Operational resilience, a key ingredient for the financial industry

Operational resilience, a key ingredient for the financial industry
By EBRC 16/06/2021
Banking, Insurance & Fintech

On May 11th, 2021, EBRC, in partnership with ISACA, David Hagen Advisory and Finologee  organized a webinar entitled “Resilience, a key ingredient for the financial industry”, which featured several local experts who shared their knowledge and best practices, while discussing their winning recipes and lessons learned from the Covid-19 crisis.

Key topics:

The concept of resilience has become essential also for non-financial sector

David Hagen, Founder, Hagen Advisory
David Hagen, Founder, Hagen Advisory

The event was moderated by David Hagen (Founder, HAGEN Advisory), who introduced the topic. “The Covid-19 crisis that started in March 2020 still has a high impact on our lives, freedom and obviously on the economy. Over the last year, the concept of resilience has become essential as it aims at avoiding potential damage, when it used to be only a theoretical concept two years ago,” started the moderator. According to him, this concept was rarely established in the daily operations of companies but has now become a key strategic element for CEOs. David Hagen also explained that in Luxembourg, several companies already advocated the concept of resilience following the H1N1 flu or dealing with nuclear danger due to the proximity with the Cattenom plant. “These circumstances did not lead to a Covid-like situation, yet they included the Human element of continuity, the availability of people, and obviously the concept of resilience,” he highlighted.

Then, David Hagen briefly discussed the cybercrime threat and the growing number of sophisticated attacks: “In today’s digital world, data has an immense value for all businesses. Protection is essential as the loss of data can have huge consequences and can even lead to the death of the company. Therefore, we need to consider the risks to which companies are exposed”.

He concluded his introduction by stating that “the crisis has changed the view of regulators and legislators that now incorporate resilience in their doctrine. There have been specific laws adapted to the current crisis and several countries have already developed post-Covid crisis pieces of legislation that aim at anticipating potential future crises and at mitigating risk”.

Resilience of the whole ecosystem is needed in the financial sector.

Transparency to face risk

Alexandre Castaing, President, ISACA Luxembourg
Alexandre Castaing, President, ISACA Luxembourg

Alexandre Castaing (GRM, Head of Cyber, Tech and Fraud Risk – Europe and APAC at RBC, and President of ISACA Luxembourg) then took the stage and started by highlighting the significant change of the regulatory landscape over the past 10 years. “It all started with the change in the way incidents affect the financial services industry. Cyber threats have become much more complex and can have disastrous impacts on businesses: it transformed the way we had to respond to threats. We notably noticed the move from standard IT requirements to more transparency. Make sure you report on the incident, on the cyber and tech perspective, but also getting a bit more into the weeds with testing” explained Alexandre Castaing.

Flexible architecture supported by your partners.

When the pandemic hit, RBC was already prepared in terms of architecture and virtual environment, and therefore rapidly allowed its 75,000+ employees to telework efficiently. The teams focused on the management of demand and supply in a dynamic way as it was now impossible to plan over three months. “It needed to be done on a regular basis. Do we have enough storage space? Do we need more power supply? We were able to improve our monitoring capacities” he added. The bank also noticed a surge of cyberattacks, with an increase of about 50%, and the rise of the ransomware as an attack vector. Alexandre Castaing also insisted on the need to think “ecosystem” rather than just “company”, when it comes to digital: “we deal with clients and partners on a daily basis. What is their level of digital readiness? Do they accept digital signatures? How do you manage surveillance of trading activities? What happens if anything goes wrong? Do your suppliers have sufficient remote access capacities? Etc.”.

Employees engagement is crucial for resilience

The expert discussed the future of work, with the primary focus being on employees: what is the status of their mental health? Are they engaged and motivated? How do they deal with stress? RBC made sure it supported them from a financial point of view, obviously, but also by providing them with laptops, chairs, meditations apps as well as games for kids. “Employee engagement is crucial: with the nomination process our people promote others and we organized virtual lunches and drinks with teams from all over the world. Having everyone on board for the same event actually helped us increase the engagement. Currently, we are focusing on defining the future of work within RBC. Will it be hybrid? How can we support our employees in the long run?” he concluded.

Resilience in the financial sector requires a structured framework and new risk management approaches

Stéphane Chmielewski, CISO, Finologee
Stéphane Chmielewski, CISO, Finologee

“As a financial services provider, we have to meet a lot of expectations from our customers as we aim at delivery excellence. We offer them as many guarantees as possible and proofs of what we do in terms of resilience. We want to be recognized as a trusted partner,” started Stéphane Chmielewski (CISO, Finologee).

Resilient best practices : certification, automatisation tools and zero trust model

The expert insisted on the need to structure the company in order to leverage best practices, best in class frameworks, etc. Finologee notably opted for the ISO27001 certification – dealing with information security – which was actually deployed during the pandemic. On the other hand, companies need to be able to cope with the acceleration of cyber threats that are more advanced, sophisticated and automated than ever. “We need to be more advanced in the way we answer protection problems, and to be able to stop attacks right away. For instance, we adopted the zero trust model, using only trusted devices, identities and applications,” explained Stéphane Chmielewski. Automation tools are currently used to detect attacks as quickly as possible. The expert then focused on how to make sure his company can recover if attacked. “We have to be able to absorb shocks and keep going forward. It is what resilience is all about. Even before the lockdown, we planned a dry run… which was to take place the day the lockdown actually began,” highlights the CISO.

Agility to cope with the multiplication of regulation in the financial sector

“Moreover, we need to deal with the multiplication of regulations while still maintaining a robust risk management by being agile and quick in the way we operate. This is the equation we need to solve,” he underlined. The Finologee experts opted for a risk management framework that is sustainable and that creates a link between the teams, and policies. To do so, they invested in a GRC tool that is currently being developed. “We don’t want to be in panic mode after each new regulation. We now have a central board telling us where we are, where we fit, whether we are at risk or not, etc.” concluded Stéphane Chmielewski.

Covid-19: a wake-up call for companies to invest in resilience

Philippe Dann, Head of Risk and Business Advisory, EBRC
Philippe Dann, Head of Risk and Business Advisory, EBRC

Philippe Dann (Head of Risk and Business Advisory, EBRC) also took the stage during the webinar and started by explaining that EBRC is a recognized partner of trust and therefore needs to ensure the resilience of its clients. “Ever since the creation of the company, its mission statement has been to design and propose business secured and resilient services for its clients. We have to admit that Covid-19 did more for resilience than EBRC who has been promoting it in the last 20 years. We have clearly noticed an evolution in the perception and in the way organizations consider resilience in their overall strategy,” he commented.

Philippe Dann highlighted that the financial services industry was well prepared due to the growing number of laws that have passed over the last years, compared to other sectors. “In several other industries, information security and business continuity was mainly an IT topic, but it is now seen as a key priority for top management and business leaders. It protects the organization, ensures its survival, acts as a business enabler and even as a differentiator in the market. Actually, we moved from a mandatory regulation item to a key component of the company’s strategy, and therefore transformed a regulation constraint into a key strategic asset,” added the Head of Risk and Business Advisory.

According to him, resilience – and the ability to operate in a resilient way – is now a key success factor, and a key strategic point for all stakeholders, from the employees and the clients to the partners and other companies. He highlights: “nowadays, a company lives and works in an ecosystem. Companies need to take care of their own resilience but they also rely on partners who need to be as resilient. If they work with an organization that is not supporting their resilience, the resilience chain is actually stopped”. When discussing the client perspective, he advocates to take into account two key elements: preparation and the human aspect. Philippe Dann concludes: “organizations who prepared themselves, did tests, focused crisis management, defined roles and responsibilities, etc., survived the Covid-19 crisis. Also, collaborators need to be involved and trained otherwise you can easily create a crisis on top of the crisis. More than ever, HR has come up as one of the top strategic points for all organizations. At EBRC, we monitored the situation in February, did a stress test, and all employees were able to work from home thanks to this preparation. And we continued to serve the clients without any disruption”.

Our panel discussion

Following their insightful presentations, the experts who participated to EBRC’s webinar then gathered for a round-table discussion led by David Hagen (Founder, HAGEN Advisory). They notably focused on the advent of the concept of resilience, on the importance of suppliers, and obviously on the impact of Covid-19.

Risk management in the financial sector: a holistic approach to operational resilience

Alexandre Castaing (GRM, Head of Cyber, Tech and Fraud Risk – Europe and APAC at RBC, and President of ISACA Luxembourg) first discussed digitalization: “when the Covid-19 crisis began, many organizations had to rethink how they work and do business. How do they interact with other stakeholders? What are the breaking points? For instance, several tax authorities simply do not accept digital signatures. We therefore had to find a way for work around this issue”.

He then focused on the risk management and scenario-based approaches. “Big companies are already using such concepts, but it actually depends on the maturity of the organizations. Nowadays, players do not look at resilience only from an IT and tech perspective, but rather consider resilience in the end-to-end view of their processes. It ranges from their internal infrastructures, legacy, cloud, etc., to how their suppliers can actually support their processes. Transparency is the key word here,” underlined the expert.

When Covid hit, RBC had already addressed its internal digital transformation, even if this long journey has not been completely achieved yet. “The crisis enlightened more breaking points, notably when it comes to the relationships we have with third party providers and clients, who all use different tools and have different considerations,” he commented. Again, trust is a crucial element when dealing with partners and suppliers. According to Alexandre Castaing, the crisis also highlighted the “people risk”: “we used to live in a world where the focus was more on delivering the services, on processes, etc. and we realized that to do so, we actually need people. you need to make sure your employees stay healthy, motivated and engaged”.

Design, test and communication: key elements to operational resilience

As explained by Stéphane Chmielewski (CISO, Finologee), the startup did not have to manage legacy systems and therefore built flexibility from the start, notably by using several cloud native technologies, a modern architecture and micro services. “As a relatively young company, Finologee avoided the huge transition from a legacy environment to a more modern approach, as digital transformation is a key and important topic for many organizations. Obviously, security also needs to be built-in by design, with the most extreme scenarios being envisaged. Readiness is key: train and test regularly. It’s more than just compliance: the mindset needs to change as we move from compliance-based to risk-based,” highlighted the CISO.

According to him, the pandemic made it even clearer: digital transformation is accelerating and companies need to multiply their channels. “At Finologee, we aim at supporting our customers and helping them in the digital transformation of their business. It is inevitably linked to security and resilience,” explained Stéphane Chmielewski. To reassure its clients in a period of crisis the top management of Finologee led informal conversations with their customers and explained what their Business Continuity Plan was all about. “It gave them more transparency and showed them that we were doing the right thing in such delicate times. We shared documentations with our clients and sent communications regularly, by making sure we responded and reacted quickly to their requests. As we are part of our clients’ resilience chain, our role is to reassure them and prove to them that the setting is robust enough. We are all interlinked”.

As highlighted by the CISO of Finologee, Covid showed that “we need to build a crisis management approach, which will require intensive training, from senior managers to employees. Yet, it is not that easy to train them on the concept of resilience, especially if they are currently working from home. Thanks to their its high standards and regulation, and also depending on their risk appetite, financial institutions were more prepared than others”.

Operational resilience: other industries align onto the financial sector

According to Philippe Dann, “companies realized they are depending on an ecosystem and that they therefore rely on partners. It shows the importance of suppliers, who need to be resilient as well. How many companies, before the Covid crisis, actually challenged the security level and business continuity plans of their partners? Not many. Now, they all understand the importance of maintaining the robustness and resilience of the entire chain. The selection of trusted partners is therefore more important than ever”.

EBRC, thanks to its numerous certifications, was able to answer its clients’ requests, who were wondering how EBRC could support their business continuity, when they used to focus on the topic of compliance. “The players of the financial sector were clearly more prepared to face such a crisis, due/thanks to regulation. They were familiar with crisis management and performed several tests. This pandemic was just another scenario. In other industries, business continuity was more of an IT topic and they soon realized they had to work on it in order to survive,” added Philippe Dann.

To sum up, the expert shared EBRC’s pragmatic approach to resilience, which relies on five key pillars: (1) information security as the foundation to protect the assets, (2) business continuity which does not concern only IT anymore, (3) the need to identify risks and have appropriate treatment plans, (4) the need to be prepared and finally (5) the idea that resilience has become an actual corporate program lead by top management and with the participation of all employees and stakeholders.

Resilience: the ultimate mitigation to operational risks?

In his introductory speech, David Hagen explained that “resilience is the ultimate mitigation to operational risks”. Philippe Dann agreed and added: “resilience is a key factor for agility and for trust, within the company, in the market, and with partners. It will help companies face new situations and new request”. According to Stéphane Chmielewski, resilience needs to be embedded in a long-term strategy, “as conditions and the environment change rapidly”. Alexandre Castaing focused on the move to non-financial risks, making the concept of risk much broader: “therefore, resilience must not offset the other aspects we need to consider, such as data integrity, data ethics, AI, etc”.
“Data is the most precious asset of the company in our current digital world. Therefore, data integrity and security are crucial. Companies need to protect the information. It also needs to be encrypted, available, etc., along with robust backup capacities. We are coming back to the CIA concept: Confidentiality, Integrity and Availability. Then, companies should be able to answer to the needs of the business,” then explained the CISO of Finologee. Alexandre Castaing insisted on the need to test the backup as well as the rapid identification of what has been impacted in case of an attack. “Use forensics to check and contain the threat as soon as possible. When implementing a recovery strategy,  the primary objective should be to start over in an environment that is safe and threat-free,” added the expert.

Operational resilience: a recap

To conclude this discussion as well as the webinar around the topic of resilience in the financial sector, David Hagen listed some of the key points addressed during the day by the experts. He first reminded the audience that in a period of crisis, suppliers are key and must be as resilient as the companies themselves, in order to maintain a strong resilience value chain. He added: “in a global environment, supply chain needs global governance”. He also focused on the fact that “the human aspect is back in the center of business, with companies aware of the concerns of employees working from home. It is one of the most optimistic aspects of this Covid crisis. More generally, Covid made companies aware of the importance of anticipation. For those we were not prepared prior to the crisis, teleworking turned out to be difficult to implement. For instance, the immediate shortage of laptops was an issue”. Yet, the financial services industry was mature enough and avoided such problems. Also, companies who had bet on digital and technology had an advantage in surviving the crisis. “To build resilience, start with a good risk analysis based on the business and determine those risks based on vulnerabilities and threats. Also, companies now need to consider the horizon of risk: when will the crisis happen? For instance, the pandemic risk was real and experts knew it would hit… but no one assumed it would happen so soon,” commented the expert. According to him, the risk analysis that aims at creating resilience is a difficult exercise which calls for diverse assessments and heterogeneous judgement from the experts since risk assessment is a cultural element that varies over time. “It is therefore necessary to use methodologies that are quantitative in order to assess risk in an unbiased manner. This task requires the use of specialists and experts: has resilience become a specialized area of risk?” concluded David Hagen, leaving the door open for a future discussion…