The journey to an outcomes-approach to operational resilience

Operational resilience may be the latest buzzword that regulated financial institutions need to learn, but it’s not a new concept. The emphasis on resilience to operational disruptions is just the flip side of the management of operational risks. But the shift in language reflects an important evolution in regulatory philosophy - toward targeting good outcomes for companies and their customers, with accountability on the company to achieve those outcomes.

This shift in thinking results from decades of regulatory experience with enforcing more and more standards, checklists and processes, which have not resulted in any obvious reduction in operational failures among regulated financial institutions.

APRA’s new standard CPS 230 is, in fact, largely a restatement and to some extent a streamlining of existing prudential requirements. What’s new is the expectation of a more comprehensive and outcomes-focused approach to operational risk management across business units and across the traditional risk and compliance silos of business continuity planning, outsourcing and information security.

The outcomes focus is evident in the requirement that financial institutions set their own risk tolerances for resilience outcomes, and demonstrate that they are managing to those tolerances. To do this, the operational resilience mindset starts with the critical business processes and product/service operations, rather than risk management teams, processes and controls.

To understand the shift in mindset that is occurring, it’s useful to consider how we got to this point.

Operational risk management as a discipline came into the regulatory gaze back in the 1990s after a series of rogue trader events at major global banks. At the same time, banking regulators from around the world were working on a new and (it was thought) more sophisticated regime for calculating capital requirements.

For a bank, capital on the balance sheet is critical to absorb unexpected financial losses and can help quantify and price risk. But capital comes with a significant cost to profitability, so, despite these benefits, banks have an incentive to minimise capital requirements.

A push by global banks for a more ‘scientific’ (and less costly) approach to model possible future losses for traditional bank credit and market risks led to the Basel II capital reforms in 2004. The thinking was the operational risks could also be managed in terms of financial loss impacts and risk-adjusted returns.

Under Basel II, banks would be accredited by their regulators to model regulatory capital requirements for operational risk, based on factors such as historical data, scenario-based potential losses and implementation of controls.

But unlike credit and market risk, quantitative modelling of operational risk capital was largely an experiment. There was no historical data, and little evidence that operational risk losses could be scientifically modelled or managed via capital incentives.

Despite this, the Basel II Advanced Modelling Approach was in place for 15 years at many global banks, including the major banks in Australia. At the same time, as technological change intensified and accelerated, information security, contingency and other technology-related risks grew in importance. Concerns emerged that the capital regime encouraged banks to focus on minimising a financial number, rather than minimising risk to them and their customers.

Ultimately, as part of the post-Global Financial Crisis regulatory reforms, operational risk capital modelling was largely abandoned. But this prompted some countries to push for a better approach – operational resilience.

Unlike capital or traditional risk silos, the concept of resilience is an opportunity to get business units and management involved. Modern tools to track and monitor resilience indicators, rather than backward-looking controls and risk maps, can be accessed by the whole organisation to provide transparency and accountability. Specialist skills may be required in areas like cybersecurity, but operational risk management will struggle to avoid being viewed as little more than a compliance exercise if it doesn’t start and end with the business.