• About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising The Bar
  • Risk Committees
  • Team
  • Events
  • Blog
  • Contact
pexels-miguel-%C3%83%C2%A1-padri%C3%83%C2%B1%C3%83%C2%A1n-1061141.jpg

A view from the Second Line: how risk governance needs to change after Covid-19

September 18, 2020

On 3 September, The London Institute of Banking and Finance hosted a webinar to discuss how risk governance needs to change after Covid-19. The panel comprised risk experts from the first, second and third lines. In today’s blog, Paul Howard, who has over 40 years financial services experience, mainly in senior risk roles, summarises his key points from the webinar where he discussed his view from the Second Line.

In the context of operational resilience, Covid-19 continues to be the single greatest threat.  But as steps are taken to ease the lockdown its appropriate to take a moment to think about how risk governance adapted and needs to evolve to face the future?

Everyone has heard of “Back to the Future” and I think it’s fair to say that some businesses have been “Shocked into the future.”  It is a brave person that makes predictions at the moment.  

Is there a new paradigm for the way of working?  Communities of office workers may never again congregate and collaborate physically in the way they have done in the past.  People and valuable company assets including information and data are dispersed in ways that they have never been before.  This itself creates a whole range of new risks.  

As Target Operating Models evolve and settle how does risk governance need to evolve and adjust to identify and keep up with these new and emerging risks?

Readers may be familiar with the regulatory direction of travel around the need to develop ‘operational resilience’ and will have read the papers published by the UK regulators on the topic in the last couple of years.  Covid-19 has brought this to life massively and illustrated it is not just about business continuity – it is about the identification of critical functions and services.

Operational resilience is not about how long an organisation can hold its breath.  Rather, it is about how the firm can sustain and substitute critical services and do things differently, and effectively, indefinitely in a crisis.  This is in addition to remaining in effective control. 

What were the issues?

  • Governing the business in ‘crisis-mode’ and trying to deliver on BAU, is a tough balance for boards

  • Identifying and managing new and emerging organisational risks in a rapidly evolving scenario

  • Inability to fully assess, understand, accept, or mitigate the risks emanating from implementing temporary or modified processes.

What have we learned?

  • It is vital to define and prioritise critical controls needed 

  • There is a need to confirm that these critical controls are in place, and implement and monitor them 

  • Regulatory engagement is critical keep regulators in the loop about issues, plans, and next steps.  

What are the challenges when looking at the return to work? 

  • A need to re-establish and adapt post-crisis governance models

  • Reviewing processes, controls, and systems to reflect the ‘new normal’ and lessons learnt during the crisis

  • It is important to identify temporary/agile governance arrangements which proved to be effective in the crisis and can be transitioned to business as usual.  Never waste the learnings of a good crisis – what did we stop doing that we learned added limited value, and how did we get things done more efficiently without incurring unacceptable increased risk?

  • Enterprise wide risk registers need to be updated in the light of the “new normal”.

Overall, a broader view of operational resilience will be required.  Reactivating business operations will not be easy with new working arrangements.

How did we did things, how we do them now and changes to both ways of working and the operating model will have important consequences for the management and oversight of risk.  Governance oversight will need to adjust.   

However risk management and risk oversight adjust, the principles of good governance and the risk function’s role articulated in the Risk Coalitio udure.  It is the execution of this oversight that may require adjustment in the new normal.

Paul Howard - Interim CRO at Bank ABC in London

Tags: Paul Howard
Prev / Next

Blog

Featured
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson
Sep 25, 2023
Chris Burt
The implications of the revised UK Corporate Governance Code
Sep 25, 2023
Chris Burt
Sep 25, 2023
Chris Burt
Sep 13, 2023
Andrew Cunningham
Financial regulators take aim at crypto-finance
Sep 13, 2023
Andrew Cunningham
Sep 13, 2023
Andrew Cunningham