The new horizon for risk and resilience

On the brink of regulatory change, the financial services industry is reshaping its own future by putting risk, resilience and reputation at the heart of corporate strategy

The Prudential Regulation Authority, the Financial Conduct Authority and the Bank of England jointly issued a paper outlining a stronger regulatory framework to promote operational resilience across the financial services sector. It determined that resilient organisations are those able to respond effectively to disruption, adapt their systems and learn from crises.

Meeting that standard is a tall order indeed. But for banks operating both within the UK and globally, operational resilience is achievable.

“It seems to me, that the focus of the regulators is absolutely right,” says HSBC UK’s chief compliance officer Ralph Nash. He adds that the interest of regulators in operational resilience is inherently linked to the industry’s ability to continue operating through disruption. If companies are unable to do so, the risks begin to crystallise. “This isn’t a phantom risk; this is a real risk. And we’ve seen it. We’ve seen it damage franchises. And we’ve seen it damage reputation.”

Nash joined a panel of compliance and risk leaders at a recent roundtable examining risk, resilience and reputation in the financial services industry. “Operational resilience is the ability to fulfil your promise to your customers and the ability for you to actually deliver on what you say you’re going to deliver,” says Rich Cooper, global head of financial service go-to-market at operational resilience consultancy and software company Fusion Risk Management.

The panel agreed with Cooper and Nash, while also discussing the difference between resilience and disaster recovery. Covid-19 was a crisis that few could have expected. But the ability of banks to not only survive, but thrive, during the pandemic is an indication they had strategically considered where their risks were and developed plans to address them, regardless of the landscape. Doing so allows an organisation to protect its reputation, thereby ensuring resilience in the future.

Achieving this, however relies on the alignment of internal processes. Long has the sector been plagued by internal silos where data – and potential risks – are segregated by team or stakeholder. Cooper says that Fusion Risk Management’s technology helps companies gain insight into risks across the business, and across the sector more broadly, in order to build a more robust picture of risk. The integrated nature of modern reputation means financial services institutions are breaking down these silos to analyse the organisation’s overall resilience.

Paul Barrett, chief risk officer at AIG UK likens this to ‘reversing the telescope’ to examine the organisation from the customer’s point of view. “Our internal processes will always support the customer, but the prioritisation may actually look different if you’re coming at it from the customer’s point of view, rather than just thinking about the which are the biggest internal departments or where the biggest costs are. That may not be the same metric that the customer would use,” he says.

The customer focus means reputation matters more than it has ever done before. Nash adds that social media means a simple app outage – for example – can appear on social media within minutes, turning a lack of resilience into a reputational issue for the bank and a service and potential conduct issue for customers.

Toby Mason, chief operating officer at Allica Bank, a younger company catering to SMEs, agrees: “We’re drastically impacted a lot more than the big banks if we get things wrong, in particular, if we get things wrong for our customers. Resilience for us is a life and death matter.” He adds that resilience relies on agility. “We’re a speedboat in a world of super-tankers. Although a large super-tanker could theoretically crush us, we are able to turn quickly and adjust our course. That ability to react very quickly helps to build resilience and competitive advantage.”

Even for the larger banks, agility resonates as a strategy toward achieving operational resilience. The challenges posed by the pandemic proved this time and time again. “Historically, banks have been worried about keys and cash. What they should also be worried about is data and systems,” says Nash. “To be resilient, you’re solving for your current and future business model, not your past one.”

If we’ve learned nothing else in the last few years it’s that these black swan events are going to happen. Agility is the only chance that we have to respond to some of these things. We’re going to need to respond in real time and make decisions on the fly

Cooper similarly says the pandemic has heightened the need for resilience. Because Covid touched every element of the organisation’s operations and strategy, companies had to consider their people, their systems and their digital strategies cohesively. That has in turn accelerated operational resilience and risk management.

Risk, resilience and reputation are clearly connected,” says Barrett. When considering operational resilience, as an insurer, AIG has to consider the impact third-parties may have, what matters most to the customer, and above all, focus on the critical services that customers rely on. Ensuring risk is mitigated and the company is resilient has helped it maintain its reputation throughout the pandemic; a sentiment shared by the panel.

But it’s not just the organisation itself that is in control of its own destiny. Relationships with third parties, customers and regulators all shape an organisation’s strategy around operational resilience. David Glendinning, UK head of risk, Société Générale, says: “The way our stakeholders look at it, including regulators, proves that financial services is a process chain… Unfortunately resilience is one of those areas where you won’t get much credit for doing well, but you will attract scrutiny if you get it wrong. For this reason, we don’t have an appetite for this risk in a business sense, but must determine our tolerance level.”

However, the challenge still lies in committing to change. For organisations large and small across the sector, resilience relies on a level of strategic foresight that has been challenging to implement. “Future resilience requires deep technological investment and innovation. That goes beyond the typical three-year planning cycle,” says Blair McAuliffe, VP regional chief risk officer EMEA at Metlife. “It can conflict with more immediate business priorities. But, what I’m seeing, particularly since the pandemic is stakeholders talking about a much longer-term view. And that’s reflected in what many companies are now doing in terms of digital investment and innovation.”

Mason adds: “If we’ve learned nothing else in the last few years it’s that these black swan events are going to happen. Agility is the only chance that we have to respond to some of these things. We’re going to need to respond in real time and make decisions on the fly.”
Cooper echoes that commitment to agile decision making and says that informed decisions are crucial to operational resilience, particularly during times of change. Data and insights helps companies make these fact-based decisions and mitigate risks.
As the new regulations come into place around operational resilience, it seems the financial services industry is well-equipped to meet new challenges. Companies that remain agile in the face of change will ensure that operational resilience truly becomes the new horizon in risk and reputation management.

For more information please visit

Sponsored by

Fusion Risk Management