Alba Partners

The CxO Guide to Solving Third to Nth-Party Risk Management for Operational Resilience

Cascading Compliance Concerns

In recent years, as financial institutions have strived to boost efficiency and reduce costs, their reliance on third-party service providers has surged. The gains in cost efficiency, scalability, customer experience, expertise and innovation have been undeniable. However, this reliance on third parties is now exposing the same financial institutions to heightened operational risks that will be the focus of regulatory scrutiny across the globe in 2025 and beyond.

Regulations and frameworks including the European Union’s Digital Operational Resilience Act (DORA), the Basel Committee’s Principles for Operational Resilience, the UK PRA’s Operational Resilience policy, Australia’s CPS 230, and the EU NIS2 Directive have operational resilience at their core. They demand robust systems and processes to ensure operational continuity, safeguard data, and mitigate risks arising from third-party relationships. They also require both regulated financial institutions and their ICT service providers to evidence operational resilience to regulators in a complete and defensible form.

This white paper examines some of the third-party risk management (TPRM) challenges facing financial institutions. It highlights the questions accountable senior managers should be asking their Risk and Resilience teams and proposes actionable strategies to guide C-level executives in their quest to address them. It also explores the often-overlooked complexities of managing fourth to nth-party risks, offering insights into identifying and mitigating risks in these extended ecosystems.

Why Extend TPRM Across the Entire Supply Chain?

And Why Now?

The use of third-party service providers is nothing new. As society evolved over centuries and specialisms developed, the use of dedicated third-party outsourcers escalated. Look no further than the local flour mill or sawmill, shipping companies and merchants, and now financial services providers: as industries, societies and consumer expectations have become more complex, so too have the frameworks for outsourcing and third-party management.

The existence of fourth to nth level suppliers is also not new and not limited to the financial services sector. You may recall the disruption to global supply chains when a single container ship, the Ever Given, became lodged in the Suez Canal in 2021, blocking for six days the waterway that carries around 12% of global trade. News reports estimated damage costs of around US$1 billion and delays to almost US$60 billion worth of trade. But how many third parties had outsourced their transportation to the other 422 ships caught in the resulting “traffic jam”? What was the concentration risk, and how much visibility did organisations have of it? Probably little to none.

Financial institutions have travelled the same journey of needing to manage increasingly complex outsourcing and third-party relationships. In their pursuit of reduced costs and enhanced efficiency, alongside an increasingly digital and interconnected operating environment, reliance on external third parties including cloud service providers, IT support vendors, and payment processors has become the norm. In many cases these operational efficiencies come at the cost of new vulnerabilities. Cybersecurity threats, data breaches, service interruptions, and compliance failures in third-party ecosystems can have cascading impacts on financial institutions and their customers.

To address these risks, regulatory bodies worldwide are introducing frameworks like DORA, the UK PRA Operational Resilience guidelines, APRA CPS 230 and NIS2, which place stringent requirements on financial institutions to manage third-party dependencies. These include:

  • Enhanced due diligence
  • Continuous monitoring of third-party performance
  • Incident reporting and testing of resilience capabilities

For the regulators, and most financial institutions, the focus is firmly on addressing the implications surrounding Important Business Services (IBS) and the critical third parties (CTPs) that support them. TPRM frameworks already exist and, when asked, most institutions are likely to consider themselves “largely” compliant with the incoming regulations.

However, the regulatory focus is now expanding to encompass fourth to nth-party risks, complicating compliance even further. Managing these layers effectively is critical for maintaining operational resilience. On the face of it, risk management of a fourth (or fifth or nth) provider is conceptually the same as that of a third party. However, the risk management challenges of the third party are inevitably inherited by those further down the supply chain – and new challenges emerge at each subsequent level. How to address these and other complications introduced by fourth to nth-party risk management is discussed in Section 4 of this paper. 

Examples of Operational Resilience Breaches in the Supply Chain

Numerous real-world incidents demonstrate why a robust TPRM framework is so important in maintaining operational resilience. Regulators have been right to call this out as a systemic risk. Some of the operational resilience breaches involving ICT suppliers to financial institutions, which highlight the risks posed by vulnerabilities in third-party services, include:

  1. Accellion: Its legacy File Transfer Appliance (FTA) was compromised through zero-day vulnerabilities in late 2020 and early 2021, allowing attackers to exfiltrate sensitive data from multiple organisations, including financial institutions. The breach caused severe reputational damage, compounded by delayed customer alerts and insufficient patching of an end-of-life product.
  2. Blackbaud: A 2020 ransomware attack exposed customer data stored on Blackbaud’s cloud platform, affecting financial entities and other organisations globally. The breach highlighted the risks associated with cloud-based ICT providers.
  3. SolarWinds: Attackers inserted a backdoor into a signed build of the SolarWinds Orion platform, which was then distributed to customers as a legitimate update, impacting government and private sector clients, including financial firms. The breach demonstrated how a compromise of a supplier’s build and release process can cascade to every customer that trusts its updates.
  4. Okta: The identity management provider suffered a breach in 2022 after attackers gained access through an engineer at a customer-support contractor, a fourth party from the perspective of Okta’s own customers. This raised concerns about vendor management, as compromised authentication services can directly affect operational resilience for financial institutions reliant on Okta’s services.
  5. CrowdStrike: In July 2024, a faulty content update to CrowdStrike’s Falcon sensor triggered a logic error that crashed Windows hosts running the sensor, causing a global IT outage. The issue caused operational failures in critical sectors, including airports, public safety systems, and financial institutions, with an estimated 8.5 million Windows devices affected. Notably this was not a cyberattack: a trusted vendor’s own change process was the failure mode, which is exactly the kind of risk a TPRM framework must also cover.

These incidents underscore the need for rigorous risk management across the entire supply chain, including regular audits, real-time monitoring, and robust incident response strategies. They highlight the interconnected nature of modern financial operations and the critical importance of operational resilience frameworks.

New Challenges in Third-Party Risk Management

Although most financial institutions already have TPRM frameworks in place, new threats continually emerge which, combined with a step change in operational resilience related regulations for 2025, are making day-to-day monitoring and management of critical third parties more challenging. 

  1. Expanding vendor ecosystem

Financial institutions are increasingly outsourcing critical functions, including IBS, leading to an extensive network of third-party providers. Managing risks across this growing ecosystem while maintaining visibility and control is a significant challenge.

  2. Regulatory compliance

Incoming frameworks emphasise stringent oversight of third-party relationships, including governance, risk management, and operational resilience testing. Institutions looking to unify their compliance efforts often face challenges aligning their TPRM frameworks with overlapping regulatory requirements, within and across jurisdictions.

  3. Cybersecurity threats

Third-party ICT service providers often become targets for cyberattacks due to their integration with financial institutions’ systems. Compromises in a vendor’s environment can cascade into the institution’s operations, exposing sensitive data and disrupting services.

  4. Dynamic risk landscape

The risk profiles of vendors can change rapidly due to factors like financial instability, mergers, or geopolitical influences. Keeping pace with these changes requires dynamic monitoring capabilities and access to live third-party data.

  5. Limited resources

Smaller financial institutions often lack the resources to invest in advanced tools and expert teams to manage the complexities of TPRM. They are less likely to have deployed TPRM systems in the past, so the 2025 wave of regulation relating to third to nth-party risk management requires new investment in both technology and time to refine existing, or create new, TPRM frameworks.



Key Strategies for Effective Third-Party Risk Management

Given these shared challenges, we see financial institutions adopting similar strategies to address and mitigate them. The key focus has largely been on ensuring the framework is “robust”. The emphasis on the word “robust” is deliberate, as it means different things at the different organisational levels of an institution.

For the C-suite, the governance and information framework is key. Do they (for example) have access to the right information to make informed decisions? Can they have confidence in the controls surrounding critical third parties? Have they set an appropriate risk appetite, expressed as impact tolerances and recovery time objectives (RTOs) for each Important Business Service and grounded in a business impact assessment (BIA)?

As we travel down the organisation “robust” becomes more operational. Does the framework support due diligence? Does it allow for continuous monitoring? Does it generate appropriate management information for consumption by the C-suite?

In determining whether your TPRM framework is adequate from a regulatory and due diligence perspective accountable senior managers should be asking the following questions, and those responsible for operational resilience and TPRM should have answers:

  1. Have we established robust governance?
    • Board oversight: The board of directors or a dedicated risk committee should oversee third-party risk management.
    • Policy development: Comprehensive TPRM policies aligned with DORA and other regulatory frameworks must be established.
    • Risk ownership: Roles and responsibilities for managing third-party risks should be clearly defined.
  2. Is our due diligence comprehensive?
    • Register of information: Regulators expect financial institutions to maintain a comprehensive ‘Register of Information’ (ROI) containing detailed records of their third parties. This register is crucial for ensuring transparency, facilitating effective oversight, and enabling quick access to critical information to support compliance and risk management efforts.
    • Third party intelligence: Complete information on financial stability, security measures, data protection capabilities, and compliance with regulatory requirements should be recorded.
    • Thorough onboarding checks: Standardised questionnaires and audits should be incorporated into the onboarding process.
    • Ongoing due diligence: Tools that reassess vendors’ risk profiles dynamically ensure early identification of any deterioration in a vendor’s compliance or risk status.

    • Offboarding plan: A comprehensive offboarding plan should be developed during the onboarding process of a third party, including identified risks and corresponding mitigation strategies. The specifics of the offboarding plan will vary depending on the type of service provided.

  3. Are we capable of continuous monitoring?

    • Real-time intelligence: Monitoring platforms that offer real-time insights into vendor performance, cybersecurity risks, and compliance status should be implemented.
    • Key risk indicators: KRIs should be established to ensure early detection and response to emerging risks.
    • Concentration risk: Financial institutions can assess and monitor concentration risks associated with common fourth parties by leveraging information provided by their third parties about their respective providers.
    • Sentiment analysis: By utilising sentiment analysis technology, financial institutions can scan online content to detect positive or negative news about a third party, enabling them to take proactive measures as needed.
  4. Are we taking steps to enhance cybersecurity resilience?
    • Third-party cybersecurity: Vendors within the supply chain should be required to adopt – and be able to evidence – robust cybersecurity measures such as encryption, multifactor authentication, and secure access controls.
    • Periodic testing: Periodic penetration tests and vulnerability assessments on third-party systems should be conducted, within the scope and rules of engagement agreed contractually with the vendor, to expose weaknesses.
    • Incident response testing: Vendors should be included in incident response drills to improve coordination and ensure regulatory deadlines can be met.
  5. Does the technology we have today enable effective and defensible TPRM?
    • TPRM technology adoption: TPRM software should be utilised for gap analysis, incident management and centralised management of vendor risks, contracts, and compliance metrics.
    • Artificial intelligence: AI and machine learning are well suited to identifying potential risks and predicting failures. TPRM is also a promising use case for Generative AI, which can analyse large numbers of lengthy contracts for compliance far faster than human reviewers; its findings should nonetheless be sampled and validated by a human reviewer, since a missed or misread clause is itself a compliance risk.
    • TPRM managed services: TPRM-as-a-Service can be a viable option that reduces cost and time-to-value for firms with limited resources or expertise to develop and maintain an in-house system.

The answers to these questions will go a long way towards helping to assess how robust your TPRM framework is, how well it would stand up to scrutiny by auditors and regulators, and what changes are required.


New Challenges of Fourth to Nth-Party Risk Management

Financial institutions have not previously faced explicit regulatory obligations of this scope to monitor or report on fourth to nth-party risk. Most firms have managed to get their heads above water on third-party risk management, but the prospect of needing to monitor risks at all levels of the supply chain is proving daunting for many.

The first consideration is that the risk management of fourth to nth parties needs to “fit in” to the framework designed for third parties because, as discussed previously, they inherit the same challenges. Worrying for many, however, are the added challenges associated with managing and monitoring fourth to nth-party relationships, which also need to be addressed.

These include:

  1. Limited visibility on who these nth-party suppliers are: Financial institutions often lack direct access to information about their vendors’ subcontractors.
  2. Limited visibility on the relationship between third and nth-party suppliers: Even if financial institutions know who the nth-party suppliers are, they cannot see what contractual arrangements exist between them.
  3. Increased vulnerabilities: Each additional layer of vendors increases the attack surface, making the ecosystem more susceptible to breaches.
  4. Regulatory expectations: Regulatory frameworks require institutions to ensure that their third parties manage subcontractors effectively, including conducting checks on data localisation and cross-border transfers, which adds to the complexity.
  5. Complex incident management: Coordinating incident responses across multiple layers of vendors can delay recovery efforts and exacerbate disruptions.
  6. Concentration: Deep-set concentrations among nth-party suppliers are hard to identify and manage, and they amplify the impact of external events and drivers.

Key Strategies for Effective Nth-Party Risk Management in the context of TPRM

Financial institutions are increasingly turning their attention to fourth to nth-party risk management. However, with the requirement to scrutinise and monitor nth parties so rigorously being relatively new, the strategies formulated to manage nth-party risk are embryonic and largely unproven. 

To be effective these strategies must enable financial institutions to:

  1. Identify fourth to nth parties: To mitigate risks effectively, institutions must first identify their extended vendor ecosystems.
  2. Map relationships: Use tools to map the entire supply chain, including subcontractors and downstream providers. Develop visual dependency maps to understand interconnections.
  3. Get vendor disclosures: Require third parties to disclose their subcontractors and any changes in their supply chain as part of contractual obligations.
  4. Categorise risks: Classify fourth to nth parties based on their criticality to operations, the sensitivity of data they handle, and the potential impact of a disruption.
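As an added illustration of the mapping and categorisation steps above, and of the concentration-risk check described under continuous monitoring (identifying common fourth parties from what third parties disclose), the following Python is not code from the original paper, nor from Alba Partners or Gieom. It takes a Register-of-Information-style dataset (constructed here, with hypothetical service and supplier names), builds the dependency graph from Important Business Services through third parties to disclosed fourth parties, lists fourth parties shared across third parties, computes the set of IBS exposed to an outage at each fourth party, and surfaces third parties that have not disclosed their subcontractors as visibility gaps rather than silently treating them as having none.

```python
"""Dependency mapping and fourth-party concentration over a Register-of-Information-style
dataset. Added example, not Alba Partners' or Gieom's code; all names are hypothetical."""
from collections import defaultdict

# Constructed sample register: one row per
# (important business service, supporting third party, disclosed fourth party).
# A fourth party of None records that the third party has NOT disclosed its
# subcontractor for that service: a visibility gap, not "no subcontractor".
REGISTER = [
    ("Retail payments",      "PayProcCo",      "CloudHostA"),
    ("Retail payments",      "PayProcCo",      "KMSVendorX"),
    ("Retail payments",      "FraudScreenLtd", "CloudHostA"),
    ("Mortgage origination", "DocSignInc",     "CloudHostA"),
    ("Mortgage origination", "CreditBureauZ",  None),
    ("Treasury settlement",  "SwiftGatewayCo", "CloudHostB"),
    ("Treasury settlement",  "SwiftGatewayCo", "KMSVendorX"),
    ("Customer onboarding",  "IDVerifyCo",     "CloudHostA"),
]


def build_graph(register):
    """Return (ibs -> third parties, third party -> fourth parties, undisclosed third parties)."""
    ibs_to_tp = defaultdict(set)
    tp_to_fp = defaultdict(set)
    undisclosed = set()
    for ibs, tp, fp in register:
        ibs_to_tp[ibs].add(tp)
        if fp is None:
            undisclosed.add(tp)
        else:
            tp_to_fp[tp].add(fp)
    return ibs_to_tp, tp_to_fp, undisclosed


def shared_fourth_parties(register):
    """Fourth party -> sorted third parties that rely on it (concentration among suppliers)."""
    _, tp_to_fp, _ = build_graph(register)
    users = defaultdict(set)
    for tp, fps in tp_to_fp.items():
        for fp in fps:
            users[fp].add(tp)
    return {fp: sorted(tps) for fp, tps in users.items()}


def fourth_party_blast_radius(register):
    """Fourth party -> sorted IBS that transitively depend on it.

    Assumes (conservatively) that every third party listed against an IBS is necessary
    for that IBS, so an outage at any of its fourth parties affects the IBS.
    """
    ibs_to_tp, tp_to_fp, _ = build_graph(register)
    affected = defaultdict(set)
    for ibs, tps in ibs_to_tp.items():
        for tp in tps:
            for fp in tp_to_fp.get(tp, ()):
                affected[fp].add(ibs)
    return {fp: sorted(s) for fp, s in affected.items()}


def concentration_report(register, ibs_threshold):
    """Flag fourth parties whose blast radius covers at least `ibs_threshold` IBS
    (most exposed first) and third parties whose subcontractors are undisclosed."""
    _, _, undisclosed = build_graph(register)
    radius = fourth_party_blast_radius(register)
    concentrated = {fp: ibs for fp, ibs in radius.items() if len(ibs) >= ibs_threshold}
    ordered = sorted(concentrated.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {"concentrated": dict(ordered), "undisclosed": sorted(undisclosed)}


if __name__ == "__main__":
    report = concentration_report(REGISTER, ibs_threshold=2)
    for fp, ibs in report["concentrated"].items():
        print(f"{fp}: {len(ibs)} IBS exposed -> {', '.join(ibs)}")
    print("Subcontractor not disclosed by:", ", ".join(report["undisclosed"]))
```

On the constructed register, CloudHostA is used by four different third parties and sits beneath three of the four Important Business Services, which is the kind of hidden concentration the paper warns about; the single undisclosed entry is reported separately because an absent disclosure is an open question for the vendor, not evidence of low risk. The threshold is a policy input that should be set against the institution’s impact tolerances.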

Framework Changes Required to Facilitate Fourth to Nth-Party Risk Management

Rather than beginning from nothing, the TPRM framework used to monitor third parties should be your start point. This framework will address the risk management challenges inherent in all layers of the supply chain, leaving more time and resources to focus on framework updates required to overcome the added challenges of fourth to nth-party risk management. 

TPRM framework changes may include: 


  1. Flow-down contractual obligations

    • Require third-party contracts to include provisions mandating that their subcontractors comply with the institution’s security, operational, and regulatory requirements.
    • Include penalties for non-compliance and require timely notification of subcontractor changes. 
  2. Extended due diligence
    • Conduct due diligence on third parties’ subcontractor management processes.
    • Assess the robustness of their supply chain risk management practices and request evidence of compliance audits.

  3. Continuous monitoring

    • Leverage monitoring platforms that provide indirect visibility into the performance and risks associated with fourth to nth parties.
    • Implement automated alerts for changes in subcontractors’ risk profiles.

  4. Collaborative testing

    • Include fourth to nth parties in business continuity planning and testing exercises.
    • Engage critical subcontractors in cybersecurity and operational resilience drills.

  5. Collaborative training

    • Provide shared training programmes for all parties on regulatory updates and compliance practices.

  6. RegTech solutions

    • Use the kind of regulatory technology and artificial intelligence outlined in Section 3 to monitor compliance across extended ecosystems, ensuring alignment with regulatory frameworks.

While pre-existing TPRM frameworks will go some way towards helping firms to navigate fourth to nth-party risk management, new practices and specific measures will be required to account for nuances arising at various levels of the supply chain.

Metrics for Measuring TPRM Effectiveness

All TPRM Frameworks, including those that incorporate nth-party risk management, have the same goals and hence the same requirements to make them effective. 

It is important for financial institutions to put measures and reporting in place. In doing so they will be able to evidence to both accountable senior managers and regulatory authorities that their frameworks are delivering adequate protection and resilience to safeguard key stakeholders. These measures are also necessary to monitor progress over time. 

Metrics may include:

  1. Risk reduction
    Measure the percentage reduction in identified third to nth-party risks.
  2. Compliance rate
    Track the percentage of third parties and their subcontractors meeting contractual and regulatory requirements.
  3. Incident response time:
    Assess the average time to detect, respond to, communicate and resolve incidents involving third to nth parties, and ensure these satisfy regulators’ expectations.
  4. Vendor stability
    Monitor the financial health and performance consistency of vendors and their subcontractors.
  5. Resilience testing results
    Evaluate improvements in recovery times and coordination during simulated disruptions.

Ongoing monitoring and analysis against a set of well-defined metrics will ensure your TPRM framework achieves its objectives, is improved over time, and meets the expectations of key stakeholders. 


The Vital Role of Technology in Mitigating Supply Chain Risk

Reliance on decades-old technology and spreadsheets is ineffective in managing the complexities of TPRM and operational resilience, which require holistic oversight and dynamic (not linear) process management. Modern technologies play a key role in providing regulatory intelligence and helping financial institutions address TPRM by enabling efficient risk identification, monitoring, and mitigation strategies. Key contributions include:

  1. Automation and streamlined assessments
  • Risk assessment tools: Automation of due diligence and risk assessments. Technology platforms can standardise questionnaires and integrate live data sources to assess vendor risks comprehensively.
  • Artificial Intelligence (AI) and Machine Learning (ML): These technologies analyse large datasets to identify patterns or potential vulnerabilities in third-party relationships, such as historical breach data or financial instability. They can also be used to read supplier contracts at high speed and identify potential risk and compliance anomalies.
  2. Continuous monitoring
  • Real-time alerts: Platforms that continuously monitor vendor cybersecurity postures alert financial institutions to threats such as compromised credentials or newly disclosed vulnerabilities as they emerge.
  • Performance metrics dashboards: Dashboards are used to monitor third-party KPIs (Key Performance Indicators) and SLAs (Service Level Agreements), ensuring vendors meet performance and security standards consistently.
  3. Enhanced regulatory compliance
  • Compliance automation: Technology ensures compliance with regulatory frameworks by tracking regulatory changes and aligning third-party practices.
  • Document management: Automated solutions manage contracts, certifications, and audit trails, reducing the risk of non-compliance.
  4. Incident response and resilience
  • Simulation and testing tools: Platforms simulate third-party failure scenarios to assess potential impacts and refine contingency plans.
  • Resilience monitoring: Technology measures operational resilience by testing third-party systems against disruptions, ensuring critical services remain uninterrupted.
  5. Integrated risk platforms
  • Third-party risk portals: Integrated platforms offer a centralised view of all third-party relationships, risk scores, and associated documentation, enabling better decision-making. Role-based dashboards give individuals at all levels of the organisation a view of the actions that must be taken to preserve resilience and ensure compliance.
  • Cloud-based solutions: Cloud platforms offer scalable risk management tools that can adapt to changing vendor and regulatory landscapes, quickly and cost-effectively.
  6. Cybersecurity tools
  • Vulnerability scanning: Advanced tools find weak spots in third-party IT systems, within the scope the vendor has authorised, reducing the likelihood of breaches impacting individual financial institutions.
  • Access control systems: Technologies like identity and access management (IAM) limit vendor access to sensitive internal systems, reducing exposure.

By leveraging these technologies, financial institutions enhance their ability to proactively manage risks, comply with regulatory standards, and build resilience against potential disruptions in their supplier ecosystems. 


The Light at the End of the TPRM Tunnel

Operational resilience is imperative. Not only because regulatory authorities have put it front and centre of the 2025 regulatory agenda, but because it is the only way to provide maximum protection for customers, minimise risk for your firm, and protect the financial sector as a whole. 

With global regulators set to hold financial institutions truly accountable for operational resilience in 2025, it is essential that firms act fast to evolve their TPRM frameworks to address both direct vendor risks and the complexities of extended ecosystems. 

By asking the questions posed in this paper and having TPRM teams that can provide adequate and defensible responses, accountable senior managers can gain assurance that risk within the supply chain is being managed appropriately. 

By leveraging technology, enhancing supply chain visibility, fostering a culture of risk awareness, and aligning with regulatory expectations, institutions can build robust systems to manage third and fourth to nth-party risks effectively.

Proactively addressing these challenges will not only ensure compliance, earn customer trust, and mitigate reputational risk, but also enhance operational resilience, which safeguards institutions against disruptions in an increasingly interconnected financial landscape.


Authors


Jeff Simmons

Risk Management & Compliance Lead, Alba Partners

Jeff is an accomplished leader with over 25 years’ experience in industry driving strategic risk management, regulatory compliance and governance initiatives. He provides expertise in developing and implementing effective financial strategies aligned with corporate goals, coupled with a track record of driving process improvements. 

Nicola Cowburn

RegTech Advisor, Gieom

A FinTech and RegTech marketing leader for more than two decades, Nicola works with technology providers and their financial services clients to build and deliver effective solutions for regulatory compliance and risk management. In addition to providing product development expertise and formulating successful go-to-marketing strategies for RegTech firms, Nicola is an Ambassador for The RegTech Association.

About Alba Partners

Alba Partners is a boutique consultancy specialising in change and transformation. With expertise spanning Financial Services and beyond, our proven track record in delivering high-impact projects for leading institutions sets us apart.

Founded in 2020, Alba Partners blends the agility and personalised service of a boutique team with the expertise and experience of a top-tier consultancy. Our Financial Services practice has supported clients in navigating some of the industry’s most complex challenges across the trade lifecycle, including Dodd-Frank, MiFID II, Brexit, IBOR Transition, Operational Resilience, and Basel III. Additionally, we have successfully managed numerous mergers, acquisitions, exits and divestments.

Headquartered in Edinburgh with key offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners serves clients across Europe, the Middle East, and beyond. Our collaborative and flexible approach ensures that we deliver tailored solutions, aligning with each client’s unique requirements and goals.


About Gieom

Gieom is a leading provider of Generative AI-powered RegTech solutions, focused on enhancing operational resilience for financial institutions. We provide software that streamlines the management of policies, simplifies digital identity verification, mitigates risks, and implements operational resilience frameworks. Gieom has built custom templates to support compliance with regulations including the UK’s Operational Resilience Guidelines, the European Union’s Digital Operational Resilience Act (DORA), Australia’s CPS 230 and the EU NIS2 Directive.

With operations across Europe, the Middle East, and Asia Pacific, Gieom serves over 100 customers globally and is certified for ISO 27001 and ISO 9001.

A Good Crisis – Analytics, Regulation and Resilience – Alba x Quantifi Whitepaper


Authors

  • Jack Goss, Director, Professional Services

Jack is responsible for Professional Services and oversees all client related activity including implementations, product customizations and pre and post sales support. After graduating from economics at Cambridge, Jack started work for Henderson Global Investors as an Investment Analyst after which he moved to Rail-Pen as an Investment Manager. Jack then transitioned to Imagine Software where he was Head of Consulting (EMEA) and specialized in quantitative implementations. Jack holds numerous financial qualifications including a master’s degree in quantitative finance from CASS business school.

  • Jeff Simmons, Senior Advisor, Alba Partners

Jeff is an accomplished leader with over 25 years of expertise in managing crisis situations and mitigating organisational risks, having held pivotal roles such as Chief Risk Officer at MUFG and Head of Risk Capital Management at the Royal Bank of Scotland. He excels in designing and implementing comprehensive risk management frameworks that safeguard assets and reputation during critical times. With a strong track record of navigating complex regulatory landscapes, Jeff has developed and executed strategies that ensure business continuity and resilience. His proven ability to lead through uncertainty, coupled with a focus on aligning risk strategies with corporate objectives, has enabled him to successfully drive organisational stability and long-term success.

Introduction: Characteristics of Crisis

A crisis, by definition, is never “good.” However, in Financial Services, we often prefer crises where we can retain a significant degree of control. We say “significant” because crises, by their very nature, inherently involve elements of unpredictability and require a degree of flexibility in our responses.

While no two crises are identical, there are recurring patterns and characteristics that provide valuable insights. These similarities, both in the nature of the crises themselves and in the ways we respond to them, merit discussion. This whitepaper aims to first outline the principal characteristics of a crisis and then examine typical responses. We will explore how these responses might be refined to address crises in a more structured and effective manner.

Crises demand quick decisions, which require smart people across teams to operate on information they trust. This information is often a blend of raw data and analytics, both of which must be accurate, timely, and actionable. The role of analytics, in particular, is crucial. It transforms disparate data points into insights, enabling decision-makers to navigate uncertainty with greater confidence and agility. Without reliable analytics, the margin for error increases significantly, amplifying the potential impact of the crisis.

To fully understand how crises—and the corresponding responses—have evolved, we must first identify the key characteristics that define them. These characteristics serve as the foundation for our analysis.

It is important to note that a “crisis event” is not always easily quantifiable. What constitutes a crisis in one area may be viewed as an opportunity elsewhere. From a complexity perspective, crises do not always result in zero-sum outcomes. This nuanced nature requires careful consideration, beginning with a clear definition.

A crisis is commonly defined as “a time of great danger, difficulty, or doubt when problems must be solved, or important decisions must be made.” In this whitepaper, we will unpack this definition from a Financial Services perspective, delving into its core elements to better understand the challenges and opportunities inherent in managing crises.

Time

The first characteristic is that of time. In a crisis, time has three very important influences on the severity and outcome of a crisis.

1. The speed at which it happens or is identified

Some crises are “slow burn,” others may happen in an instant. It may be that the signals of the impending crisis have been well telegraphed (a Gray Rhino event), but appropriate action was not taken. The invasion of Ukraine by Russian forces can be thought of as well telegraphed, but it still took the world by surprise. COVID, however, impacted the globe over the course of just a few weeks.

2. The duration of the event

How long, for example, does the crisis last, if in fact, it has an end at all? How long does it take for the aftermath of the crisis and the actions taken as a consequence to become part of “normal”? The Global Financial Crisis (GFC) took some months to play out as new and complex information came to light and multiple decisions were required. COVID, in contrast, though it lasted almost two years, had limited impact once operations and living patterns adjusted within the first few weeks of its emergence.

3. The time frame in which decisions are required

In some cases, there is a requirement for almost instant decision-making (the flash crash, 9/11, Enron, etc.), while in other cases, there is in fact the “luxury” of time where analysis and collective decision-making can be performed (UBS/Credit Suisse, for example).

Threat

The second element is that of danger; we read this as impact in Financial Services. At the core are, again, three different characteristics of “a threat” to a Financial Services company. Please note that these are NOT in priority order, but we will let the reader make their own conclusions as to the order organisations will tackle a crisis as it arises.

The threat to the organisation or its shareholders

Here we have an event that may or may not be specific to the organisation but can, through its impact, have significant consequences on that organisation. Archegos is a good example, where, though several Financial Services entities were involved, some were impacted more than others depending on the scale of their exposure. Others are indeed very specific to an organisation: BNP Paribas and Barings had localised Front Office “issues” which impacted them significantly, both from a financial and reputational perspective (let’s leave Regulatory sanctions out of this for the minute). Essentially, this is where the organisation’s “survival mode” really needs to kick into action.

The threat to its customers

Again, if we put aside any Regulatory protection that a consumer may or may not have, it is the responsibility of the organisation to ensure that its clients/customers receive the appropriate level of service. Recent IT outages are good examples where, though not directly the fault of the Financial Services organisation, it is their responsibility to ensure that mortgages settle as appropriate, salaries are paid on time, and cash is available through ATM machines.

The threat to the wider ecosystem, be that financial, geopolitical, or environmental

Here, we also have Regulatory oversight, given the Regulators’ role in financial and consumer protection. Regulatory sanctions play a large part in the “danger” element regarding this aspect of a crisis. The Ukraine invasion, the Greece EURO Crisis, etc., may have little impact on an organisation or the bulk of its customers, but the sanction dimension has to be rapidly incorporated into an organisation’s compliance framework. Climate risk is another good example where an organisation and its customers may elect to take action to mitigate a “crisis,” with the Regulator also playing a part.

Decision-making Process

The third element is that of the decision-making process and the framework that is required to support those decisions. We have spoken above about the time aspects of a crisis as well as the impacted parties; here, both elements come together to influence the magnitude of the decisions required. What is clear though, is that the key components of any decision are:

  • There is always a common theme when it comes to decision-making in a crisis, and that is time constraints. Invariably, decisions must be taken within short time frames and can have large and significant impacts.
  • Decisions taken in short time scales need good, accurate and reliable analytics to support them. It is imperative that the analytics reach the decision-makers in an appropriately summarised and “information-based” form. All resources, both system and human, are focused on this output, and decision-makers must be in a position where they can trust both the analytics and the underlying data used to create them. These decision-makers cannot, nor should they be, put in a position where they are receiving different or conflicting information, the most common cause of which is differing methodologies across disparate systems.
  • The Response team is typically planned out in great detail; however, in the evolving world of crisis development, the war room composition changes. The events surrounding the UBS/Credit Suisse situation are a good example. What started off as a liquidity crisis in Credit Suisse quickly developed into a fast-moving merger/integration “crisis.” The response team had to change to reflect the fast pace of required decision-making, and its composition had to lie somewhere between a crisis management team and a team developed for mergers and acquisitions. There were, of course, numerous examples of this during the GFC and the Japanese Banking crisis.

Obviously, crises differ in the detail, with each one having its specific drivers, risks, impacts, and speed, but by simplifying them down into what are standard characteristics, it may enable organisations to be better prepared at the foundational level rather than at the reactive dimension. We will discuss the Regulatory perspective later in this paper; however, we know that in recent publications by the Global Regulators, there has been a particular focus on Operational Resilience and the ability for organisations to not only react to incidents but also ensure that they can withstand incidents. Resilience-related incidents are obviously significant given their potential impacts, but crises are not limited to just IBS-impacted ones.

Trusted analytics

Crisis resolution is distinct from most aspects of risk management in finance, where the focus is on risk appetite setting, risk detection, risk mitigation, and satisfying regulatory requirements. Typically, financial institutions emphasise proactive measures to manage and mitigate risks within acceptable levels and ensure compliance with regulations.

However, during a crisis, the approach shifts dramatically from prevention and regulation to immediate resolution and damage control. At the onset of a crisis, operations move into a ‘war room’ setting, which, in modern times, might be virtual. In this critical phase, the structured three-line defence model often collapses into a more dynamic and flexible huddle of key personnel tasked with crisis resolution.

Within the war room, the need for analytics undergoes a pronounced transformation compared to normal periods. During stable times, analytics often focuses on long-term trends, detailed forecasts, and comprehensive risk assessments, facilitating thorough and deliberate decision-making. The complexity of models and depth of analysis are prioritised to optimise performance and anticipate future opportunities.

In contrast, during a financial crisis, the urgency for immediate, reliable data increases dramatically. Decision-makers require rapid access to accurate information to navigate volatile markets and make quick, informed decisions. The emphasis shifts from extensive, detailed analysis to more straightforward, high-frequency data points that provide real-time insights. Trust in the data becomes crucial, as flawed or delayed information can lead to significant losses or missed opportunities. Consequently, the complexity of analytics is often reduced in favour of clarity and speed, enabling leaders to respond swiftly and effectively to the rapidly changing financial landscape.

This simplicity is often surprisingly difficult to achieve. To illustrate this, consider the following examples:

  • In a credit crisis, it is vital to have a clear understanding of current exposure to a troubled counterparty. While this understanding should have no ambiguity since there are no estimated parameters, it requires the ability to aggregate exposures from a wide variety of sources, including direct investments such as bonds, indirect investments via indices, and counterparty derivative contracts.
  • In a liquidity crisis, it is essential to have a short-term projection of cash flow, which necessitates a real-time, multi-currency understanding of cash projections and the trade life cycle.
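The credit-crisis bullet above is a good illustration of why “simple” analytics are hard to deliver: a single counterparty exposure figure has to be assembled from direct holdings, look-through of index positions, and netted, collateral-adjusted derivative exposure. The following is an added example, not code from the paper or from Alba Partners or Quantifi; the position data, index constituent weights and netting treatment are constructed assumptions to show the aggregation mechanics, and it deliberately fails loudly when look-through data for an index is missing rather than silently understating the number.

```python
from collections import defaultdict
from dataclasses import dataclass


# --- Constructed sample records (hypothetical, not real positions) ---------

@dataclass(frozen=True)
class Bond:
    issuer: str
    market_value: float        # direct holding, base currency


@dataclass(frozen=True)
class IndexHolding:
    index: str
    market_value: float        # value of the index/fund position


@dataclass(frozen=True)
class Derivative:
    counterparty: str
    mtm: float                 # mark-to-market; positive = counterparty owes us
    collateral_held: float     # collateral posted to us by the counterparty


# Constituent weights per index, needed to look through to the issuer.
INDEX_CONSTITUENTS = {
    "EUR-CORP-IDX": {"BANK_A": 0.10, "BANK_B": 0.05, "UTIL_C": 0.85},
}


def aggregate_exposure(bonds, index_holdings, derivatives, constituents):
    """Aggregate exposure per issuer/counterparty across three sources.

    Returns {name: {"direct", "indirect", "derivative", "total"}}.
    Raises KeyError if an index has no constituent data, because a
    missing look-through would silently understate the figure.
    """
    exp = defaultdict(lambda: {"direct": 0.0, "indirect": 0.0, "derivative": 0.0})

    # 1. Direct investments: the bond's own issuer carries the full value.
    for b in bonds:
        exp[b.issuer]["direct"] += b.market_value

    # 2. Indirect investments: look through the index by constituent weight.
    for h in index_holdings:
        weights = constituents.get(h.index)
        if weights is None:
            raise KeyError(f"no constituent data for index {h.index!r}")
        for issuer, w in weights.items():
            exp[issuer]["indirect"] += h.market_value * w

    # 3. Derivatives: net MTM per counterparty (one netting set assumed),
    #    then subtract collateral held; a negative net is no credit exposure.
    net_mtm = defaultdict(float)
    collateral = defaultdict(float)
    for d in derivatives:
        net_mtm[d.counterparty] += d.mtm
        collateral[d.counterparty] += d.collateral_held
    for cpty in net_mtm:
        exp[cpty]["derivative"] += max(net_mtm[cpty] - collateral[cpty], 0.0)

    for v in exp.values():
        v["total"] = v["direct"] + v["indirect"] + v["derivative"]
    return dict(exp)


def top_exposures(exposures, n=3):
    """Names ranked by total exposure, largest first: what a war room asks for."""
    return sorted(exposures, key=lambda k: exposures[k]["total"], reverse=True)[:n]


def sample_exposures():
    """Run the aggregation on the constructed book above."""
    bonds = [Bond("BANK_A", 5_000_000.0), Bond("UTIL_C", 1_000_000.0)]
    index_holdings = [IndexHolding("EUR-CORP-IDX", 20_000_000.0)]
    derivatives = [
        Derivative("BANK_A", 3_000_000.0, 1_000_000.0),   # in-the-money swap
        Derivative("BANK_A", -500_000.0, 0.0),            # out-of-the-money, nets down
        Derivative("BANK_B", -2_000_000.0, 0.0),          # we owe them: no exposure
    ]
    return aggregate_exposure(bonds, index_holdings, derivatives, INDEX_CONSTITUENTS)


if __name__ == "__main__":
    result = sample_exposures()
    for name in top_exposures(result):
        print(name, {k: round(v) for k, v in result[name].items()})
```

In the constructed book, BANK_A’s total is 8.5m: 5m direct, 2m through the index, and 1.5m of derivative exposure after netting (+3m, -0.5m) and collateral (1m). The point the paper makes is visible in the code: none of these inputs is an estimate, yet the figure is only trustworthy if every source feeds the same aggregation with the same netting and look-through conventions.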

To build trust in any methodology or analytic takes time which is not available in a crisis. Financial institutions routinely employ advanced analytics, such as Monte Carlo simulations, scenario analysis, stress testing, and “what-if” analysis as part of their business-as-usual processes. These tools are essential for ongoing risk management, enabling organisations to assess potential vulnerabilities and make informed decisions under normal conditions. The continuous use of these methodologies in everyday operations helps institutions build a deep familiarity and trust in their analytic frameworks.

This trust can only be built through both a broad and detailed understanding. Broad, in the sense that everyone included in the war room, needs to grasp the fundamentals of the analytics being used. Detailed, in the sense that it is crucial to know exactly how the analytics react under stressed conditions and having a plan for if those conditions were breached. This detailed analysis needs creativity in imagining the possible as it is often more extreme than was previously imagined – negative oil future prices being a good example.

In essence, the seamless transition from routine risk management to crisis response is enabled by the prior integration of these advanced analytics into the organisation’s daily operations, ensuring that leaders can act decisively when a crisis hits.

How will AI change crisis preparation?

It is intriguing to consider whether the introduction of Artificial Intelligence (AI) will alter the situation described above. We believe this is unlikely. In the case of systemically important institutions, decision-making is likely to remain in human hands for the foreseeable future. Consequently, it is essential that humans trust the analytics used in these decisions. For a human to trust these analytics, they must have confidence that, given the time, they could independently reconstruct the analytical processes involved.

Nevertheless, AI can play a significant role in other areas. Specifically, AI can be utilised for pre-emptive data cleansing, ensuring that the data used for analytics is accurate and reliable before any crisis occurs. Additionally, AI can assist in identifying and mitigating potential data biases, thereby enhancing the overall integrity of the decision-making process. Ultimately, while AI may not replace human decision-makers, it can significantly support and enhance the quality of the data and analytics on which those decisions are based.

Where are the regulators on all of this?

Now, let us consider where the Regulators have been during these crises because what we do know is that they have not been taking a back seat, rather the opposite.

The Regulators (globally) have identified some of the key aspects of crisis management and have increased their regulatory demands and expectations in those areas.

The key area where they have identified weaknesses is that of data. Largely stemming from the relative chaos that was the GFC, they started an initiative to ensure that data used to mitigate the impact of crises was of good enough quality to make the right decisions. They required organisations to ensure that their data satisfied three main criteria:

  • There was a robust governance framework around the architecture and infrastructure implemented to capture and store the data, including defined roles and responsibilities at the departmental and committee levels.
  • There should be a documentation framework surrounding the data, including data dictionaries, process descriptions, and data lineage.
  • All of the data should be controlled by a data quality management framework that includes Data Quality Indicators, Data control plans, and appropriate MI to support the analysis of data and data quality.

The resultant regulation, BCBS 239, attempted to encapsulate all of these characteristics in 11 principles to be adopted in January 2016. As of 2024, many banks in the UK are still facing difficulties in fully implementing the BCBS 239 principles. Common challenges include outdated IT systems, insufficient prioritisation by senior management, and limited resources allocated to improving risk data aggregation and reporting capabilities. Despite ongoing efforts, these issues have slowed progress, making full compliance difficult for most institutions.

The Regulators also saw the value in ensuring that organisations were prepared for the next crisis. We saw a wave of stress tests descend upon the financial services sector, starting with the CCAR and quickly spreading around the globe with the ECB, BOE, HKMA, etc. They were all designed to highlight potential vulnerabilities in capital structures and capital resilience when subjected to shocks. Stress testing spawned a whole industry within the sector, with significant investment being made in technology, data, and modelling capabilities. The main change, though, that stress testing brought to the sector was awareness by senior management of their vulnerabilities and, therefore, the proactive development of mitigation strategies. There was also, of course, the main driver of fear that they would be highlighted on the front pages of the financial press as having “failed” the stress.

The theme of stress testing continued, making its way into the insurance sector and recently through the Operational Resilience lens. The key objective is the same though in principle, and that is to ensure that organisations are prepared for a range of plausible scenarios that can stretch their weaknesses.

Adherence to the stress testing requirements for those impacted organisations has been strict and complete, with the reality being that the regulators have requested them to run the scenarios. The scenarios are largely prescriptive, so differing interpretations across the sector are limited. Notable among the prescriptive nature is that of the constant versus evolving balance sheet. No matter what your opinion, the regulator sets the rules, and they must be followed. Debates over the impacts of drawdowns, revolving credit facilities, and credit migration tended to be simplified in the published methodologies.

We must ask ourselves, though, what of those institutions that were not required to perform the stress tests? In 2023, for example, a total of 57 Euro area banks under direct ECB supervision were included in the EBA sample. Some may have been excluded due to participation in other exercises, but this still left a large number who would either run the stresses voluntarily or, most likely, not at all given the technical and organisational costs.

Another positive aspect of the stress testing frameworks required by the regulators is that of “war room” style testing, especially around Liquidity and Operational Resilience. This has enabled organisations to fine-tune their plans, create their governance, and run them through “real-world” situations.

This leads us to the next steps in regulatory preparation regarding crisis management, and that is the impacts on the Second/Third tier organisations and the Non-Banking Financial Institutions (NBFI). From a systemic perspective, they may not play a material part in the overall financial stability of a regime, but they would, of course, have their own crises or be swept up in other more widespread crises. The onus on them is obviously not as stringent as for some of the G-SIFIs, but they still have shareholders, staff, and customers to protect. The regulators are now starting to turn their attention to this next category of organisation. They have an advantage here in that they can leverage the work done by those organisations before them, perhaps relying on systems, methodologies, and data which are now available. A number of the issues experienced in the “early days” of stress testing and scenario analysis have now been resolved by vendors and data providers. SME assistance is readily available through change and transformation specialists; these same SMEs now have significant experience in Operating Models and Stress Testing frameworks. It is possible now for organisations to go from “not a lot” to “we are prepared” very quickly using this wealth of knowledge and systems capability. The disadvantage, though, is that there is a cost. It may be less expensive than 10 years ago, but it is a cost, nonetheless.

Conclusion

As regulators continue to raise the bar, organisations must focus not just on compliance but on developing operational resilience that goes beyond regulatory demands. Stress testing and scenario analysis are crucial tools that enable institutions to anticipate crises and respond effectively.

Ultimately, while crises will continue to evolve in nature and scope, institutions that invest in resilient systems, trusted analytics, and tried and tested decision-making processes will be better positioned to weather future disruptions. Effective crisis management is not just about reacting to events but about building the capacity to withstand and emerge stronger from them. Building trust in analytics and ensuring that decision-makers have reliable, real-time information are essential steps in crisis resolution.

About Alba Partners

Alba Partners is a boutique consultancy specialising in change and transformation. With expertise spanning Financial Services and beyond, our proven track record in delivering high-impact projects for leading institutions sets us apart.

Founded in 2020, Alba Partners blends the agility and personalised service of a boutique team with the expertise and experience of top-tier consultancy. Our Financial Services practice has supported clients in navigating some of the industry’s most complex challenges across the trade lifecycle, including Dodd-Frank, MiFID II, Brexit, IBOR Transition, Operational Resilience, and Basel III. Additionally, we have successfully managed numerous mergers, acquisitions, exits, and divestments.

Headquartered in Edinburgh with key offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners serves clients across Europe, the Middle East, and beyond. Our collaborative and flexible approach ensures that we deliver tailored solutions, aligning with each client’s unique requirements and goals.

albapartners.co.uk

About Quantifi

Quantifi is a provider of risk, analytics and trading solutions. Our award-winning suite of integrated pre- and post-trade solutions allows market participants to better value, trade and risk manage their exposures and respond more effectively to changing market conditions.

Founded in 2002, Quantifi is trusted by the world’s most sophisticated financial institutions including five of the six largest global banks, two of the three largest asset managers, leading hedge funds, insurance companies, pension funds and other institutions across 40 countries.

London +44 (0) 20 7248 3593

New York +1 (212) 784-6815

New Jersey +1 (908) 273-9455

Sydney +61 (02) 9221 0133

www.quantifisolutions.com