Institute of Risk Management experts outline global risk predictions for 2021
18 February 2021
The COVID-19 pandemic, increased geopolitical risk and Brexit are just some of the areas highlighted when the Institute of Risk Management (IRM) asked senior members of its Special Interest Groups for their views on the outlook for the risk management landscape in 2021.
Operational risk professionals are readying themselves to deal with a multitude of possible risks and events in 2021. Undoubtedly, for many reasons 2020 was an extraordinary year for many industries including financial services.
The last 12 months witnessed a long-planned-for, yet wholly unexpected, business continuity event unfold alongside the determination of the Brexit process in the final moments of 2020.
How, though, have these major – in tandem with somewhat less high-profile – events changed risk considerations and risk, security management and business continuity professionals’ readiness and response?
“Resilience has been absolutely key during 2020,” asserted Paul Saunders, chair of the Operational Risk Special Interest Group at the IRM and managing partner at GD Financial Markets LLP. “Enhancing the operational resilience of the financial services sector remains a strategic priority for the regulators. The advent of the COVID-19 pandemic has only served to reinforce its importance and, although firms successfully responded to the pandemic to ensure that their operations could continue, in some instances risk appetites were adjusted in order to accommodate deficiencies in controls.”
In 2021, regulators will continue to challenge how firms are ensuring that risk and control frameworks are operating effectively under the current working environment. This includes the capabilities of what Saunders references as the traditional ‘three lines of defence’ in addition to the monitoring of material residual risks against risk appetites.
“Further, and following on from policy consultations, the industry will be expected to meet formalised standards for operational resilience and outsourcing during 2021. Firms will need actionable plans in place that enable them to achieve these standards. In the coming year, firms should address the lessons learned from the pandemic and determine to review how these experiences might impact the development of operational resilience as a continuing discipline.”
The regulatory agenda continued and progressed during 2020 despite the challenging conditions realised by the pandemic. This year, Saunders believes that firms should continue to recognise the truism that regulatory health and readiness involves not focusing solely on the macro picture such as Brexit or COVID-19 or only on micro risks in the business. Rather, preparations for managing future regulatory risks mean adequately covering all bases and, in particular, the somewhat all-encompassing regulations designed to ensure responsibility and governance, customer protection and market integrity.
During 2020, the industry heard from regulators that regulatory conformance should not be lessened as a by-product of remote working. “For the year ahead,” observed Saunders, “firms should take this steer and leverage the structure that regulation offers to ensure the delivery of robust, practical and pragmatic governance and control. With regulation now more important than ever in terms of its contribution towards market stability and continued penalties levied, it stands to reason that regulatory risk in a new working environment simply must be adequately managed.”
For its part, cyber crime continues to grow exponentially and 2020 saw many firms even more exposed to such risks as a result of pandemic-enforced remote working. That situation remains amplified by a shortage of trained and skilled cyber security professionals, a lack of understanding of the threat and its delivery mechanisms, the continued development and availability of Cyber Crime-as-a-Service and the firm stance of the Information Commissioner’s Office (accompanied by the potential levying of significant financial penalties).
“The prevalent 2020 risk of a ransomware attack will continue to be faced by firms into 2021,” continued Saunders. “The impact of such an attack can be devastating and highly disruptive to business. This growing trend has expanded to criminals copying data prior to encrypting systems, in turn limiting a firm’s ability to offset risk through the availability of back-up data. That being so, firms face the risk of blackmail to recover data or the exposure of data by dint of it being offered for sale in criminal online forums. This activity serves as both an industry and a firm-level macro risk, operating in tandem with implicit pockets of risk within the firm’s business activity and the potential for inadvertent regulatory breaches.”
Expanding this threat arena to encompass financial crime, many firms continue to refine implementation of the 2017 Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations. On this subject, Saunders stated: “The impending regulatory updates which expand the regulations’ scope and responsibilities could well expose individuals to the risk of criminal proceedings if they’re not adequately managed. In 2021, firms must ensure that they’re well positioned to comply with those requirements designed to protect their business and clients and to mitigate this newly introduced personal risk.”
Under pandemic conditions, remote working has introduced some limitations on the traditional processing approach. Moving further into 2021 and with the highly likely continuation of this working environment, firms should mitigate risk by ensuring that these limitations are addressed on a more permanent and robust basis. Doing so will alleviate inadvertent and undue exposure under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations and in the customer due diligence space, which is of course a fundamental ongoing requirement for business operations.
Saunders concluded: “While the pandemic has introduced a blanket operating risk for firms, business operations have continued and firms have adapted, commendably rising to the challenges presented in these areas. In 2021, firms should remain vigilant, agile, objective and alert when it comes to their management of risk. This should put them in the perfect position to continue mitigating against the risks posed by an ever-changing environment, increased regulatory obligations, the growing sophistication of cyber criminality and the real life testing of operational resilience.”
Aileen Wallace CIRM and Socrates Coudounaris CFIRM are the co-chairs of the IRM’s Non-Executive Directors/Chief Risk Officers Special Interest Group which was formed in February last year to provide a ‘vertical specialism’ promoting Best Practice and focusing on Board governance in addition to risk-related matters.
With COVID-19 necessarily being the most topical Board risk agenda item at present, Board expectations are changing fast and relationships between chief risk officers and the Board have arguably never been tested to such an extent.
“Our discussions have duly highlighted the importance of having strong and effective relationships between Boards, Risk Committees and chief risk officers,” said Wallace. “As the first wave of COVID-19 set in, we saw individuals’ willingness to roll up their sleeves and make instant decisions, thereby demonstrating a strong and collaborative risk culture.”
Continuing this theme, Wallace asserted: “We also found that Boards were genuinely enquiring about the health and well-being of employees. Communication, both internally and externally, with the appropriate speed and clarity has been key when it comes to explaining to clients, regulators and the media alike how today’s companies have remained in an effective operational mode during the pandemic.”
Risk management teams have continued to be a consistent critical friend, according to Coudounaris, adapting and innovating their approach with that of the business as a whole given that thousands of members of staff have been largely working on a remote basis since March last year.
“Considerations of appropriate and effective risk controls formed part of such discussions while also checking-in with colleagues on their well-being,” explained Coudounaris. “As organisations adapted to the new ways of working, their operational resilience was being tested. At the end of November, we held a virtual round table discussion on operational resilience and the participants agreed that COVID-19 has been the mother of all stress tests. Indeed, it has acted as a valuable stress test on both organisational culture and operational resilience in general.”
COVID-19 has undoubtedly put companies through a real-life test. It has been the moment in time when actual organisational culture crystallises and staff are able to witness company actions and assess in detail where the business stands on the culture maturity scale.
“Companies have recognised the strength of their human capital and their ability to carry on operating via remote connectivity,” said Wallace. “The ‘people agenda’ and mental health and well-being have never been of greater importance than they are now. Organisations are necessarily revisiting their people agendas which were really designed for a different paradigm.”
If 2021 allows for some degree of return to the office environment with social distancing in place, it would be under a ‘new normal’ offering a physical location for colleagues to meet and interact in person, but with remote working remaining the norm. That’s the belief of Wallace and Coudounaris.
The importance of risk management and operational resilience strategy remains front and centre on any Boardroom’s agenda. Risk professionals are presented with the opportunity to engage with the Board and steer the conversation in a dynamic manner towards the formation of a truly resilient organisation by design.
Going forward, Wallace and Coudounaris point towards new technologies, data protection, cyber security and outsourcing arrangements being the key areas of focus for risk professionals, who must also keep an eye on horizon scanning.
Coudounaris concluded: “For those companies who are taking into consideration the lessons learned from 2020, this will give the Board, the senior leadership team and members of staff the confidence they require to deal with any future demands that may come their way.”