As operational risk proves itself to be more and more relevant for businesses as firms tackle ongoing global crises, it is not unusual to see regulations also evolve to better protect the financial world from these troubles. However, when it came to the recent re-lensing around the idea of fee-based activities and its status as an operational risk, Fusion Risk Management director Alex Toews had more than a few words to say.
“Personally, I don’t think it’s going to change a ton [in the operational risk landscape],” Toews said in conversation with Insurance Business’ Corporate Risk channel. “The large opinion is we don't need more buffer; we don't need more focus and control and oversight in this part of the business. I think that's speaking to my earlier point around if our fee-based activities disappear tomorrow as a bank, we're not going to go under, and it's not going to kill us.”
To a certain point, Toews believes that some of the more vocal around this issue has anxieties around more oversight and “monotonous checks and balances.” Some companies think that this refocusing of fee-based activities will only slow things down, make parts of it more arduous to control, and effectively lower business efficiency, Toews said. However, he was a bit more open-minded, trusting in the fact that resilient organisations will have the capacity to handle such changes.
“Maybe we need to implement more oversight, more control, whether IT or manual, in that part of the business to reduce our risk exposure that we have historically looked at as relatively low risk for us,” Toews said. “Because what they're being told through regulation, right or wrong, is as regulators, we're concerned about the fee-based side of your business. We need to make sure you have more oversight, you have more control, etc., in that part of the business.”
“For a large part, the operational risk – processes and capabilities and things that they're doing from an organization perspective – companies just need to look at that and reassess: are we too exposed in this area based on regulator opinion? Technology-wise, lots of technology providers, including ourselves, have the capabilities and features to employ that tie to lots of other operational risk areas that again, will simply be pivoted, shifted, and change that lens of capabilities at this part,” he said.
Earlier this year, the financial world was recently shocked by bank shutdowns, both regional and institutional. With evolving risks that seemingly make up “a relatively complex web,” Toews said that while it’s “a relatively known quantity” that regional banks can somehow fail, it’s the institutions that everyone should be worried about.
“There is a couple dozen institutions in the world that we simply cannot lose, they cannot fail,” he said. “We think back to 2007, 2008, you know, Bear Stearns, Lehman Brothers – I think that's the last time we would probably see that happen on that scale; in fact, more should have failed and probably shouldn't be around. But again, from a US perspective, we had the government, the Fed, and the Treasury jumping in to save everyone from that impact, from it spreading any further; it just means we simply can't afford for those large institutions to disappear. The ripple and the impact of that would be unsustainable.”
Avoiding the pitfalls of another looming financial crisis is easier said than done, but Toews believes that it all comes down to handling operational risk; for larger institutions, survival will be tied more to financial risks involving capital adequacy, capital buffers, and the others. For other firms, while the same financial risks apply, it also comes down to things that are tied to their ability to operate.
“If you’re not collecting cash, you're not servicing customers; ergo, you're not providing products to customers. If you don't have the operational capacity to do so, if people can't work, if sites are down, if technology is not operating, if cybercrime has infiltrated your most critical applications and software and IT assets and the third parties that aren't inside your four walls can't operate, you can’t transact wires, you can't send money – all of those things, those are all operational features of your ability to create cash flow and to send cash and manage cash and get cash to your customers,” he said.
“That's a key part of the financial piece and something that will always be critical in our ability to manage systemic disruption,” Toews said. “However, there are things that we need to be aware of when it comes to operational risk; while the financial side will continue to be very important, what are the things that can bring down my ability to operate? Cyber security is probably 1A on that list.”
For Toews, this means sufficient coverage across the IT base that allows a business to sail smoothly and access the data needed to transact daily. Customer information is also something of paramount importance and tied innately to cyber security. Regardless of an entity’s complexity, in today’s business it is the realm of cyber risk which brings everyone together, Toews noted, and with that comes the necessity to prepare against evolving threats, one of them being the hottest topic in the industry today.
“A great example is the emergence of AI, right?” Toews said. “That's going to present an entirely new landscape of risks that we haven't decided yet how we're going to control when it comes to things like global banks or global financial institutions. Cyber risk is going to be a huge, huge piece of that. Regardless, they should be overly aware of the cyber and information security risks, and they should be aware of the threats that are just down the road, given the evolution of technology and the whole digital landscape.”
Talks of possible sequels to financial doom aside, Toews said that handling the current risk landscape comes down to an understanding of the cohesion between financial and non-financial risks. From the perspective of Fusion Risk Management, Toews said that while being single-minded is important, being hyper-focused on just a few areas can spell trouble resulting from overlooking something vital.
“You're not going to be able to effectively manage and mitigate potential disaster if you continue to hyper-focus on single program areas and risk domains in your business, report on those vertical slices in front of a risk committee meeting on a quarterly basis and have third party risk team present their perspective on the highest risks your operational risk team provides,” Toews said. “There needs to be a consolidated, cohesive understanding of the risks that are the most pervasive as well as those which may have the biggest impact on your ability to operate, therefore impacting your ability to provide products and services to your customers and clients.”
In the nearly five years he has spent with the firm, Toews said that this area is something that Fusion really excelled in. Rather than distribute modules that focus on specific trouble areas, the company supports tacking different risk domains and program areas with the intent of connecting them to better understand the relationships, requirements, and dependencies between various operational processes.
As the industry continues to move forward, and operational risks become much more complex, Toews said that helping clients understand these connections to de-risk operations will always be at the heart of Fusion Risk Management.
“A client can ask, ‘how does our business work, how do we operate, and how do we maintain that?’” Toews said. “That to me is the key and something as a solution provider we really obsess on. That is the core of remaining in business and avoiding disruptions, it’s understanding how your business works, both financial and non-financial.”
What are your thoughts on this story? Please feel free to share your comments below.