Operational Resilience Post COVID-19
As businesses recover from COVID-19 they find themselves balancing new demands from regulators with rapidly changing business models.
As businesses are recovering from COVID-19 they face a much-changed world. The pandemic highlighted the need for action on operational resilience, and regulators have seemingly moved as one to require a new approach while new ways of working complicate the risk landscape. While business is returning to something approaching “normal”, compliance teams will be balancing many different issues.
Outcomes-based regulation
The first issue is how regulators are changing their expectations. The most important of these is the focus on outcomes-based regulation.
Speaking at the UK Finance Webinar, Lyndon Nelson, deputy CEO of the PRA, acknowledged that their focus comes from a desire to steer clear of meaningless box-ticking exercises.
“We heard from, and agreed with, industry contacts that the explosion of operational resilience and cyber standards risked shifting the effort of firms towards regulatory compliance and away from risk management,” he said. “Furthermore, industry added to our to-do list with a request from more than one location for harmonised global standards not just of regulation but also supervision.”
In other words, they want regulation to be less prescriptive and to focus on outcomes. This is something that firms have often said they want, but this more holistic approach may, in the short term, make things more difficult.
As stifling as the old way might have been, it was relatively easy to tick off each requirement and show compliance. This more holistic approach, on the other hand, makes things somewhat more fluid.
Changing business models
The other challenge businesses have to focus on is how operational resilience is changing along with the world of work. COVID-19 has been a game changer for businesses. Overnight they had to shift into a remote working pattern, holding together teams in many different locations.
For the most part, it worked. Business models proved more resilient than many feared, and remote working, which was rejected by some, proved so successful that some firms plan to keep it for good.
This shift greatly accelerated the uptake of technology, particularly using cloud-based collaboration software, contributing to a surge in the use of third parties - which creates a multitude of operational risks.
Firms will have to establish how they manage the risk of data loss coupled with the uncertainty surrounding third-party relationships. Each of these has the potential to create new vulnerabilities which existing operational resilience measures are ill-equipped to handle.
The race is very definitely on for compliance teams to both adjust to the new normal and satisfy the changing demands of regulators.
In doing so, it is perhaps wise to realise that this is not going to be an overnight process. The first stage will be to perform a gap analysis so that firms understand where their shortcomings are. This, for the time being, is perhaps the biggest challenge facing the financial world. It’s not just that their business models are open to risks; it’s that many teams currently have little idea where their vulnerabilities are to be found. Identifying and plugging those gaps is the first and arguably most important task in building operational resilience.