What comes to mind when one pictures resilience? How should banks be resilient in today’s world?
“We’ll start with the definition,” said Laureline Senequier, director at Deloitte Luxembourg. “Operational resilience is the capacity of the organisation to be prepared for disruption and to adapt and thrive to a changing environment.” It’s not just defensive. Resilience also needs to be progressive, allowing organisations to handle more complex events and to be prepared for the future.
Jean-Philippe Peters, partner at Deloitte Luxembourg, used Rocky Balboa as an image of resilience. The boxer trains hard, prepares for fights, absorbs the risks, then progressively adapts to his environment, adapts to his opponent, counter-attacks, goes on the offensive, and at the end of the fight, wins the game.
“That will be a nice summary for being a resilient organisation nowadays. When you think about the uncertainty in which we are living, and the unfortunate events that occur around the world, this uncertainty is something you need to take care about,” said Peters. “More than ever, being resilient is important for banking organisations.”
Crises are not new for banks, added Senequier. But “we actually see that the frequency and intensity of crisis has considerably increased in the last 10 years.”
Connecting the dots between clusters of risks
“There is actually a certain number of clusters, of topics, on which we have to be resilient,” said Senequier, which include financial risk, strategy and reputational risks, operational risk and cyber risk. “These subjects are interconnected. Now the regulator is seeing that interconnection, and the regulation that has been published is looking at those subjects and that interconnection also.”
Businesses have to “connect the dots” and to see the link between these blocks and regulations, as that will allow better implementation, said Peters. “More and more, when you look at the regulatory text, you can see the references and the cross connections between the different texts. So looking at the overall picture is very important to start with.”
A “recipe” for resilience
So how can companies be resilient? There are common characteristics, “the different ingredients of that secret recipe of resilience,” said Senequier. Companies have to understand and identify risks, put in place measures to manage issues and prevent crises, be capable of responding in case a crisis occurs and learn from experiences.
“You have to know what risk you are exposed to. If you’re a bank more in the wealth management part, then potentially, the risk exposure to reputational risk is larger, while if you’re a bank in more capital markets, then maybe it’s more on the operational [side],” Senequier said.
“Knowing yourself, knowing your risk--because you are that bank, or that other bank--is really important,” she explained. Then it’s key to prepare to receive ‘hits.’ That’s about preventing an issue, preparing for an issue and managing the issue. Some of these issues happen on a regular basis, “but then on the other side, you can have a crisis. Crises are bigger, less frequent--you don’t expect them to happen, but sometimes they happen. And you have to be able to respond to that crisis, recover from it, and come back to business as usual.” Once the crisis has occurred, businesses can then learn from the experience.
Dora and sustainability regulation as examples
Senequier used Dora--the digital operational resilience act, which entered into force at the beginning of 2023--as an example. “It has four dimensions. The first dimension is ICT risk management. If we look at our secret recipe, it means that ICT risk management is about knowing your risk and being able to manage those risks,” she said. Part two--crisis management--involves the reporting of major cyberattacks or ICT incidents.
Pillar three is digital operational resilience testing. “You need to train yourself and train the defence system of your information system,” said Senequier. “And last but not least: ICT third party risk.” Sometimes, ICT systems are handled by third party providers--it’s key to manage the risk and issues linked to these providers as well.
Those common aspects of a resilience strategy not only apply to Dora, but also to sustainability regulations like SFDR, or the sustainable finance disclosure regulation. As of 1 January 2023, companies must comply with the regulation and disclose sustainability-related information, Peters reminded attendees at the conference.
In itself, it’s an important regulation that will have an impact in 2023, but it’s key to “connect the dots,” said Peters. “A lot of new provisions have been added to this framework around sustainability and climate finance, including a public report with indicators,” he said. “So the information provided there is, of course, very important, and you need to make sure that it is correct, accurate and complete.”
Key takeaways for resilience in the exco agenda
The first element is to set a goal, said Senequier. “Choose your resilience objective as a strategic decision.” Banks have to decide how strong they want to be to resist issues and crises. “Once you set a target, you have to assign the right budget and the right governance for this.”
“The exco also has the right perspective to connect all those topics together, connecting the different silos, between the different experts within a bank,” she continued. “And last but not least, if you set a target, make sure that you’re still on the right track. So you have to monitor any deviation [from] that target you are setting.”