Control Assurance During the Pandemic Era

The pandemic era has seen financial institutions activate their business continuity plans in the shortest possible time. The current situation has defied the duration of most “worst-case” scenarios. Organizations have been forced to operate in a “business as usual” manner while in continuity mode, and many have continued to be in a “makeshift” model. Due to many factors, including the nature of the prevailing situation, the organizations may not have assessed the new normal for inherent risks and threats.

In the new norm, financial institutions may need to deal with newly exposed threats and vulnerabilities. The remote nature of business and working has made it imperative for organizations to revisit how they function. From addressing challenges in accessing their clients and providing seamless services, financial institutions have reimagined their business, technology and processes. For example, the number of organizations converting to digital and cloud services is increasing. The pandemic has given a sudden thrust to this conversion.

Technology functions, which are the backbone of financial institutions, must work around the clock to make delivery seamless. At the same time, they need to minimize risk and ensure regulatory compliance. Demonstrating compliance with multiple regulatory requirements and adhering to the industry standards is also one of the top agendas for most risk organizations, as the threat levels have increased. Due to these external situations and internal vulnerabilities, the controls need to be beefed up and enforced to address the elevated risk levels.

Reconsidering Risk Identification and Risk Assessment

There is a need to relook at the basics and revisit the risk identification and risk assessment process across the organization. A remote, digital environment warrants a review of the end-to-end life cycle of every process and technology.

Risk identification needs to consider both the “top down” and “bottom up” approach. This two-pronged approach for revisiting the risk assessment processes will help organizations address the immediate threat they have been exposed to. A holistic approach is needed. It includes identifying and assessing risks that are emerging (top-down view). Climate risk, operational resilience and new regulatory risk are a few top-down risks to be considered. Furthermore, the financial industry at large faces several significant events. Hence, identifying and evaluating external events that have impacted other financial institutions for applicability and subsequent gap assessment on any applicable external event will help plug any similar weakness within the organization.

Similarly, it’s important to identify and assess those risks that have crept in due to changes in process, technology or infrastructure (bottom-up view); for example, cyber risks, money laundering, fraud, etc.

A Collective Assessment

Organizations must also assess risks collectively to identify real exposure from threats and to identify areas of opportunity. For example, a process with weak controls for high-value transactions coupled with a compromised technology and infrastructure can have a ripple effect on inherent risk. Risk interactions also need to be considered from both top-down and bottom-up risk views.

Organizations also face added exposure to fraud risk, regulatory breaches and cyberattacks. These risks may not be alarming in isolation; however, if combined, they can have a damaging effect. Hence, there is a need for every organization to review the risk identification and assessment for every process. Any new risks identified and any increase in the risk posture of an already-identified risk must be mitigated, and controls identified and tested.

The risk assessment criteria should not only look at the impact, probability and speed of onset, but also at the duration of the event. These assessment criteria could either be clustered together or carried out individually. While identifying and assessing the risks, organizations should consider multiple sources of anomalies and breaches. For example, when looking at operational losses during the period, customer complaints, frauds, ethics issues, significant incidents and audit findings may not be significant when reviewed individually; however, when analyzed together, they may help to identify significant control gaps at the organization level, thereby leading to high residual risk.

Residual Risks

Most organizations carry out the risk identification and risk assessment process but do not discuss the inherent and residual risks separately. For each risk assessment process, there must be a residual risk assessment followed by risk treatment criteria. Determination of whether the risks would be accepted, transferred or mitigated should be conducted depending upon the residual rating of the risk and risk appetite of the organization.

Risk-Rating

For a holistic approach, the residual risk-rating process should consider all significant breaches and incidents before the risk can be considered or rated as “medium” or “low.” A continuous review mechanism of inherent and residual risk assessment in this manner will ensure that there are no surprises and that risk management organizations are looking at risks dynamically as the environment is changing. The idea is to identify the anomalies and address them rather than addressing every risk event.

Thresholds

The risk thresholds also need evaluation, given the changing environment. For example, with the number of transactions taking place online, the earlier KRI’s (key risk indicator) and thresholds may be misleading, increasing the workload of risk analysts by creating “false positives” while ignoring “true negatives.” Similar changes need to be identified and addressed in the risk threshold definitions so that appropriate breaches can be identified. In addition to individual KRI and threshold, cumulative thresholds need to be defined to address the collective impact of multiple control breakdowns and trigger a risk treatment if the cumulative threshold is breached.

The risks identified thus – rated as high inherent risks and high/medium residual risks – should be reported at the risk committee level for review and action, with final reporting to the board risk committee for appropriate oversight and to prevent surprises to the board.

Given the exposure in most financial institutions, there is a need to focus on revisiting risk exposure and the control foundation. Digital and cognitive interventions to assess controls may be deployed, freeing up risk resources to focus on the foundation review and prepare for the future. Besides, technology can also be used to speed up the risk identification and risk assessment process. Similarly, a single view of regulatory and compliance requirements to the control environment can be built using digital interventions. Implementing automated controls where applicable also reduces the element of error and provides greater assurance.

With added pandemic stress on the financial and economic health of most organizations, it is imperative for financial institutions to revisit their risk and control assurance processes. This will help them detect vulnerabilities and identify opportunities, making them stronger and more resilient to face any upcoming challenges while also supporting their growth goals.