Is there a gap between past pandemic scenario analysis and the reality today for financial services firms in the middle of the Covid-19 lockdown? This blog examines four key questions boards and C-suites could be asking their risk teams, to reshape pandemic scenarios and better connect them with the firm’s risk appetite going forward.
As a result of the recent global Coronavirus Crisis – as well as the UK Financial Conduct Authority’s (FCA’s) ongoing work around operational resilience – boards and C-suites are beginning to ask important questions of their risk teams about the pandemic scenario analysis work firms have undertaken previously. These senior stakeholders are wondering if those pandemic scenario practices are reflecting what their organizations are experiencing today in the middle of the Covid-19 lockdown. Four key questions to ask are:
How have the firm’s pandemic scenarios been structured in the past?
Often the pandemic scenario workshops that firms completed were conducted in a “greenfield” way, based on a hypothetical event. The greenfield approach was used to minimize the pre-existing biases of participants and increase the chances that creative thinking could produce ideas about potential emerging risks. To further encourage “thinking outside the box,” the scenarios used were extreme – total failure of a piece of technology infrastructure, such as the settlements system, for example. Outcomes of these exercises were usually focused on disaster recovery activities in a severe situation. These “all or nothing” scenarios have their place, and can help firms to understand what is needed if a whole system does go down. However, this sort of analysis does not help firms understand what happens if a business process is partly compromised, and often the outcomes of the “all or nothing” scenarios were not mapped to the existing risk and control framework or taxonomy.
What role have risk and control self-assessments (RCSAs) played in past pandemic scenario exercises?
The thinking about the relationship between operational risk elements, such as RCSAs, and operational resilience, is changing as a result of recent work by both regulators and the industry. Operational resilience is the ability of firms, financial market infrastructures, and the sector as a whole to prevent, respond to, recover and learn from operational disruptions. Operational resilience is an outcome, like financial resilience, and it is the outcome of risk and organisational processes. So, by definition, operational resilience needs to be connected to, and be informed by, the firm’s operational risk programme. One logical outcome of this is to rethink how scenarios are completed, including pandemic scenarios. It now makes sense to base a scenario on the flexing of existing risks and controls, by analysing the impact of the scenarios on RCSAs. This enables a more structured approach to scenarios, which is capable of supporting a granular analysis of the impact of events. Importantly, it also enables this analysis to be linked to the existing operational risk framework.
How well does the firm understand the impact that a significant deterioration in controls on a business process might have?
Up until now, most scenarios have been event-driven and binary in nature – for example, the settlements system stops being available. Firms often do not explore what would happen if the controls around a business process deteriorated – say 30% – instead. Now, firms that are seeking to improve their understanding of their operational resiliency are focusing on an analysis based on the sensitivity of the changes to an RCSA assessment.
Firms are seeking to answer the question, “How much do our controls need to deteriorate by before we start exposing the firm to an expected loss outside of appetite?”
How does the firm analyse the impact of controls deterioration on the overall risk appetite?
Analysing the impact of a deterioration in control effectiveness – a potential decrease in an RCSA score for that particular control – requires risk management software designed for this task. Attempting to do this manually, using spreadsheets, could result in errors as linkages between risks and controls could be missed – a control could have relationships with multiple risks in different ways. Chase Cooper’s Risk Intelligence Module is specifically designed to fit a curve around risks and controls, and allows a firm to analyse the impact of changes in RCSA scores by individual risk and individual control. This allows a much more granular approach to scenarios.
In summary, one of the likely outcomes of the current crisis is going to be an overhaul in how scenario analysis is conducted. While “all or nothing” scenarios will always have their place, increased focus will be put on helping boards and C-suites to better understand what happens if there is a degradation in the risk and control environment instead. Firms will also seek to better connect up this work to their risk and control frameworks.
For more information on pandemic scenarios, operational resilience, and risk management software to support firms’ work, please do contact us.