The journey to an outcomes-approach to operational resilience

In this article, Heidi Richards, Independent Consultant and former APRA Executive on APRA Prudential Standard CPS 230, explores the evolving concept of operational resilience as well as the history and reasoning behind today’s outcomes-based approach.

By Ansarada, Mon Jan 29 2024

Operational resilience may be the latest buzzword that regulated financial institutions need to learn, but it’s not a new concept. The emphasis on resilience to operational disruptions is just the flip side of the management of operational risks. But the shift in language reflects an important evolution in regulatory philosophy - toward targeting good outcomes for companies and their customers, with accountability on the company to achieve those outcomes.

This shift in thinking results from decades of regulatory experience with enforcing more and more standards, checklists and processes, which have not resulted in any obvious reduction in operational failures among regulated financial institutions.

APRA’s new standard CPS 230 is, in fact, largely a restatement and to some extent a streamlining of existing prudential requirements. What’s new is the expectation of a more comprehensive and outcomes-focused approach to operational risk management across business units and across the traditional risk and compliance silos of business continuity planning, outsourcing and information security.

The outcomes focus is evident in the requirement that financial institutions set their own risk tolerances for resilience outcomes, and demonstrate that they are managing to those tolerances. To do this, the operational resilience mindset starts with the critical business processes and product/service operations, rather than risk management teams, processes and controls.

To understand the shift in mindset that is occurring, it’s useful to consider how we got to this point.

Operational risk management as a discipline came into the regulatory gaze back in the 1990s after a series of rogue trader events at major global banks. At the same time, banking regulators from around the world were working on a new and (it was thought) more sophisticated regime for calculating capital requirements.

For a bank, capital on the balance sheet is critical to absorb unexpected financial losses and can help quantify and price risk. But capital comes with a significant cost to profitability, so, despite these benefits, banks have an incentive to minimise capital requirements.

A push by global banks for a more ‘scientific’ (and less costly) approach to modelling possible future losses for traditional bank credit and market risks led to the Basel II capital reforms in 2004. The thinking was that operational risks could also be managed in terms of financial loss impacts and risk-adjusted returns.

Under Basel II, banks would be accredited by their regulators to model regulatory capital requirements for operational risk, based on factors such as historical data, scenario-based potential losses and implementation of controls.

But unlike credit and market risk, quantitative modelling of operational risk capital was largely an experiment. There was no historical data, and little evidence that operational risk losses could be scientifically modelled or managed via capital incentives.

Despite this, the Basel II Advanced Modelling Approach was in place for 15 years at many global banks, including the major banks in Australia. At the same time, as technological change intensified and accelerated, information security, contingency and other technology-related risks grew in importance. Concerns emerged that the capital regime encouraged banks to focus on minimising a financial number, rather than minimising risk to them and their customers.

Ultimately, as part of the post-Global Financial Crisis regulatory reforms, operational risk capital modelling was largely abandoned. But this prompted some countries to push for a better approach – operational resilience.

Unlike capital or traditional risk silos, the concept of resilience is an opportunity to get business units and management involved. Modern tools to track and monitor resilience indicators, rather than backward-looking controls and risk maps, can be accessed by the whole organisation to provide transparency and accountability. Specialist skills may be required in areas like cybersecurity, but operational risk management will struggle to avoid being viewed as little more than a compliance exercise if it doesn’t start and end with the business.


Heidi is a former senior regulator with 30 years’ experience leading policy and regulatory reforms at APRA, the Reserve Bank of Australia, the US Federal Reserve Board and the US Treasury. Since retiring from the public service, Heidi has provided guidance on regulatory strategy to banks and regulated financial institutions, fintechs, boards and CROs. Currently Heidi is focusing on scaling up risk and compliance functions, banking-as-a-service, operational resilience and open data. She loves to talk about improving how we design and implement regulation.
Heidi Richards, Independent Consultant, Former APRA Executive

