How Continuous Risk Assessment underpins Operational Resilience.
A key theme – perhaps the overriding theme – for Financial Services in the last 15 months has been Operational Resilience. An observer might suggest that low levels of noise on this topic reflect the Banks’ keenness to avoid scrutiny, by not raising flags about the challenges they have faced.
Whilst working from home has been a boon for many people, personally and professionally, it is undeniable that systems and procedures have been stretched. Few Institutions have not wondered whether ‘things’ could and should be better – ‘things’ being data security, quality of communication, immediate access to data (and data and access that persist over time), as well as more sophisticated systems, processes and procedures that preserve the integrity of that data while providing both an opportunity and a means to keep it current.
The concept of Continuous Risk Assessment (CRA) is not new, and it has been achievable for many years. It is but one part of Operational Resilience. Using email and Excel spreadsheets has never been the way to go, but many are now contemplating a concerted effort to move away from this far-from-riskless approach. The genesis of this effort, as always, is good, clean, consolidated data, which acts as the basis for CRA. Having a library of templated documents and procedures to call upon is the next step. Initiating a process, almost certainly as part of a wider programme, can then be managed entirely within the same platform, and ideally this should be done at the outset of any new relationship. It can of course be introduced at any time as an upgrade to current capability.
Clever platforms then extend that capability beyond simple drafting and authorisation into secure publication and receipt of responses, including the ‘consumption’ and scoring of those responses. Sophisticated processes permit perpetual assessment to take place: by placing a rolling responsibility on a Provider to submit updates, those updates can have an immediate impact on SLA management and performance reviews, and can feed alerts and updates directly into the risk management function.
The proposed Digital Operational Resilience Act (DORA), put forward last year, will be another consideration for Network and Vendor Management teams aligned with Operations and Risk. It has slipped by, unnoticed by many. The EU is seeking to impose tighter controls around incident response and reporting, together with improved third-party risk requirements and monitoring, for firms operating within the EU. Without the right systems or platforms in place, this represents a very serious challenge from both regulatory and operational standpoints; addressing the latter in a coherent way will undoubtedly help address the former. It also brings aspects of EU regulation more in line with some of the OCC’s guidelines in the United States.
DORA heightens the need for a coherent data strategy, which naturally precedes a digitalisation strategy. To satisfy that need, systems must be robust, maintainable, extensible and secure, and able to evolve while continuing to deliver that functionality. Keeping pace with change, technically and functionally, is best achieved using platforms like MYRIAD to underpin Operational Resilience, providing the framework for Rolling Due Diligence, Continuous Risk Assessment and Rolling Risk Reviews.
CEO, MYRIAD Group Technologies Limited, June 2021