The COVID-19 pandemic brought about an unprecedented set of challenges that are impacting the entire financial services global workforce both personally and professionally. Already months into the crisis and many financial institutions are still struggling to adapt to what is, in effect, a prolonged financial shock with a human resource issue at its heart. To meet the challenges that the pandemic is presenting, investment banks must renew their focus on operational resilience, contingency programmes and business continuity planning. Based on extensive experience working with bank clients, GreySpark has developed a code of practice to ensure ongoing operational resilience, and this article outlines the steps that financial services firms should take to maximise their chance of traversing this turbulent period with all their business lines intact.
By: GreySpark Consultant Mark Nsianguana.
Early in 2020, the global response to mitigate the severity of the pandemic was the imposition of stay-at-home orders by many governments, including the UK, on their entire population. Subsequently, the UK’s PRA & FCA regulators issued guidance that reminded the firms under their purview of their responsibility to uphold market integrity and made it clear that, despite the pandemic, financial services firms must continue to oversee employee activities – despite the change in their location – with a view to detecting and preventing any misconduct.
Maintaining Operational Resilience Post-2020
Operational resilience plans are designed to optimise a firm’s response to any shock that impacts its operation. However, the need to bolster those plans once a risk becomes an issue and a firm begins to be worn down through the long tail of a realised shock cannot be underestimated. In these circumstances, it is important to prioritise areas of the operational resilience framework that will dampen the impact of the specific shock being experienced. That is as true of the human resource challenge arising from the pandemic as it is for another other major event a firm can experience, and Figure 1 identifies where banks must focus their COVID-19 response efforts, currently.
Figure 1: Prioritising Aspects of an Operational Framework in Light of COVID-19
Source: GreySpark analysis
The stay-at-home orders issued at the beginning of 2020, and the subsequent disruption caused by local lockdowns and quarantine rules, created considerable issues for many areas of investment banks.
Teams that were not permitted to work from home historically, such as traders, were forced to operate outside of the physical and supervisory protections of the trading floor. More broadly, all those without working from home privileges and, thus without the required bank-provided hardware, were forced to use their own equipment and utilise applications that were not bank sanctioned to maintain contact with their team and to keep the lights on in the bank. The results of an indicative survey conducted by GreySpark identifies five areas of risk relating to the pandemic and the current working arrangements, as shown in Figure 2, and indicates how severely the bank is impacted by them.
Figure 2: Level of Concern in Five Investment Banks’ of Covid-related Challenges to Operational Resilience
Source: GreySpark Survey of five investment banks
Step 1: Reduce Cybersecurity Risks
Recent reports suggest that banks are experiencing a spike in the number of phishing attacks and malware spam received by its staff as attackers take advantage of the vulnerabilities that the stay-at-home orders created. The use of unsanctioned platforms to ensure a continuation of communication and operation mean that employees may have exposed their personal computers and phones to third-party malefactors. Consequently, some IT teams have needed to conduct more frequent phishing simulations to enable them to develop effective preventative measures. However, as most investment bank employees have a layer of protection on their personal equipment, and have access to VPNs, this is not thought to be the biggest of the threats facing investment banks in 2020.
- Banks should ensure their detection and alerting capabilities are maintained and work to provide platforms and applications that are secure and effective for remote workers.
- Banks should explore co-sourcing with external consultants, especially for areas where ‘key resource’ risks are identified.
Step 2: Alleviate Technology & Bandwidth Concerns
Some front- and middle-office staff have reported to have been struggling with inadequate network speed and bandwidth and the lack of adequate hardware. Remote working is putting unanticipated stress on communications. At the onset of the pandemic, some staff were even unable to connect to their VPN due to the number of people attempting to do so at the same time. While the degree to which this affects financial institutions has become less severe over the last few months, under capacity is still an ongoing issue for banks, and may increase if further national lockdowns are introduced.
- Banks need to prepare for more network traffic by optimising their technology and infrastructure for remote workers.
- Banks should also assist employees with their home-office setup, ensure adequate VPN bandwidth is available and work to provide remote access for applications across all workflows.
Step 3: Mitigate Data Privacy & Compliance Risks
Financial firms of all stripes face the increased use of unmonitored communications channels and this is one of the most concerning aspects of remote working. Where bank staff are forced to use personal devices, and have resorted to unsanctioned communications platforms, there are serious data protection and privacy issues. Concern over unmonitored channels has heightened the operational risk exposure for many firms, as video and chat rooms typically sit outside the firm’s firewall and, in some cases, conversations may not be recorded.
- Banks should adopt a suite of digital tools that facilitate effective communication and decision making, and include video conferencing, file sharing, real-time communication and task management.
- Banks must develop clear policies on working from remote locations for all job roles and communicate them to all employees. Policies must specify methods for secure document disposal and handling of material non-public information, as well as when home listening devices need to be deactivated by employees.
- It is critical to ensure that staff have the necessary tools and resources to handle calls from home while maintaining customer-data-confidentiality standards.
Step 4: Develop Resource Plans for Unplanned Events
Front-office oversight activities were initially affected by a reduced staff workforce and trading supervisors did not have direct oversight over the traders. Supervisors were challenged to triage an unusual number of trade surveillance and communication alerts and there were delays on pre-trade approvals, reviews of operational reports and the close of end-of-day trading books. The risk that illicit market behaviour goes undetected was raised to worrying levels.
- Banks should consider not only whether there is adequate resourcing in surveillance teams, but where that is not feasible, they must ensure that surveillance teams focus on high-priority alerts, rather than closing larger volumes of alerts quickly.
- Banks should also consider leveraging skillsets in their control functions to fill gaps where their surveillance resources are depleted.
- Technology and analytics could be deployed quickly to allow teams to identify and prioritise higher-risk alerts, or to group certain alerts together to allow for an efficient workflow.
Step 5: Remove Dependencies on Critical Environments
Deprived of access to on-site premises, front-office staff were unable to access pricing engines that allowed them to execute transactions. Forced to fall back on a manual excel-based pricing approach, neither in-house downstream systems nor third-party providers were fed the data needed. Workarounds were created that were insufficiently tested for the remote working set up and support teams struggled to ensure they were operational. Some banks faced delays which had consequences for settlements and position-keeping processes.
- Banks should increase automation and make the manual aspect of workflows the exception rather than the rule.
- Banks must collaborate with third-party vendors which provide tools to streamline workflows for sales and traders working from home.
Facing an Uncertain Future
Despite the difference between the Covid-19 shock and other recent global challenges, the experience garnered is a good starting point for tackling the challenges the financial services industry faces today. However, the specificities of the pandemic’s impact, as well as its scale, requires a unique approach. Essentially, banks must create stronger and more automated enterprises that have resilience at the centre if they are to mitigate the far-reaching repercussions of the ongoing pandemic.
In the past, banks have funded expensive and largely dormant BCP sites that host vast arrays of desktops and office equipment for staff to work from. These sites have two major downsides. First, they are typically proximate to the primary offices so that staff can reach them and so are costly to maintain, and second, they typically only cater for a reduced headcount. As many employees are now working from home, the domestic premises used by staff as their place of work throughout most of 2020 have morphed into what is essentially a dispersed network of micro BCP sites. This arrangement is significantly cheaper than a centralised BCP site and allows 100 percent of employees to participate. So, if the issues identified in this article are addressed, this new working paradigm raises the question of whether a central BCP site is needed at all. The closure of some, if not all, of BCP sites will liberate budget that could be reallocated to fund banks’ operational resilience improvements.
In the next article in this three-article series, GreySpark explores the vendor response to the operational resilience challenges presented by the pandemic.