Operational Risk Case Study

Why was it difficult for financial institutions and global governments to respond to the risk of COVID-19 during the early phase?

In early 2020, as COVID-19 started its rapid transmission, there were a lot of assumptions around the scientific aspect of the disease. Hence, the range of controls available to different countries were often incorrect. It was especially  difficult for financial institutions to respond during this early phase as the risk posed first needed to be identified then evaluated, then mitigated and then monitored. Whilst some East Asian financial institutions had plans for a SARS style threat, however for most other institutions resilience to such events were small or often missing.

Typical business continuity plans involve the following processes:

• Incident management procedures, groups and ancillary processes
• Identification of key assets
• Disaster recovery sites for end-users and/or centralised IT hardware
• Committees and Governance to review management information
• Scenario testing for plausible and severe threats.

Even institutions that had plans, either through past experience or via scenario testing often found that they were inadequate or insufficient, especially with the quickening pace of the pandemic, the extensive government interventions in financial and non-financial spheres and employee and other stakeholder responses.

How did the UK Government respond to the threat?

On the 7th February 2020, UK government and its various departments said the following:

• The UK Department of Health & Social Care said there was a “Severe and imminent threat to public health”
• Public Health England (part of the Department of Health & Social Care) said “overall threat from COVID-19 was moderate” and that the risk to individuals was low

Risk evaluation was difficult due to mixed messages and frequently changing rules. Eventually, with more information on the risk of COVID-19, financial institutions coalesced a view that this was serious and a major threat to business operations. The pandemic also had heightened existing residual risks. As the risk profile changed, the risk evaluation process concluded that COVID-19 was a severe threat. This meant the risk response phase accelerated and resulted in a prioritisation of COVID-19 actions above other business-as-usual needs.

What were the concerns and tactical problems that needed to be looked at?

• Whether a bank’s IT systems could manage higher WFH concurrent logins
• Whether employees have sufficient IT equipment to WFH
• How to ensure compliance with regulations
• What MI can be created for senior executives

How can tactical issues around COVID-19 morph into wider enterprise-wide strategic concerns?

• Analyse HR policies and procedures to deal with COVID related sickness and an understanding of resilience through the lens of total sickness tolerance
• Processes and procedures needed to be built to support
• Government intervention in the lending market
• Whether markets were dislocated and whether the bank’s liquidity resources were safe
• Additional assurance testing was required over key controls to evidence their effective operation despite changed conditions
• Whether modelling such as the ICAAP or ILAAP was sufficient
• Whether integration with the Bank’s Recovery Plan was sufficient and well understood

These assessment and mitigation steps allowed the risk assessment cycle to revert to a more business as usual approach, returning COVID from being the top risk, to being a risk under management.