COO Magazine Q3 2024

A perspective from Armstrong Wolfe’s COO

Piers Murray
Armstrong Wolfe

Piers has over 30 years of industry experience before joining Armstrong Wolfe as its COO. He is the former Global COO Markets, BNY Mellon, was global co-head of listed derivatives and clearing at Deutsche Bank and as a managing director at JP Morgan, worked within OTC interest rate clearing, global credit risk and credit portfolio trading.

Operational Resilience has been defined in multiple ways through the course of viewpoints submitted, and the costs of failure to be operationally resilient have been well described, so I will focus on a couple of less explored areas:

  • The delta between business objectives and resilience requirements established at a firmwide level
  • The human component of resilience, including leadership in a crisis, the true value of simulations

The value of a Risk Appetite Statement (RAS)

For many years banks have been required to document their risk appetite, defined as: The aggregate level and types of risk that an institution is willing to accept, or to avoid, in order to achieve its business objectives. 

A firm with multiple business lines must prioritize resources to its most valuable business lines first, on the basis of actual cost to meet the stated RAS objectives plus the opportunity cost associated with not doing so, the latter which comes in the form of quantifiable negative reputational, regulatory and client feedback. 

The appropriate place to quantify these risks and the desired outcomes is in the RAS; this document provides a basis for a common understanding across the LoBs and across the firm of the relative prioritization of risks and responses.

In the multi-threat environment we face today with state actors describing “asymmetrical warfare”, financial institutions need to plan for multiple concurrent risk events that will test their operational resilience.  The response may require a “crisis cabinet”, reallocation of senior resources to lead the response, as well as a prioritization process that is clearly articulated.

An effective RAS lays the foundation for subsequent crisis management, as it will lay out the risks, and give a sense of priorities enabling not just the executive leadership but also rank and file to understand and get behind the firm’s response.

The Human Component & Simulations

Leadership, clarity of thought and communication are all key elements of a response to a crisis. Unfortunately, these events are rarely tested in practice on a firmwide basis, but generally covered in one-off, time and seniority limited exercises, with little consistency in feedback to participants, value attributed by senior management, or solutioning from lessons learned: these tend to happen only after real-life events occur.

Risks identified in the RAS need playbooks, but taking comfort in the existence of playbooks without creating institutional muscle memory through simulation doesn’t lay the ground for surviving “first contact.”

Senior leadership engagement with cyber, default or other risk simulations has typically waned with time post crisis or post regulation. There was no playbook for banks to deal with the invasion of Ukraine: it took the combination of multiple playbooks simultaneously, BCP, default, cyber, sanctions to respond to that event.

Simulations that were undertaken for each of these playbooks without the participation of the senior leadership wouldn’t have helped decision-making process at the exec level without witnessing the process and give and take of the simulations. 

This is where some new thinking needs to come in: simulations provide the muscle memory to participants for the engagement model needed to respond to a crisis.

The value builds up over time through alternate scenarios and one up/one down participation. Firms need to expressly value the work put into live simulations, to incentivize participation, to extend learning down into the organization and to keep increasing the challenge provided by the simulation over time.

Well conducted live simulations with active executive management participation are worth significantly more than rote training modules. Bringing third-party vendors into the simulation would be an incrementally positive step that firms can take.

Just as simulations provide internal learnings, public events that create an environment of stress for an organization do the same and need to be accompanied by an increased flow of timely communication for the organization to fully rally to the occasion. 

While both political and legal considerations risk curtailing needed words of encouragement to the troops, management needs to find a way to communicate the urgency with which it is responding and expectations of the teams to help manage the portfolio of risks, expected and unexpected, that have surfaced. (These communications are another process than can be tested in an effective simulation.)

Lastly, an effective post-mortem process to every crisis is also vital, as findings need to be acted on and can also provide material for future simulations, creating a virtuous cycle of simulating, upskilling & process improvement all of which contribute to operational resilience.

Also in this edition...