COO Magazine Q2 2023


The COO leading through perpetual crisis

Since 2008 and a crisis of its own making, the banking community and its siblings within financial services have lurched from one crisis to another.

Each had its differences and similarities, with the four notable 21st century crises (leaving the pandemic and collapse in economic activity aside) including:

1. Argentina 2001 – 2002, leading to the country’s government losing access to capital markets.

2. The 2007–2009 global financial crisis, considered the worst global economic crisis since the Great Depression.

3. Falling commodity prices following the annexation of Crimea from the Ukraine in 2014 led to the partial collapse of Russia’s economy, followed by the full Russian invasion of the Ukraine in 2022 which has led to unprecedented sanctions by the West, and unexpected deep-rooted worldwide economic impact.

4. The 2023 bank upheaval with the failure of the US banks Silicon Valley and First Republic, and the Swiss banking giant Credit Suisse.

Managing the business through crisis is the principal responsibility of the COO. Reacting to such events and coordinating the response to them is a mainstay of their mandate. As we exit the recent regulatory era, much linked to the 2007–2009 crisis, the attention of the COO is shifting to managing what many believe to be the challenge for the coming epoch, non-financial risk.

Shifting the attention to emerging risk and horizon scanning will be key to effectively meeting unforeseen challenges and events, getting on the front foot and building in operational resilience to minimise impact.

Conversely, since 2008 much of the attention of the COO has been inward and backward facing, tasked to ensure the events and practices that led to the crash do not happen again. You can argue the comparatively smooth execution of business by the industry to deal with the failures of Silicon Valley Bank, First Republic and Credit Suisse is testament to the embedded resilience of the industry born from a decade plus of post-Credit Crunch regulation, matched by the industry’s determination to tidy up its own backyard.

There is no doubt the regulatory ripples of 2008 have ensured banks are no longer as vulnerable as they were pre-financial crisis. They have faced an unprecedented level of regulatory scrutiny and are far better positioned from a liquidity perspective. Albeit, the demise of Credit Suisse demonstrated the exposure of any bank to a market run on its reserves, whilst conversely the expediency with which the Swiss regulators, government and UBS responded to the demise of Credit Suisse showed that lessons had been learnt. Decisive action was taken to avoid contagion.

Capital and leverage ratios for banks are now significantly stronger and the so-called “too big to fail” global banks have never been better positioned from a solvency and liquidity point of view going into the next potential recession. Banks are also less complex and face harsh stress tests annually to check their ability to withstand severe losses.

It has been an intense and demanding period for the industry to get it to this point, with much of the responsibility to do so resting with the COO and their supporting teams dedicated to regulation, controls, governance, risk and conduct.

The challenges of the 2020 pandemic once again exposed the financial system, albeit this time for a very different reason. Governments around the world invested taxpayers’ money, this time into their economies as opposed to the banks, again using unconventional monetary policy to prop up commerce and industry and directly support a workforce mostly put on pause.

Additionally, the tasks for the COO in navigating their company through the pandemic were layered and complex, with the overriding challenge being staff management, morale, productivity and maintenance of the culture. Post-pandemic, and with a return to normal working conditions, things are far from normal for many companies, as they are now dealing with the adoption of hybrid working patterns that were granted with little evidence to truly understand the medium to long-term impacts of assuming such policies.

In 2022 Russia invaded the Ukraine. As with the pandemic such an event was plausible, even probable. In both cases the industry’s propensity to look at the today and the near horizon allowed a collective failure of the imagination to prevent the industry being better prepared for either event.

Step in the regulators. Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To do this, the policy required firms to establish robust plans for ‘severe but plausible’ risks earlier this year. Created alongside the Bank of England and the Prudential Regulation Authority (PRA), the policy came about in response to Covid-19, and regulators wanting to prevent a similar situation from occurring. Moreover, the impact of the Russian-Ukrainian crisis and the ongoing rise in cyber-attacks all point to companies needing to achieve, embed and prove a heightened level of operational resilience.

What is operational resilience?

The FCA and PRA define operational resilience as the ability of financial services firms and the financial services sector to:

 “prevent, adapt, respond to, recover, and learn from operational disruptions.”

Similarly, the Basel Committee (on Banking Supervision) defines operational resilience as “the ability […] to deliver critical operations through disruption”. Globally, almost every regulatory jurisdiction has adopted and communicated a requirement pertaining to operational resilience.

Essentially, all relate to ensuring that your organisation has contingency plans and risk mitigation strategies in place. Why? So that you are as prepared as possible for adverse scenarios. This should prevent harm from manifesting or will help you to recover more easily if something does go wrong.

As a principle-based regulation, the industry is now navigating its way through the ambiguity of such a policy communication. Not until a company is hauled in by the regulators and considerations, observations or criticism made will there be a reference point as to what looks good. Regardless, the approach adopted is unfolding, being a holistic, horizontal one, bridging across established vertical silos and establishing the references for the low and high bar, and what country nuances need to be accommodated at local level, but not necessarily globally.

As the industry moves forward with its planning, it is generally accepted there are five key ‘pillars’ of resilience:

  • Risk Management
  • Information Security (including Cyber Security)
  • Incident Management (including Crisis Management)
  • Business Continuity
  • Disaster Recovery

The COO community are well placed to work together on this common, market-wide, non-proprietary challenge and to build a consensus on the five points or others noted above. Sharing thought and action on how best to build individual and collective resilience will help all, their clients and the global society the industry serves.

In an era when one form of crisis appears to seamlessly dovetail into the next, the role of the COO to lead their companies through continued crisis will be significantly aided by an evolving approach to operational resilience, just as they will be aided by their interconnectivity affording peer group insight into how best to build resilience. In doing so, they will create a more robust, reliable industry prepared for the unlikely and the unforeseen, let alone the possible or plausible.

Maurice Evlyn-Bufton

CEO, Armstrong Wolfe

Workforce Management: Caught in the hybrid cul-de-sac

The honeymoon period for hybrid working is over, the hopes of a new epoch in working practices have hairline cracks, and companies that embraced this new dawn are facing difficult decisions. It is too simplistic to draw a line mid-Atlantic to define where banking and asset managers position themselves on workplace policies; those west of it steadfastly committed to staff being in the office, those east of it embracing hybrid working models.

American banks have largely remained committed from the outset of the pandemic to an ‘all back in the office’ mantra, with Goldman Sachs and JP Morgan Chase CEOs David Solomon and Jamie Dimon commenting that working from home is an ‘aberration’ and ‘doesn’t work’ respectively. Wells Fargo, Morgan Stanley and Bank of America’s policies are in line with JP Morgan and Goldman Sachs. Citi is a lone star in the US amongst the bulge bracket banking community, with its CEO, Jane Fraser, choosing to differentiate Citi by adopting a variant of hybrid working. Elsewhere in the Americas and north of the US border, the Canadian banking community appears committed to hybrid working.

Managing vendor relationships

Vendor relationships are like a marriage, in that both parties to the contract need to have a mutual interest in seeing the relationship flourish and succeed.

Each party must have a good understanding of the other’s capabilities, current needs, future growth plans and desired outcomes for any dependants before the marriage contract is signed and the delicious 3-tiered cake is cut. But this knowledge alone is not what makes a couple click – they need a special connection that cannot be quantified.

COO Operational Resilience versus Agility

Questions arising for the COO in relation to agile and operational resilience working in harmony:

1. How should the COO navigate this delicate balancing act between both operational, even organisational resilience, and business agility?

2. What are the real challenges and issues in trying to balance resilience on the one hand and agility on the other? How conflicting are they?

Leading your organisation to stronger cyber resilience through multi-tiered exercising

Organisations are facing a complex cyber threat environment that is increasingly impacting business operations and resiliency.

Cybersecurity incidents such as ransomware, business email compromises, and spear phishing can have wide-reaching impacts on organisations’ operations and bottom line.

24 things on the Chief Control Officer’s Mind

March 2023 iCOOC Control and Business Risk Survey

Q1 Chief Control Officer Survey: What are the 3 top things you wish to debate with your peers in Q2 2023?

In March 2023 iCOOC members participated in a Control and Business Risk survey. Despite a pressing need to adapt operating models and securing funding to further develop emerging risk

3 of 24 things on the Control Officer’s mind

Chief Control Officer Forum, London 18th April 2023


1. What’s in a name?
2. Can you measure culture?
3. Emerging technologies

Behavioural Risk Management

David Grosse - Advisor to Galaxy Sciences and Armstrong Wolfe Behavioural Science consultant

Developments in big data analytics and behavioural science are driving new approaches to the understanding of culture and behavioural risk within Financial Services. In a companion article in the Q1 edition of this magazine we set out two trends for 2023 and beyond that will inform the approach to cultural and behavioural insight in financial service firms…

SMF24 COOs Roundtable Dinner

Host: Barbara Diette, UK COO, State Street

6.30 pm – 9.00 pm, June 20th 2023

State Street, 20 Churchill Place, London E14 5HJ

Join us for an open discussion on principal concerns, best practices and a targeted debate on decision rights with Group and/or HQ; addressing lack of progress on regulatory implementation and governance.
