Some lessons on operational resilience from COVID-19
Good morning, good afternoon and good evening to everyone participating in today’s event. Let me start by thanking the Basel Committee for organising it, and for asking me to kick things off.
There’s rightly been a great deal of attention lately on financial resilience, given the world we’re operating in. But it’s equally important to stay focused on the operational resilience of the financial system as well. The ability of participants to continue to perform their core functions seamlessly and without disruption is obviously important to community confidence – and especially critical at a time when confidence might be a bit fragile. It will also play an important role in facilitating the economic recovery we’re all hoping for. Against that backdrop, today’s event is very welcome.
COVID-19 has been a very real test of banks’ operational resilience. Restrictions on social mobility have forced banks to rapidly adjust to new ways of doing business. While critical services have been maintained, key processes had to be changed – in some cases dramatically – to support customers, to address service provider failures, and to respond to local and overseas lockdown measures.
From my viewpoint, Australian banks have navigated the past six or so months quite well. Importantly, at a time of extreme community uncertainty and nervousness, there has been no significant degradation of services provided to customers.
But that doesn’t mean there aren’t already some lessons to learn, and I want to quickly list seven now. They don’t map perfectly to the Committee’s seven draft principles, but they’re quite well aligned.
- The first relates to board oversight of risks exceeding risk tolerance levels. At least in the early stages of the pandemic, many banks found themselves operating beyond their risk tolerance and, at least in some instances, this persisted for quite a while. While inevitably there was a need for speed, and often little choice in actions taken, quickly identifying and specifying the expectations from the Board and executive on their willingness to accept risks outside tolerance can undoubtedly strengthen response and recovery plans to get back within risk appetite.
- The second issue goes to the robustness and breadth of business continuity plans. For a situation that was routinely referred to as ‘unprecedented’, we shouldn’t expect perfectly formulated contingency plans that can be executed without a hitch. But there are a few areas to emerge where plans can reasonably be strengthened, including the repatriation of services previously conducted by offshore service providers; the impact of global offshore service providers impacted by lockdowns; and dealing with work-from-home for a very long period of time. Banks will need to re-evaluate what scenarios they consider plausible, and what additional scenarios they need to cater for in business continuity planning and testing. A key dimension will be the longevity of the disruption.
- Turning to technology, the third issue is the increased risks to information security. Health restrictions have compelled large numbers of staff to work from home. This introduces a range of heightened security concerns, including the capacity of virtual private networks to support remote working, the security of information accessed in the home environment, and the dependency on home rather than enterprise-grade connectivity. New cyber-attack vectors have opened up.
- That brings me to the fourth issue – the impact of change freezes and deferrals on longer-term system hygiene. A common response by banks to the onset of the crisis was to maximise the short-term stability of their technology through change freezes and delays to implementation of new products and features. Undoubtedly, that worked. But as the disruption persists, it’s a less viable strategy. It’s introducing a backlog of work that still needs to be done, and if the deferrals include less critical security patches, information security vulnerabilities can be building over time.
- My fifth issue is the reliance on third party service providers. COVID-19 has highlighted vulnerabilities created by key service providers, especially those located offshore. It’s also put a spotlight on potential concentration risks and interconnectedness from an ostensibly diverse range of banks relying on a few key critical service providers.
- Sixth is the ability to test some contingency arrangements. While COVID-19 has provided an invaluable real-world test of some aspects of contingency planning, other aspects have suffered. The pandemic’s impacts have not only delayed some testing, but have also created challenges for banks’ ability to enact disaster recovery plans that involve, for example, accessing physical alternative sites (albeit they may be less critical in future with more robust remote working). While there’s a natural focus on the lessons from COVID-19, other risks such as wholesale data centre loss, major cyber-attack and data corruption haven’t gone away.
- And last, but definitely not least, is the human toll of an extreme environment. COVID-19 has brought to the fore the impact of a prolonged period of remote working and lockdowns on staff wellbeing, with an increased prevalence of mental health issues from stress, anxiety and isolation. Contingency planning in the future will therefore not just be about systems and processes, but will inevitably have a much stronger ‘human’ element to it.
Those are a few early lessons I thought worth highlighting. I’m sure participants will offer up others.
What’s important is not the length of the list, but that the lessons are not lost. The Committee’s draft principles on operational resilience will hopefully help ensure that’s not the case.