different zone or region of the cloud infrastructure with minimal lag to ensure high availability is one of the benefits of leveraging the cloud based on the level of cloud service one pays for. A higher level of resilience can be achieved also by avoiding cloud concentration risk by having a multi-cloud strategy. While organizations focus on a few strategic cloud providers to reduce IT complexity and cost, it ties them to those few providers. Also, regulatory regimes have an uneven view of concentration risk, anti-competition, data sovereignty and privacy rules for cloud services.

What can be the impact of concentration risk?

• The higher the number of applications in the cloud, the higher the dependency on the provider and risk of disruption from a cloud outage
• Dependency on one vendor may limit the organization to that provider’s technology offerings
• Regulatory compliance risk may occur as different regulatory regimes may have different views on concentration risk

Therefore, a Business Continuity Plan that accounts for dependencies and risks should be maintained and tested to ensure that the organization can be resilient in the event of a cloud service disruption.

5. How can financial institutions effectively enhance their resilience post pandemic?

As the events of COVID-19 showed us, organizations must be flexible, always learning and plan for disruptions such that recovery is scalable as the event unfolds, in order to face uncertainties successfully. Strengthening financial buffers helps in responding to supply chain disruption, societal changes and emergence of new technologies. The lack of information at all levels was a key obstacle to timely and quick decision making. Establishing better public-private partnerships would help enhance resilience planning and ability to respond and recover from disruption due to better communication and information sharing.

Scenario planning, testing of recovery plans and incorporating the new reality of work from home to some extent, at least partially, into an updated business model should inform the Business Continuity Plan.

Collaborating across the organization, leveraging Enterprise Risk, Operational Risk, Cybersecurity and other capabilities across the financial institution to mitigate the risk of disruption in a holistic manner, would be more effective in managing resilience than operating in siloes.

Financial institutions that are successful in enhancing their resilience posture in the post pandemic era, based on lessons learned during COVID-19, will not only improve their bottom line by reducing the costs associated with loss of business due to a disruption, while being better situated to comply with regulatory expectations for resilience of the financial sector, but also gain competitive advantage.