TAIL EVENTS ARE HAPPENING MORE OFTEN – WHITEPAPER BY ACTIVEVIAM & ALBA PARTNERS

TAIL EVENTS ARE HAPPENING MORE OFTEN

MASTERING UNCERTAINTY IN AN UNPREDICTABLE WORLD

Abstract


Alba Partners and ActiveViam were proud to host an exclusive CRO breakfast roundtable at the start of May 2025 on the topic of “Mastering Uncertainty in an Unpredictable World”. The conversation flowed from the outset with perhaps one of the key quotes being:


“It seems that tail events are happening more frequently…”


This was a very telling statement and one that was explored in more detail throughout the event. A large number of subjects were touched upon. Of particular interest was the discussion around the deterioration of the US ecosystem as a stable and safe haven. That this was happening was not the point of debate; the focus was on the first- and second-order impacts and on the possible alternatives.


Operational resilience was also touched upon, but not in the traditional context; the discussion centred on the link between resilience and current global events (financial and geopolitical). Questions such as how financial and physical supply chains could be assessed and evaluated were raised and discussed. All agreed that the principal challenge was how well organisations know their customers: their sensitivities to their own supply chains, and how this affects their credit standing and default probabilities.


What quickly became evident was the need to be able to access more data quickly and in a flexible way.


While the frequency of tail events may feel unpredictable, organisations are not powerless in their response. The challenge is not merely one of foresight but of preparedness: ensuring that the right questions are being asked, that the right data is accessible, and that decision-making structures are agile enough to respond to disruption in real time. Strengthening operational resilience is no longer about compliance; it is about survival in a world where interdependence is both an asset and a liability. Organisations that invest in better visibility, more dynamic scenario planning, and a deeper understanding of their clients’ vulnerabilities will be better positioned not just to endure the next dislocation, but to emerge stronger because of it.


This whitepaper explores these themes in more detail.

THE CHANGING RELATIONSHIP WITH USA

DETERIORATION OF THE US ECOSYSTEM

When President Trump was elected in November 2024, markets reacted positively in the expectation of renewed economic growth and financial stability emanating from the USA. Since January, however, as the reality of the new administration’s policies has come to be understood, that early confidence has vanished and markets are now (May 2025) around 5% off their mid-December peak.

The tariff announcement was not the first sign of trouble though. The change in policy regarding foreign aid, the impatience to impose a settlement to conflicts in Europe and the Middle East, and the drive to reduce federal spending were creating nervousness even before the start of April. For the time being we have some respite but there is a feeling that the markets have not yet adjusted sufficiently. Perhaps companies are running down inventory and taking other tactical measures and that explains the modest 5% correction we currently see. The lack of visibility and resilience in supply chains is discussed later, but we should be ready for a further correction as the new arrangements start to bite.

 

The response to the tariffs has been uneven and a variety of reactions can be observed. Apple announced a plan to reduce manufacturing in China, but rather than bringing that work back to the USA, it is transferring it to India instead. Apple cites the large numbers of qualified scientific and engineering staff needed to support high-tech, high-volume manufacturing and points to the plentiful supply of these skills in China and India. Low cost, it seems, is not the main driver. This indicates a structural challenge which applies not only to the USA but to many European economies too. The recent trade agreement between the UK and USA makes it possible for American motorists to buy Range Rovers and Jaguars at reasonable prices; the prospect of tariffs does not seem to have reinvigorated their support for domestic brands. On the other hand, there appears to be a constructive dialogue with China about future trading relationships, which was, after all, the President’s primary objective.

The Dollar is still the world’s reference currency and will continue to be for the foreseeable future but alternatives are emerging in Europe and from China. While there are arguments in favour of using a blend of currencies, the challenges are many and varied.

 

  • The US Treasury market is huge both in terms of volumes and liquidity making it easy to buy and sell large volumes without significant price impacts. Establishing comparable markets for EUR, RMB and others would take time.
  • The challenges of co-ordinating multiple central banks, regulators and timezones would be complex and time consuming.
  • And the legal and technical networks are set up to use the Dollar; dislodging it would be comparable to shifting the world’s business language from English.

 

A significant development is the serious discussion around a potential move away from the Dollar’s dominance, marking a change from the past 80 years.

OPERATIONAL RESILIENCE IN THE 'NEW' WORLD

REDEFINING OPERATIONAL RESILIENCE

Following the general theme of this white paper, we can almost trace the development and evolution of Operational Resilience through the financial and geopolitical events of the past decade.

Let’s take a moment to reflect on the “good old days” when interest rates and inflation were low, we lived in (for the most part) peaceful times, and apart from some issues which may have impacts in the future (AI and climate, for example) there was little to sway us from a carefree path. In this most perfect of worlds, resilience (and the need for it) had not been invented; our infrastructures were protected by robust disaster recovery processes, and tail events were those rare ructions that risk managers built stress tests around to demonstrate preparedness. To put this into context, it was only 18 years ago that Nassim Taleb invented the term “Black Swan” (1st edition published 2007).

We now live in a very different world. The past decade has effectively seen a financial and geopolitical regime change; it is as if the world has been turned upside down. The subject of this section, therefore, is how financial and geopolitical changes impact Operational Resilience and why it is that “tail events seem to be happening more often”. This is hardly surprising when we think of the three main contributors to the current suite of Black Swans, namely geopolitics, AI and climate. As all three are now experiencing increased volatility, and given their interconnectedness, we would expect to see an increased frequency of Black Swan events. But why does this seem to impact Operational Resilience?

Let’s first explore the significantly increased complexity in our financial framework. The geopolitical environment has become a lot more uncertain and, as a consequence, significantly more volatile. Strategies need to be fluid and flexible, responses to events more timely and reactive, and staff all performing at the top of their game.

There has been a surge, or more accurately an explosion, in demand from consumers for tailored products and services, all to be delivered almost instantly. In order to satisfy this demand, physical and financial supply chains have had to become more efficient, with just-in-time delivery tolerances shaved to razor thinness. All of this has been predicated on a flexible global supply chain (for physical goods) and on IT systems and products which ensure that supply is delivered in the most flexible and efficient manner possible. Banking and financial services are no different, with more bespoke products and increased demands from clients.

Such complexity carries increased risk. Disruption throughout this physical/financial supply chain has knock-on effects which (to steal the phrase from the financial regulator) cause “intolerable harm to the consumer”.

Let’s now explore the areas where there is the most complexity, and the risks that this entails.

 

The first is of course the increasing concentration of services and products onto a small number of suppliers. The most obvious example is the “Tech Titans”, namely Alphabet, Amazon, Apple, Meta and Microsoft. Financial services have, for the most part, developed infrastructures which are almost wholly reliant on these technologies. The concentration risk here is evident, and of course significant. To state the obvious: we have a highly regulated financial services sector concentrated on a (largely) unregulated set of third-party systems providers. If we overlay this with the evolving political situation in the US (whose regulations these companies are subject to) we can start to see how political divergence can lead to financial framework instability and hence risk. The concentration risk, and the consequences of a failure in any of these “Tech Titans”, would be significant. This concentration is not limited to the IT sector. One such example is that of rare earth magnets, 90% of which are supplied by China. A temporary ban on the export of these magnets from China in April 2025 caused significant downstream production delays in dependent industries across the globe. These magnets are used by high-tech industries, from automotive and semiconductors to defence, aerospace and robotics.

The second is consumer demand and the “supply chain” needed to support it. The obvious category here is IT systems. They have become increasingly sophisticated, with AI being used across many sectors to augment the customer experience. With increased complexity comes increased risk. The failure of any component (whether through accident or malicious intent) can have significant impacts further along the chain in the services sector, of which there are many documented examples.

We have seen cases where well-known UK retailers have suffered major outages due to cyber attacks (and, as we write this paper, are still trying to recover weeks after the attack), as well as a leading automotive company being unable to sell its products over the course of a weekend because of issues with its order and inventory systems. Outside the IT environment we also have real risks to concentrated and complex supply chains. Who can forget the impact on the global supply chain when a single ship became lodged in the Suez Canal, or the disruption caused when a bridge in Baltimore was suddenly rendered unusable?

The increased use of AI has of course not been limited to the “honest brokers” in the various products in which it is employed. We now have cyber attack “franchises” where aggressive DDoS tools can be rented. Malicious agents are not bound by policies or procedures, UAT, release schedules or production release windows. Their time to market is a fraction of that faced by those on the other side of this arms race. The genie is out of the bottle, and even a slowdown by honest brokers in the use of AI will not slow down those with malicious intent. Now throw geopolitical objectives into the mix and the result is a dangerous cocktail: a well-funded and capable attack force.

So how can organisations go about protecting themselves? In a strange twist of fate, it could be that the Financial Services regulatory regime will drive best practice with regard to Operational Resilience, especially as we see an increasing number of failures at non-financial-services companies. The concept of “resilience”, as distinct from “recovery”, starts to carry more weight when we apply the objective of the regulations, which is to “weather the storm” rather than “don’t let the storm occur”. Organisations now need to accept that Black Swan events WILL occur and, on that assumption, ensure minimum disruption to the client base and the resumption of normal service.

DATA ACCESSIBILITY AND ANALYSIS

NEED FOR MORE DATA AND FLEXIBLE DATA

As we face an ever-increasing incidence of tail events, our ability to assess and respond becomes a greater focus. The response to these tail events cannot be constructed until we are confident we know where our weaknesses lie. This leads us to the question (which almost all risk managers have asked, or been asked, in their careers):

“how much exposure do we have to…”

or

“what would the impact be if…”

 

In the previous section we discussed the three factors driving most current tail events, namely geopolitics, climate and AI. All of these would almost certainly manifest themselves as impacts on the credit portfolios of financial institutions. We say this because market shocks (including liquidity) are largely portfolio based and well catered for in general risk management practice. In times of crisis, credit becomes very idiosyncratic, with portfolio effects all but disappearing.

As an example, when Russia invaded Ukraine for the second time in 2022 there was a double impact on credit portfolios. Firstly we had the sanction regime being significantly enhanced, so that direct and indirect relationships with Russian organisations fell under the restrictions. Secondly we had the direct counter threat by Russia to cut off the gas flows into western Europe.

 

Risk managers were then asked two questions:

 

  1. What non-Russian organisations were indirectly connected with Russian ones?
  2. What was the sensitivity of our clients to a western Europe gas shortage?

In an ideal world, adding a couple of filters to your comprehensive credit risk database would yield the answers to these two questions almost instantly. Unfortunately the reality is far from that, even in the most sophisticated organisations. At the core is how well relationship managers really know their customers; there is nothing like a good crisis to test the quality of your KYC framework.

Obviously once management has the answers, responses can be formulated and enacted, valuations made and writedowns performed as appropriate.

We now have a new class of client: our third-party suppliers. How well do we really know them? Do we follow the same rigour in our Third Party Risk Management (“TPRM”) framework as we do for our KYC one? The regulators expect the answer to be “yes”, of course, but as with KYC, there is nothing like a good crisis to test your supply chain. How sensitive are your critical suppliers (continuing the Russian gas example) to gas shortages? Are they, or their upstream suppliers, connected with Russian organisations?

How well then do we really know our suppliers and the supply chain that supports them?

 

If we are now applying a full KYC ethos to our suppliers, then by extension the question of ascribing a valuation through risk management should also be considered. We have started to see the inclusion of TPRM in our ICAAP framework. Will we see a day when regular “valuations” of our third-party exposure are somehow factored into our P&L? Recall that a concept such as CVA has only been with us (formally) since the 2007/08 crisis and is now a mainstay of our traded credit valuation framework; will we see the day when we have a TPRM equivalent?

The inclusion of TPRM in risk frameworks, apart from questions about methodology and algorithms, raises questions about the availability of high-quality, usable and performant data sets. The increasing sophistication of cloud-based data warehouses is reducing the cost of entry for new data providers. This is, of course, a double-edged sword. The technology encourages innovation, making it easier and cheaper than ever before to create and deliver datasets. However, that is no guarantee of quality. Datasets must have a known lineage and conform to industry-wide taxonomy conventions; those attributes are essential if the dataset is to be usable. Finally, we need to be confident that the data is up to date and accurate: either timestamped so that we know when it was created, or supplied with a validity period (required for back-testing and retrospective analysis). These temporal characteristics are essential if the dataset is to be performant.

New datasets pose a number of challenges to the analytics and reporting infrastructure. Answering the question posed earlier about transitive data relationships puts the following demands on the analytics layer. It needs to be simple to merge a new dataset into an existing data model and for the taxonomy to be easily mapped (for example does a rating of A in the new dataset mean the same thing as an A in my current dataset?).

 

The analytics layer needs to be able to slice, dice and filter by attributes in the new dataset in any combination with existing attributes.

Perhaps the most difficult requirement is to reflect the new filter accurately in the subtotals and totals of the calculations. This becomes extremely complex when the aggregation functions are non-linear (such as netted exposures, or value at risk): a filtered subtotal cannot simply be derived from existing totals but must be recomputed from the underlying records.
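The two questions asked of risk managers earlier (which organisations are indirectly connected with a sanctioned one, and how much exposure we hold to them) and the non-linear aggregation problem just described can be made concrete. The Python below is an added example, not code from the whitepaper or from either firm’s products; the trades, the supplier graph and the placeholder name ENTITY_X are constructed. It finds counterparties transitively connected to ENTITY_X via a newly merged supplier dataset, then shows that a gross exposure subtotal is additive while a netted one is not, so the netted figure has to be recomputed at trade level once the new filter is applied.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the whitepaper): trade-level mark-to-market
# values by counterparty and netting set. Positive = owed to us, negative = we owe.
# AlphaCo and AlphaSub sit under one group netting agreement (NS-1), which is
# what makes the filtered netted subtotal non-additive below.
TRADES = [
    # (counterparty, netting_set, mtm)
    ("AlphaCo", "NS-1", 120.0),
    ("AlphaSub", "NS-1", -80.0),
    ("BetaGmbH", "NS-2", 50.0),
    ("BetaGmbH", "NS-2", -90.0),
    ("GammaLtd", "NS-3", 70.0),
    ("GammaLtd", "NS-3", 30.0),
]

# Constructed supplier graph from a newly merged third-party dataset:
# (customer, supplier). "ENTITY_X" is a hypothetical placeholder for an
# organisation that has just fallen under a sanctions regime.
SUPPLIER_EDGES = [
    ("AlphaSub", "DeltaParts"),
    ("DeltaParts", "ENTITY_X"),
    ("BetaGmbH", "EpsilonLogistics"),
    ("GammaLtd", "DeltaParts"),
]


def transitively_connected(edges, target):
    """Return every organisation that reaches `target` through one or more
    supplier hops (breadth-first search over the reversed supplier graph)."""
    customers_of = defaultdict(list)
    for customer, supplier in edges:
        customers_of[supplier].append(customer)
    flagged, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for customer in customers_of[node]:
            if customer not in flagged:
                flagged.add(customer)
                queue.append(customer)
    return flagged


def gross_exposure(trades):
    """Linear aggregate: sum of positive MTMs, so subtotals add up to the total."""
    return sum(max(0.0, mtm) for _, _, mtm in trades)


def netted_exposure(trades):
    """Non-linear aggregate: net within each netting set, floor at zero, then
    sum across sets. net(A) + net(B) != net(A + B) when A and B share a set."""
    by_set = defaultdict(float)
    for _, netting_set, mtm in trades:
        by_set[netting_set] += mtm
    return sum(max(0.0, v) for v in by_set.values())


def exposure_report(trades, edges, sanctioned):
    """Answer "how much exposure do we have to organisations indirectly
    connected with `sanctioned`?" and show why the netted subtotal must be
    recomputed from trade level rather than derived from existing totals."""
    flagged = transitively_connected(edges, sanctioned)
    in_scope = [t for t in trades if t[0] in flagged]
    rest = [t for t in trades if t[0] not in flagged]
    return {
        "flagged": sorted(flagged),
        "gross_total": gross_exposure(trades),
        "gross_flagged": gross_exposure(in_scope),
        "gross_rest": gross_exposure(rest),
        "netted_total": netted_exposure(trades),
        "netted_flagged": netted_exposure(in_scope),
        "netted_rest": netted_exposure(rest),
    }


if __name__ == "__main__":
    report = exposure_report(TRADES, SUPPLIER_EDGES, "ENTITY_X")
    for key, value in report.items():
        print(f"{key:>15}: {value}")
    additive = report["netted_flagged"] + report["netted_rest"] == report["netted_total"]
    print("netted subtotals add up to the total:", additive)
```

With the constructed data the gross split (100 + 170) reproduces the gross total of 270, whereas the netted split (100 + 120) does not reproduce the netted total of 140, because the filter cuts through netting set NS-1.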

About ActiveViam

ActiveViam is a fast-growing financial data analytics solution provider. Built for and trusted by leading financial institutions, ActiveViam delivers active intelligence for complex financial analytics. It combines unrivalled technology, continuous innovation and exceptional people to unlock the power of real-time and granular data at scale. Designed as a high-performance semantic layer, ActiveViam’s flagship product Atoti, allows clients to implement built-in front office and risk business solutions while accessing customizable technology.

 

ActiveViam is present in the world’s leading financial marketplaces with presence in London, New York, Singapore, Sydney, Hong Kong, Paris and Frankfurt.

 

For more visit activeviam.com or follow on LinkedIn

About Alba Partners

Founded in 2020, Alba Partners is a specialist consultancy combining the agility and personal service of a boutique with top-tier delivery expertise. Our Financial Services practice supports leading institutions across regulatory change, risk, and transformation initiatives, including IBOR, Basel III, and Operational Resilience. We have also led complex mergers, acquisitions, exits, and divestments. With deep capabilities in Programme Delivery, Business Change and Data & AI, we help clients respond to fast-moving market demands. Headquartered in Edinburgh, with offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners delivers across Europe, the Middle East and beyond.

 

For more visit albapartners.co.uk and follow on LinkedIn

The CxO Guide to Solving Third to Nth-Party Risk Management for Operational Resilience

Cascading Compliance Concerns

As financial institutions have strived to boost efficiency and reduce costs in recent times there has been an upsurge in reliance on third-party service providers. Gains in cost efficiency, scalability, customer experience, expertise and innovation have been undeniable. However, this reliance on third parties is now exposing these same financial institutions to heightened operational risks that will be the focus of regulatory scrutiny across the globe, in 2025 and beyond. 

Regulations and frameworks including the European Union’s Digital Operational Resilience Act (DORA), the Basel Committee’s Principles for Operational Resilience, UK PRA Operational Resilience, Australia’s CPS 230, and NIST2 have operational resilience at their core. They demand robust systems and processes to ensure operational continuity, safeguard data, and mitigate risks arising from third-party relationships. They also require both regulated financial institutions and their ICT service providers to evidence operational resilience to regulators in a complete and defensible form.

This white paper examines some of the third-party risk management (TPRM) challenges facing financial institutions. It highlights the questions accountable senior managers should be asking their Risk and Resilience teams and proposes actionable strategies to guide C-level executives in their quest to address them. It also explores the often-overlooked complexities of managing fourth to nth-party risks, offering insights into identifying and mitigating risks in these extended ecosystems.

Why Extend TPRM Across the Entire Supply Chain?

And Why Now?

The use of third-party service providers is nothing new. As society evolved over centuries and specialisms developed, the use of dedicated third-party outsourcers escalated. Look no further than the local flour mill or sawmill, shipping companies and merchants, and now financial services providers: as industries, societies and consumer expectations have become more complex, so too have the frameworks for outsourcing and third-party management.

The incidence of fourth to nth level suppliers is also not new and not limited to the financial services sector. You may recall the total collapse of supply chains when a single container ship became lodged in the Suez Canal in 2021, blocking the waterway that enables the flow of 12% of global trade for six days. News reports estimated damage costs of around US$1 billion and delays in almost US$60 billion worth of trade. But how many third parties had outsourced their transportation to the other 422 ships impacted by the resultant “traffic jam”? What was the concentration risk and how much visibility did organisations have with respect to this risk? Probably little to none.

Financial institutions have travelled the same journey of needing to manage increasingly complex outsourcing and third-party relationships. In their pursuit of reduced costs and enhanced efficiency, alongside an increasingly digital and interconnected operating environment, reliance on external third parties including cloud service operators, IT support vendors and payment processors has become the norm. In many cases the significant operational efficiencies these relationships bring are countered by the introduction of new vulnerabilities. Cybersecurity threats, data breaches, service interruptions and compliance failures in third-party ecosystems can have cascading impacts on financial institutions and their customers.

To address these risks, regulatory bodies worldwide are introducing frameworks like DORA, UK PRA Operational Resilience guidelines, APRA CPS 230 and NIST2, which place stringent requirements on financial institutions to manage third-party dependencies. These include:

  • Enhanced due diligence
  • Continuous monitoring of third-party performance
  • Incident reporting and testing of resilience capabilities

For the regulators, and most financial institutions, the focus is firmly on addressing the implications surrounding Important Business Services (IBS) and the critical third parties (CTPs) that support them. TPRM frameworks already exist and, when asked, most institutions are likely to consider themselves “largely” compliant with the incoming regulations.

However, the regulatory focus is now expanding to encompass fourth to nth-party risks, complicating compliance even further. Managing these layers effectively is critical for maintaining operational resilience. On the face of it, risk management of a fourth (or fifth or nth) provider is conceptually the same as that of a third party. However, the risk management challenges of the third party are inevitably inherited by those further down the supply chain – and new challenges emerge at each subsequent level. How to address these and other complications introduced by fourth to nth-party risk management is discussed in Section 4 of this paper. 

Examples of Operational Resilience Breaches in the Supply Chain

Numerous real-world incidents demonstrate why a robust TPRM framework is so important in maintaining operational resilience. Regulators have been right to call this out as a systemic risk. Operational resilience breaches involving ICT suppliers to financial institutions, which highlight the risks posed by vulnerabilities in third-party services, include:

  1. Accellion: Their legacy File Transfer Appliance (FTA) faced zero-day vulnerabilities, allowing hackers to access sensitive data from multiple organisations, including financial institutions. The breach caused severe reputational damage due to delayed alerts and insufficient patching efforts.
  2. Blackbaud: A ransomware attack exposed customer data stored on Blackbaud’s cloud platform, affecting financial entities and other organisations globally. The breach highlighted risks associated with cloud-based ICT providers.
  3. SolarWinds: Hackers infiltrated the SolarWinds Orion platform in a high-profile supply chain attack, impacting government and private sector clients, including financial firms. The breach demonstrated how supplier vulnerabilities can have cascading effects.
  4. Okta: The identity management provider suffered a breach after attackers gained access through a third-party contractor. This raised concerns about vendor management, as compromised authentication services can directly affect operational resilience for financial institutions reliant on Okta’s services.
  5. CrowdStrike: In July 2024, CrowdStrike experienced a significant global IT outage caused by an update to its Falcon sensor configuration file. This update triggered a logic error that caused widespread disruption across systems using the software, particularly Windows devices. The issue caused operational failures in critical sectors, including airports, public safety systems, and financial institutions, with an estimated 8.5 million devices impacted globally. 

These incidents underscore the need for rigorous risk management across the entire supply chain, including regular audits, real-time monitoring, and robust incident response strategies. They highlight the interconnected nature of modern financial operations and the critical importance of operational resilience frameworks.

New Challenges in Third-Party Risk Management

Although most financial institutions already have TPRM frameworks in place, new threats continually emerge which, combined with a step change in operational resilience related regulations for 2025, are making day-to-day monitoring and management of critical third parties more challenging. 

  1. Expanding vendor ecosystem

Financial institutions are increasingly outsourcing critical functions, including IBS, leading to an extensive network of third-party providers. Managing risks across this growing ecosystem while maintaining visibility and control is a significant challenge.

  2. Regulatory compliance

Incoming frameworks emphasise stringent oversight of third-party relationships, including governance, risk management, and operational resilience testing. Institutions looking to unify their compliance efforts often face challenges aligning their TPRM frameworks with overlapping regulatory requirements, within and across jurisdictions.

  3. Cybersecurity threats

Third-party ICT service providers often become targets for cyberattacks due to their integration with financial institutions’ systems. Compromises in a vendor’s environment can cascade into the institution’s operations, exposing sensitive data and disrupting services.

  4. Dynamic risk landscape

The risk profiles of vendors can change rapidly due to factors like financial instability, mergers, or geopolitical influences. Keeping pace with these changes requires dynamic monitoring capabilities and access to live third-party data.

  5. Limited resources

Smaller financial institutions often lack the resources to invest in advanced tools and expert teams to manage the complexities of TPRM. They are less likely to have deployed TPRM systems in the past, so the 2025 regulatory onslaught relating to third to nth-party risk management requires new investments in both technology and time to refine or create new TPRM frameworks.


Key Strategies for Effective Third-Party Risk Management

In line with the shared challenges, we see financial institutions adopting similar strategies in addressing and mitigating these challenges. The key focus has largely been aimed at ensuring the framework is “robust”. The emphasis on the word “robust” is deliberate as it has different meanings as we navigate through the various organisational levels of an institution. 

For the C-Suite, the governance and information framework is key. Do they (for example) have access to the right information to make informed decisions? Can they have confidence in the controls surrounding critical third parties? Have they set an appropriate risk appetite for recovery time objectives (RTO) and Business Impact Assessment (BIA)?

As we travel down the organisation “robust” becomes more operational. Does the framework support due diligence? Does it allow for continuous monitoring? Does it generate appropriate management information for consumption by the C-suite?

In determining whether your TPRM framework is adequate from a regulatory and due diligence perspective accountable senior managers should be asking the following questions, and those responsible for operational resilience and TPRM should have answers:

  1. Have we established robust governance?
    • Board oversight: The board of directors or a dedicated risk committee should oversee third-party risk management.
    • Policy development: Comprehensive TPRM policies aligned with DORA and other regulatory frameworks must be established.
    • Risk ownership: Roles and responsibilities for managing third-party risks should be clearly defined.
  1. Is our due diligence comprehensive?
    • Register of information: Regulators expect financial institutions to maintain a comprehensive ‘Register of Information’ (ROI) containing detailed records of their third parties. This register is crucial for ensuring transparency, facilitating effective oversight, and enabling quick access to critical information to support compliance and risk management efforts.
    • Third party intelligence: Complete information on financial stability, security measures, data protection capabilities, and compliance with regulatory requirements should be recorded.
    • Thorough onboarding checks: Standardised questionnaires and audits should be incorporated into the onboarding process.
    • Ongoing due diligence: Leveraging tools to assess vendors’ risk profiles dynamically ensures early identification of compliance status compromises.

Offboarding plan: A comprehensive offboarding plan should be developed during the onboarding process of a third party, including identified risks and corresponding mitigation strategies. The specifics of the offboarding plan will vary depending on the type of service provided.

  3. Are we capable of continuous monitoring?

    • Real-time intelligence: Monitoring platforms that offer real-time insights into vendor performance, cybersecurity risks, and compliance status should be implemented.
    • Key risk indicators: KRIs should be established to ensure early detection and response to emerging risks.
    • Concentration risk: Financial institutions can assess and monitor concentration risks associated with common fourth parties by leveraging information provided by their third parties about their respective providers.
    • Sentiment analysis: By utilising sentiment analysis technology, financial institutions can scan online content to detect positive or negative news about a third party, enabling them to take proactive measures as needed.
  1. Are we taking steps to enhance cybersecurity resilience?
    • Third-party cybersecurity: Vendors within the supply chain should be required to adopt – and be able to evidence – robust cybersecurity measures such as encryption, multifactor authentication, and secure access controls.
    • Periodic testing: Periodic penetration tests and vulnerability assessments on third-party systems should be conducted to expose weaknesses.
    • Incident response testing: Vendors should be included in incident response drills to improve coordination and ensure regulatory deadlines can be met.
  5. Does the technology we have today enable effective and defensible TPRM?
    • TPRM technology adoption: TPRM software should be utilised for gap analysis, incident management and centralised management of vendor risks, contracts, and compliance metrics.
    • Artificial intelligence: AI and machine learning are uniquely suited to identifying potential risks and predicting failures. TPRM is also an ideal use case for Generative AI, which can be utilised to analyse large numbers of lengthy contracts for compliance in a fraction of the time possible by humans.
    • TPRM managed services: TPRM-as-a-Service can be a viable option that reduces cost and time-to-value for firms with limited resources or expertise to develop and maintain an in-house system.

The answers to these questions will go a long way towards helping to assess how robust your TPRM framework is, how well it would stand up to scrutiny by auditors and regulators, and what changes are required.


New Challenges of Fourth to Nth-Party Risk Management

Never before have financial institutions had explicit regulatory obligations to monitor or report on fourth to nth-party risk management. Most firms have managed to get their head above water on risk management around third parties, but the prospect of needing to monitor risks at all levels in the supply chain is proving daunting for many.

The first consideration is that the risk management of fourth to nth parties needs to “fit in” to the framework designed for third parties because, as discussed previously, they inherit the same challenges. Worrying for many, however, are the added challenges associated with managing and monitoring fourth to nth party relationships, which also need to be addressed. 

These include:

  1. Limited visibility on who these nth-party suppliers are: Financial institutions often lack direct access to information about their vendors’ subcontractors.
  2. Limited visibility on the relationship between third and nth-party suppliers: Even if financial institutions know who the nth-party suppliers are, they cannot know what contractual arrangements exist between them.
  3. Increased vulnerabilities: Each additional layer of vendors increases the attack surface, making the ecosystem more susceptible to breaches.
  4. Regulatory expectations: Regulatory frameworks require institutions to ensure that their third parties manage subcontractors effectively, including conducting checks on data localisation and cross border transfers, which adds to the complexity.
  5. Complex incident management: Coordinating incident responses across multiple layers of vendors can delay recovery efforts and exacerbate disruptions.
  6. Concentration: Deep-set concentrations among nth-party suppliers are difficult to identify and manage, and they increase the institution’s exposure to external events and drivers.

Key Strategies for Effective Nth-Party Risk Management in the context of TPRM

Financial institutions are increasingly turning their attention to fourth to nth-party risk management. However, with the requirement to scrutinise and monitor nth parties so rigorously being relatively new, the strategies formulated to manage nth-party risk are embryonic and largely unproven. 

To be effective these strategies must enable financial institutions to:

  1. Identify fourth to nth parties: To mitigate risks effectively, institutions must first identify their extended vendor ecosystems.
  2. Map relationships: Use tools to map the entire supply chain, including subcontractors and downstream providers. Develop visual dependency maps to understand interconnections.
  3. Get vendor disclosures: Require third parties to disclose their subcontractors and any changes in their supply chain as part of contractual obligations.
  4. Categorise risks: Classify fourth to nth parties based on their criticality to operations, the sensitivity of data they handle, and the potential impact of a disruption.
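The four steps above (identify, map, obtain disclosures, categorise), together with the concentration-risk monitoring described earlier under continuous monitoring, can be worked through on a small supplier graph. The following is an added example and not code from the whitepaper, Alba Partners or Gieom. The vendor names, disclosed subcontractors and criticality ratings are constructed sample data, and the depth numbering (3 for a third party, 4 for a fourth party, and so on) is an assumption made for the example.

```python
"""Mapping a third- to nth-party supply chain from vendor disclosures.

Added example, not code from the whitepaper. Vendor names, disclosures and
criticality ratings are constructed sample data.
"""
from collections import deque

# Constructed disclosures: each vendor lists the subcontractors it has
# disclosed under its flow-down obligations (empty list = none disclosed).
DISCLOSURES = {
    "CorePaymentsCo": ["CloudHostA", "KYCDataLtd"],
    "TradeSurvLLC": ["CloudHostA", "MarketFeedInc"],
    "PayrollOutsrc": ["CloudHostA"],
    "KYCDataLtd": ["IdentityAPIco"],
    "MarketFeedInc": ["CloudHostA"],
    "IdentityAPIco": [],
    "CloudHostA": [],
}

# Constructed criticality of the service each direct (third-party) vendor
# supports: "important" means a disruption would cause intolerable harm.
DIRECT_VENDORS = {
    "CorePaymentsCo": "important",
    "TradeSurvLLC": "important",
    "PayrollOutsrc": "standard",
}


def map_supply_chain(direct_vendors, disclosures):
    """Breadth-first walk from every direct vendor through its disclosures.

    Returns {supplier: {"depth": n, "reached_via": {direct vendors}}}, where
    depth 3 is a third party, 4 a fourth party and so on (an assumption of
    this example). A supplier reachable through several chains keeps the
    shallowest depth. The `seen` set stops cycles in the disclosures.
    """
    chain = {}
    for direct in direct_vendors:
        queue = deque([(direct, 3)])
        seen = set()
        while queue:
            name, depth = queue.popleft()
            if name in seen:
                continue
            seen.add(name)
            entry = chain.setdefault(name, {"depth": depth, "reached_via": set()})
            entry["depth"] = min(entry["depth"], depth)
            entry["reached_via"].add(direct)
            for sub in disclosures.get(name, []):
                queue.append((sub, depth + 1))
    return chain


def categorise(chain, direct_vendors):
    """Each supplier inherits the highest criticality of any direct vendor
    whose service depends on it."""
    return {
        name: "important"
        if any(direct_vendors.get(v) == "important" for v in info["reached_via"])
        else "standard"
        for name, info in chain.items()
    }


def concentration_report(chain, direct_vendors, threshold=2):
    """Flag fourth-to-nth parties (depth >= 4) that sit beneath at least
    `threshold` direct vendors supporting important services: one failure
    there would hit several critical services at once."""
    flagged = {}
    for name, info in chain.items():
        if info["depth"] < 4:
            continue
        critical = sorted(
            v for v in info["reached_via"] if direct_vendors.get(v) == "important"
        )
        if len(critical) >= threshold:
            flagged[name] = critical
    return flagged


if __name__ == "__main__":
    chain = map_supply_chain(DIRECT_VENDORS, DISCLOSURES)
    tiers = categorise(chain, DIRECT_VENDORS)
    for name in sorted(chain, key=lambda n: (chain[n]["depth"], n)):
        print(f"depth {chain[name]['depth']}  {name:<15} {tiers[name]:<10} "
              f"via {sorted(chain[name]['reached_via'])}")
    print("concentration:", concentration_report(chain, DIRECT_VENDORS))
```

In the constructed data, CloudHostA is never contracted directly, yet it is reached from both important services, so it is the item a concentration report should surface; a disclosure that arrives later (a new subcontractor under an existing vendor) is handled simply by re-running the walk on the updated disclosures.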

Framework Changes Required to Facilitate Fourth to Nth-Party Risk Management

Rather than beginning from nothing, the TPRM framework used to monitor third parties should be your start point. This framework will address the risk management challenges inherent in all layers of the supply chain, leaving more time and resources to focus on framework updates required to overcome the added challenges of fourth to nth-party risk management. 

TPRM framework changes may include: 

  1. Flow-down contractual obligations

    • Require third-party contracts to include provisions mandating that their subcontractors comply with the institution’s security, operational, and regulatory requirements.
    • Include penalties for non-compliance and require timely notification of subcontractor changes.

  2. Extended due diligence

    • Conduct due diligence on third parties’ subcontractor management processes.
    • Assess the robustness of their supply chain risk management practices and request evidence of compliance audits.

  3. Continuous monitoring

    • Leverage monitoring platforms that provide indirect visibility into the performance and risks associated with fourth to nth parties.
    • Implement automated alerts for changes in subcontractors’ risk profiles.

  4. Collaborative testing

    • Include fourth to nth parties in business continuity planning and testing exercises.
    • Engage critical subcontractors in cybersecurity and operational resilience drills.

  5. Collaborative training

    • Provide shared training programmes for all parties on regulatory updates and compliance practices.

  6. RegTech solutions

    • Use the kind of regulatory technology and artificial intelligence outlined in Section 3 to monitor compliance across extended ecosystems, ensuring alignment with regulatory frameworks.

While pre-existing TPRM frameworks will go some way towards helping firms to navigate fourth to nth-party risk management, new practices and specific measures will be required to account for nuances arising at various levels of the supply chain.

Metrics for Measuring TPRM Effectiveness

All TPRM Frameworks, including those that incorporate nth-party risk management, have the same goals and hence the same requirements to make them effective. 

It is important for financial institutions to put measures and reporting in place. In doing so they will be able to evidence to both accountable senior managers and regulatory authorities that their frameworks are delivering adequate protection and resilience to safeguard key stakeholders. These measures are also necessary to monitor progress over time. 

Metrics may include:

  1. Risk reduction
    Measure the percentage reduction in identified third to nth-party risks.
  2. Compliance rate
    Track the percentage of third parties and their subcontractors meeting contractual and regulatory requirements.
  3. Incident response time
    Assess the average time to detect, respond to, communicate and resolve incidents involving third to nth parties, and ensure these satisfy regulators’ expectations.
  4. Vendor stability
    Monitor the financial health and performance consistency of vendors and their subcontractors.
  5. Resilience testing results
    Evaluate improvements in recovery times and coordination during simulated disruptions.

Ongoing monitoring and analysis against a set of well-defined metrics will ensure your TPRM framework achieves its objectives, is improved over time, and meets the expectations of key stakeholders. 


The Vital Role of Technology in Mitigating Supply Chain Risk

Reliance on decades-old technology and spreadsheets is ineffective in managing the complexities of TPRM and operational resilience, which require holistic oversight and dynamic (not linear) process management. Modern technologies play a key role in providing regulatory intelligence and helping financial institutions address TPRM by enabling efficient risk identification, monitoring, and mitigation strategies. Key contributions include:

  1. Automation and streamlined assessments
  • Risk assessment tools: Automation of due diligence and risk assessments. Technology platforms can standardise questionnaires and integrate live data sources to assess vendor risks comprehensively.
  • Artificial Intelligence (AI) and Machine Learning (ML): These technologies analyse large datasets to identify patterns or potential vulnerabilities in third-party relationships, such as historical breach data or financial instability. They can also be used to read supplier contracts at high speed and identify potential risk and compliance anomalies.
  2. Continuous monitoring
  • Real-time alerts: Continuous monitoring tools track vendor cybersecurity postures and alert financial institutions to real-time threats such as compromised credentials or new vulnerabilities.
  • Performance metrics dashboards: Dashboards are used to monitor third-party KPIs (Key Performance Indicators) and SLAs (Service Level Agreements), ensuring vendors meet performance and security standards consistently.
  3. Enhanced regulatory compliance
  • Compliance automation: Technology ensures compliance with regulatory frameworks by tracking regulatory changes and aligning third-party practices.
  • Document management: Automated solutions manage contracts, certifications, and audit trails, reducing the risk of non-compliance.
  4. Incident response and resilience
  • Simulation and testing tools: Platforms simulate third-party failure scenarios to assess potential impacts and refine contingency plans.
  • Resilience monitoring: Technology measures operational resilience by testing third-party systems against disruptions, ensuring critical services remain uninterrupted.
  5. Integrated risk platforms
  • Third-party risk portals: Integrated platforms offer a centralised view of all third-party relationships, risk scores, and associated documentation, enabling better decision-making. Role-based dashboards provide individuals at all levels of the organisation with a view of the actions that must be taken to preserve resilience and ensure compliance.
  • Cloud-based solutions: Cloud platforms offer scalable risk management tools that can adapt to changing vendor and regulatory landscapes, quickly and cost-effectively.
  6. Cybersecurity tools
  • Vulnerability scanning: Advanced tools find weak spots in third-party IT systems, reducing the likelihood of breaches impacting an individual financial institution.
  • Access control systems: Technologies like identity and access management (IAM) limit vendor access to sensitive internal systems, reducing exposure.

By leveraging these technologies, financial institutions enhance their ability to proactively manage risks, comply with regulatory standards, and build resilience against potential disruptions in their supplier ecosystems. 


The Light at the End of the TPRM Tunnel

Operational resilience is imperative. Not only because regulatory authorities have put it front and centre of the 2025 regulatory agenda, but because it is the only way to provide maximum protection for customers, minimise risk for your firm, and protect the financial sector as a whole. 

With global regulators set to hold financial institutions truly accountable for operational resilience in 2025, it is essential that firms act fast to evolve their TPRM frameworks to address both direct vendor risks and the complexities of extended ecosystems. 

By asking the questions posed in this paper and having TPRM teams that can provide adequate and defensible responses, accountable senior managers can gain assurance that risk within the supply chain is being managed appropriately. 

By leveraging technology, enhancing supply chain visibility, fostering a culture of risk awareness, and aligning with regulatory expectations, institutions can build robust systems to manage third and fourth to nth-party risks effectively.

Proactively addressing these challenges will not only ensure compliance, earn customer trust, and mitigate reputational risk, but also enhance operational resilience, which safeguards institutions against disruptions in an increasingly interconnected financial landscape.


Authors

Jeff Simmons

Risk Management & Compliance Lead, Alba Partners

Jeff is an accomplished leader with over 25 years’ experience in industry driving strategic risk management, regulatory compliance and governance initiatives. He provides expertise in developing and implementing effective financial strategies aligned with corporate goals, coupled with a track record of driving process improvements. 

Nicola Cowburn

RegTech Advisor, Gieom

A FinTech and RegTech marketing leader for more than two decades, Nicola works with technology providers and their financial services clients to build and deliver effective solutions for regulatory compliance and risk management. In addition to providing product development expertise and formulating successful go-to-marketing strategies for RegTech firms, Nicola is an Ambassador for The RegTech Association.

About Alba Partners

Alba Partners is a boutique consultancy specialising in change and transformation. With expertise spanning Financial Services and beyond, our proven track record in delivering high-impact projects for leading institutions sets us apart.

Founded in 2020, Alba Partners blends the agility and personalised service of a boutique team with the expertise and experience of a top-tier consultancy. Our Financial Services practice has supported clients in navigating some of the industry’s most complex challenges across the trade lifecycle, including Dodd-Frank, MiFID II, Brexit, IBOR Transition, Operational Resilience, and Basel III. Additionally, we have successfully managed numerous mergers, acquisitions, exits and divestments.

Headquartered in Edinburgh with key offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners serves clients across Europe, the Middle East, and beyond. Our collaborative and flexible approach ensures that we deliver tailored solutions, aligning with each client’s unique requirements and goals.


About Gieom

Gieom is a leading provider of Generative AI-powered RegTech solutions, focused on enhancing operational resilience for financial institutions. We provide software that streamlines the management of policies, simplifies digital identity verification, mitigates risks, and implements operational resilience frameworks. Gieom has built custom templates to ensure compliance with regulations including the UK’s Operational Resilience Guidelines, the European Union’s Digital Operational Resilience Act (DORA), Australia’s CPS 230 and NIS2.

With operations across Europe, the Middle East, and Asia Pacific, Gieom serves over 100 customers globally and is certified for ISO 27001 and ISO 9001.

A Good Crisis – Analytics, Regulation and Resilience – Alba x Quantifi Whitepaper

Authors

  • Jack Goss, Director, Professional Services

Jack is responsible for Professional Services and oversees all client related activity including implementations, product customizations and pre and post sales support. After graduating from economics at Cambridge, Jack started work for Henderson Global Investors as an Investment Analyst after which he moved to Rail-Pen as an Investment Manager. Jack then transitioned to Imagine Software where he was Head of Consulting (EMEA) and specialized in quantitative implementations. Jack holds numerous financial qualifications including a master’s degree in quantitative finance from CASS business school.

  • Jeff Simmons, Senior Advisor, Alba Partners

Jeff is an accomplished leader with over 25 years of expertise in managing crisis situations and mitigating organisational risks, having held pivotal roles such as Chief Risk Officer at MUFG and Head of Risk Capital Management at the Royal Bank of Scotland. He excels in designing and implementing comprehensive risk management frameworks that safeguard assets and reputation during critical times. With a strong track record of navigating complex regulatory landscapes, Jeff has developed and executed strategies that ensure business continuity and resilience. His proven ability to lead through uncertainty, coupled with a focus on aligning risk strategies with corporate objectives, has enabled him to successfully drive organisational stability and long-term success.

Introduction: Characteristics of Crisis

A crisis, by definition, is never “good.” However, in Financial Services, we often prefer crises where we can retain a significant degree of control. We say “significant” because crises, by their very nature, inherently involve elements of unpredictability and require a degree of flexibility in our responses.

While no two crises are identical, there are recurring patterns and characteristics that provide valuable insights. These similarities, both in the nature of the crises themselves and in the ways we respond to them, merit discussion. This whitepaper aims to first outline the principal characteristics of a crisis and then examine typical responses. We will explore how these responses might be refined to address crises in a more structured and effective manner.

Crises demand quick decisions, which require smart people across teams to operate on information they trust. This information is often a blend of raw data and analytics, both of which must be accurate, timely, and actionable. The role of analytics, in particular, is crucial. It transforms disparate data points into insights, enabling decision-makers to navigate uncertainty with greater confidence and agility. Without reliable analytics, the margin for error increases significantly, amplifying the potential impact of the crisis.

To fully understand how crises—and the corresponding responses—have evolved, we must first identify the key characteristics that define them. These characteristics serve as the foundation for our analysis.

It is important to note that a “crisis event” is not always easily quantifiable. What constitutes a crisis in one area may be viewed as an opportunity elsewhere. From a complexity perspective, crises do not always result in zero-sum outcomes. This nuanced nature requires careful consideration, beginning with a clear definition.

A crisis is commonly defined as “a time of great danger, difficulty, or doubt when problems must be solved, or important decisions must be made.” In this whitepaper, we will unpack this definition from a Financial Services perspective, delving into its core elements to better understand the challenges and opportunities inherent in managing crises.

Time

The first characteristic is that of time. Time influences the severity and outcome of a crisis in three important ways.

1. The speed at which it happens or is identified

Some crises are “slow burn,” others may happen in an instant. It may be that the signals of the impending crisis have been well telegraphed (a Gray Rhino event), but appropriate action was not taken. The invasion of Ukraine by Russian forces can be thought of as well telegraphed, but it still took the world by surprise. COVID, however, impacted the globe over the course of just a few weeks.

2. The duration of the event

How long, for example, does the crisis last, if in fact, it has an end at all? How long does it take for the aftermath of the crisis and the actions taken as a consequence to become part of “normal”? The Global Financial Crisis (GFC) took some months to play out as new and complex information came to light and multiple decisions were required. COVID, in contrast, though it lasted almost two years, had limited impact once operations and living patterns adjusted within the first few weeks of its emergence.

3. The time frame in which decisions are required

In some cases, there is a requirement for almost instant decision-making (the flash crash, 9/11, Enron, etc.), while in other cases, there is in fact the “luxury” of time where analysis and collective decision-making can be performed (UBS/Credit Suisse, for example).

Threat

The second element is that of danger; we read this as impact in Financial Services. At the core are, again, three different characteristics of “a threat” to a Financial Services company. Please note that these are NOT in priority order, but we will let the reader make their own conclusions as to the order organisations will tackle a crisis as it arises.

The threat to the organisation or its shareholders

Here we have an event that may or may not be specific to the organisation but can, through its impact, have significant consequences on that organisation. Archegos is a good example, where, though several Financial Services entities were involved, some were impacted more than others depending on the scale of their exposure. Others are indeed very specific to an organisation: BNP Paribas and Barings had localised Front Office “issues” which impacted them significantly, both from a financial and reputational perspective (let’s leave Regulatory sanctions out of this for the minute). Essentially, this is where the organisation’s “survival mode” really needs to kick into action.

The threat to its customers

Again, if we put aside any Regulatory protection that a consumer may or may not have, it is the responsibility of the organisation to ensure that its clients/customers receive the appropriate level of service. Recent IT outages are good examples where, though not directly the fault of the Financial Services organisation, it is their responsibility to ensure that mortgages settle as appropriate, salaries are paid on time, and cash is available through ATM machines.

The threat to the wider ecosystem, be that financial, geopolitical, or environmental

Here, we also have Regulatory oversight, given the Regulators’ role in financial and consumer protection. Regulatory sanctions play a large part in the “danger” element regarding this aspect of a crisis. The Ukraine invasion, the Greece EURO Crisis, etc., may have little impact on an organisation or the bulk of its customers, but the sanction dimension has to be rapidly incorporated into an organisation’s compliance framework. Climate risk is another good example where an organisation and its customers may elect to take action to mitigate a “crisis,” with the Regulator also playing a part.

Decision-making Process

The third element is that of the decision-making process and the framework that is required to support those decisions. We have spoken above about the time aspects of a crisis as well as the impacted parties; here, both elements come together to influence the magnitude of the decisions required. What is clear though, is that the key components of any decision are:

  • There is always a common theme when it comes to decision-making in a crisis, and that is time constraints. Invariably, decisions must be taken within short time frames and could have large and significant impacts.
  • Decisions taken in short time scales need good, accurate and reliable analytics to support them. It is imperative that the analytics come to the decision-makers in an appropriately summarised and “information-based” form. All resources, both system and human, are focused on this output, and decision-makers must be in a position where they can trust both the analytics and the underlying data used to create them. These decision-makers cannot, nor should they be, put in a position where they are receiving different or conflicting information, the most common cause of which is differing methodologies across disparate systems.
  • The Response team is typically planned out in great detail; however, in the evolving world of crisis development, the war room composition changes. The events surrounding the UBS/Credit Suisse situation are a good example. What started off as a liquidity crisis in Credit Suisse quickly developed into a fast-moving merger/integration “crisis.” The response team had to change to reflect the fast pace of required decision-making, and its composition had to lie somewhere between a crisis management team and a team developed for mergers and acquisitions. There were, of course, numerous examples of this during the GFC and the Japanese Banking crisis.

Obviously, crises differ in the detail, with each one having its specific drivers, risks, impacts, and speed, but by simplifying them down into what are standard characteristics, it may enable organisations to be better prepared at the foundational level rather than at the reactive dimension. We will discuss the Regulatory perspective later in this paper; however, we know that in recent publications by the Global Regulators, there has been a particular focus on Operational Resilience and the ability for organisations to not only react to incidents but also ensure that they can withstand incidents. Resilience-related incidents are obviously significant given their potential impacts, but crises are not limited to just IBS-impacted ones.

Trusted analytics

Crisis resolution is distinct from most aspects of risk management in finance, where the focus is on risk appetite setting, risk detection, risk mitigation, and satisfying regulatory requirements. Typically, financial institutions emphasise proactive measures to manage and mitigate risks within acceptable levels and ensure compliance with regulations.

However, during a crisis, the approach shifts dramatically from prevention and regulation to immediate resolution and damage control. At the onset of a crisis, operations move into a ‘war room’ setting, which, in modern times, might be virtual. In this critical phase, the structured three-line defence model often collapses into a more dynamic and flexible huddle of key personnel tasked with crisis resolution.

Within the war room, the need for analytics undergoes a pronounced transformation compared to normal periods. During stable times, analytics often focuses on long-term trends, detailed forecasts, and comprehensive risk assessments, facilitating thorough and deliberate decision-making. The complexity of models and depth of analysis are prioritised to optimise performance and anticipate future opportunities.

In contrast, during a financial crisis, the urgency for immediate, reliable data increases dramatically. Decision-makers require rapid access to accurate information to navigate volatile markets and make quick, informed decisions. The emphasis shifts from extensive, detailed analysis to more straightforward, high-frequency data points that provide real-time insights. Trust in the data becomes crucial, as flawed or delayed information can lead to significant losses or missed opportunities. Consequently, the complexity of analytics is often reduced in favour of clarity and speed, enabling leaders to respond swiftly and effectively to the rapidly changing financial landscape.

This simplicity is often surprisingly difficult to achieve. To illustrate this, consider the following examples:

  • In a credit crisis, it is vital to have a clear understanding of current exposure to a troubled counterparty. While this understanding should have no ambiguity since there are no estimated parameters, it requires the ability to aggregate exposures from a wide variety of sources, including direct investments such as bonds, indirect investments via indices, and counterparty derivative contracts.
  • In a liquidity crisis, it is essential to have a short-term projection of cash flow, which necessitates a real-time, multi-currency understanding of cash projections and the trade life cycle.
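The credit-crisis case above, a single trusted figure for exposure to one troubled counterparty built from direct bonds, index holdings and derivative contracts, worked through in code. This is an added example and not code from the whitepaper, Quantifi or Alba Partners. The holdings, index constituent weights, mark-to-market (MTM) values and netting-set labels are constructed sample data, and treating only the positive net MTM of each netting agreement as the amount at risk is a simplifying assumption of the example.

```python
"""Aggregating exposure to one troubled counterparty across sources.

Added example, not code from the whitepaper. All positions, index weights
and mark-to-market (MTM) values are constructed sample data.
"""
from collections import defaultdict

# Constructed direct bond holdings: market value by issuer.
BONDS = [
    {"issuer": "BankX", "market_value": 12_000_000.0},
    {"issuer": "OtherCo", "market_value": 5_000_000.0},
]

# Constructed index holdings and constituent weights used for look-through.
INDEX_POSITIONS = [{"index": "EUFIN", "market_value": 50_000_000.0}]
INDEX_WEIGHTS = {"EUFIN": {"BankX": 0.04, "OtherCo": 0.10}}

# Constructed OTC derivatives: MTM from the firm's point of view (positive
# means the counterparty owes the firm), grouped by netting agreement.
DERIVATIVES = [
    {"counterparty": "BankX", "netting_set": "ISDA-1", "mtm": 3_000_000.0},
    {"counterparty": "BankX", "netting_set": "ISDA-1", "mtm": -1_000_000.0},
    {"counterparty": "BankX", "netting_set": "ISDA-2", "mtm": -2_000_000.0},
    {"counterparty": "OtherCo", "netting_set": "ISDA-9", "mtm": 4_000_000.0},
]


def direct_bond_exposure(name, bonds=BONDS):
    """Market value of bonds issued by the counterparty."""
    return sum(b["market_value"] for b in bonds if b["issuer"] == name)


def index_lookthrough_exposure(name, positions=INDEX_POSITIONS, weights=INDEX_WEIGHTS):
    """Indirect holding: each index position times the counterparty's weight
    in that index (zero if the counterparty is not a constituent)."""
    return sum(
        p["market_value"] * weights.get(p["index"], {}).get(name, 0.0)
        for p in positions
    )


def derivative_exposure(name, derivatives=DERIVATIVES, recognise_netting=True):
    """Current credit exposure on OTC contracts with the counterparty.

    With netting, trades under one agreement offset and only a positive net
    balance is at risk; without it every positive MTM counts in full. The
    gap between the two figures is itself a number the war room should know.
    """
    if not recognise_netting:
        return sum(max(d["mtm"], 0.0) for d in derivatives if d["counterparty"] == name)
    net_by_set = defaultdict(float)
    for d in derivatives:
        if d["counterparty"] == name:
            net_by_set[d["netting_set"]] += d["mtm"]
    return sum(max(v, 0.0) for v in net_by_set.values())


def aggregate_exposure(name, recognise_netting=True):
    """The single view a war room wants: breakdown by source plus the total."""
    breakdown = {
        "direct_bonds": direct_bond_exposure(name),
        "index_lookthrough": index_lookthrough_exposure(name),
        "derivatives": derivative_exposure(name, recognise_netting=recognise_netting),
    }
    breakdown["total"] = sum(breakdown.values())
    return breakdown


if __name__ == "__main__":
    for netting in (True, False):
        print(f"netting={netting}:", aggregate_exposure("BankX", netting))
```

The three feeds (bond custody, index constituent files, derivative MTM by netting set) are normally held in separate systems, which is exactly why the figure is hard to produce under time pressure; the point of the example is that the arithmetic is trivial once the sources are joined on a single counterparty identifier, so the preparation work lies in that join, not in the analytics.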

To build trust in any methodology or analytic takes time which is not available in a crisis. Financial institutions routinely employ advanced analytics, such as Monte Carlo simulations, scenario analysis, stress testing, and “what-if” analysis as part of their business-as-usual processes. These tools are essential for ongoing risk management, enabling organisations to assess potential vulnerabilities and make informed decisions under normal conditions. The continuous use of these methodologies in everyday operations helps institutions build a deep familiarity and trust in their analytic frameworks.

This trust can only be built through both a broad and a detailed understanding. Broad, in the sense that everyone included in the war room needs to grasp the fundamentals of the analytics being used. Detailed, in the sense that it is crucial to know exactly how the analytics react under stressed conditions and to have a plan for when those conditions are breached. This detailed analysis needs creativity in imagining the possible, as it is often more extreme than was previously imagined – negative oil futures prices being a good example.

In essence, the seamless transition from routine risk management to crisis response is enabled by the prior integration of these advanced analytics into the organisation’s daily operations, ensuring that leaders can act decisively when a crisis hits.

How will AI change the preparation of crisis?

It is intriguing to consider whether the introduction of Artificial Intelligence (AI) will alter the situation described above. We believe this is unlikely. In the case of systemically important institutions, decision-making is likely to remain in human hands for the foreseeable future. Consequently, it is essential that humans trust the analytics used in these decisions. For a human to trust these analytics, they must have confidence that, given the time, they could independently reconstruct the analytical processes involved.

Nevertheless, AI can play a significant role in other areas. Specifically, AI can be utilised for pre-emptive data cleansing, ensuring that the data used for analytics is accurate and reliable before any crisis occurs. Additionally, AI can assist in identifying and mitigating potential data biases, thereby enhancing the overall integrity of the decision-making process. Ultimately, while AI may not replace human decision-makers, it can significantly support and enhance the quality of the data and analytics on which those decisions are based.

Where are the regulators on all of this?

Now, let us consider where the Regulators have been during these crises because what we do know is that they have not been taking a back seat, rather the opposite.

The Regulators (globally) have identified some of the key aspects of crisis management and have increased their regulatory demands and expectations in those areas.

The key area where they have identified weaknesses is that of data. Largely stemming from the relative chaos that was the GFC, they started an initiative to ensure that data used to mitigate the impact of crises was of good enough quality to make the right decisions. They required organisations to ensure that their data satisfied three main criteria:

  • There should be a robust governance framework around the architecture and infrastructure implemented to capture and store the data, including defined roles and responsibilities at the departmental and committee levels.
  • There should be a documentation framework surrounding the data, including data dictionaries, process descriptions, and data lineage.
  • All of the data should be controlled by a data quality management framework that includes Data Quality Indicators, data control plans, and appropriate management information (MI) to support the analysis of data and data quality.

The resultant regulation, BCBS 239, attempted to encapsulate all of these characteristics in 11 principles to be adopted in January 2016. As of 2024, many banks in the UK are still facing difficulties in fully implementing the BCBS 239 principles. Common challenges include outdated IT systems, insufficient prioritisation by senior management, and limited resources allocated to improving risk data aggregation and reporting capabilities. Despite ongoing efforts, these issues have slowed progress, making full compliance difficult for most institutions.

The Regulators also saw the value in ensuring that organisations were prepared for the next crisis. We saw a wave of stress tests descend upon the financial services sector, starting with the CCAR and quickly spreading around the globe with the ECB, BOE, HKMA, etc. They were all designed to highlight potential vulnerabilities in capital structures and capital resilience when subjected to shocks. Stress testing spawned a whole industry within the sector, with significant investment being made in technology, data, and modelling capabilities. The main change, though, that stress testing brought to the sector was awareness by senior management of their vulnerabilities and, therefore, the proactive development of mitigation strategies. There was also, of course, the main driver: the fear of being highlighted on the front pages of the financial press as having “failed” the stress.

The theme of stress testing continued, making its way into the insurance sector and, more recently, through the Operational Resilience lens. The key objective is, in principle, the same: to ensure that organisations are prepared for a range of plausible scenarios that can stretch their weaknesses.

Adherence to the stress testing requirements by the organisations in scope has been strict and complete, the reality being that the regulators have requested them to run the scenarios. The scenarios are largely prescriptive, so differing interpretations across the sector are limited. Notable among the prescriptive elements is the choice of a constant versus an evolving balance sheet. No matter what your opinion, the regulator sets the rules, and they must be followed. Debates over the impacts of drawdowns, revolving credit facilities, and credit migration tended to be simplified in the published methodologies.

We must ask ourselves, though, what of those institutions that were not required to perform the stress tests? In 2023, for example, a total of 57 Euro area banks under direct ECB supervision were included in the EBA sample. Some may have been excluded due to participation in other exercises, but this still left a large number who would either run the stresses voluntarily or, most likely, not at all given the technical and organisational costs.

Another positive aspect of the stress testing frameworks required by the regulators is that of “war room” style testing, especially around Liquidity and Operational Resilience. This has enabled organisations to fine-tune their plans, create their governance, and run them through “real-world” situations.

This leads us to the next steps in regulatory preparation regarding crisis management, and that is the impact on Second/Third tier organisations and the Non-Banking Financial Institutions (NBFIs). From a systemic perspective, they may not play a material part in the overall financial stability of a regime, but they would, of course, have their own crises or be swept up in other more widespread crises. The onus on them is obviously not as stringent as for some of the G-SIFIs, but they still have shareholders, staff, and customers to protect. The regulators are now starting to turn their attention to this next category of organisation. These organisations have an advantage here in that they can leverage the work done by those before them, relying on systems, methodologies, and data which are now available. A number of the issues experienced in the “early days” of stress testing and scenario analysis have now been resolved by vendors and data providers. SME assistance is readily available through change and transformation specialists; these same SMEs now have significant experience in Operating Models and Stress Testing frameworks. It is now possible for organisations to go from “not a lot” to “we are prepared” very quickly using this wealth of knowledge and systems capability. The disadvantage, though, is that there is a cost. It may be less expensive than 10 years ago, but it is a cost, nonetheless.

Conclusion

As regulators continue to raise the bar, organisations must focus not just on compliance but on developing operational resilience that goes beyond regulatory demands. Stress testing and scenario analysis are crucial tools that enable institutions to anticipate crises and respond effectively.

Ultimately, while crises will continue to evolve in nature and scope, institutions that invest in resilient systems, trusted analytics, and tried and tested decision-making processes will be better positioned to weather future disruptions. Effective crisis management is not just about reacting to events but about building the capacity to withstand and emerge stronger from them. Building trust in analytics and ensuring that decision-makers have reliable, real-time information are essential steps in crisis resolution.

About Alba Partners

Alba Partners is a boutique consultancy specialising in change and transformation. With expertise spanning Financial Services and beyond, our proven track record in delivering high-impact projects for leading institutions sets us apart.

Founded in 2020, Alba Partners blends the agility and personalised service of a boutique team with the expertise and experience of top-tier consultancy. Our Financial Services practice has supported clients in navigating some of the industry’s most complex challenges across the trade lifecycle, including Dodd-Frank, MiFID II, Brexit, IBOR Transition, Operational Resilience, and Basel III. Additionally, we have successfully managed numerous mergers, acquisitions, exits, and divestments.

Headquartered in Edinburgh with key offices in London, Riyadh, Dubai, and Abu Dhabi, Alba Partners serves clients across Europe, the Middle East, and beyond. Our collaborative and flexible approach ensures that we deliver tailored solutions, aligning with each client’s unique requirements and goals.

albapartners.co.uk

About Quantifi

Quantifi is a provider of risk, analytics and trading solutions. Our award-winning suite of integrated pre- and post-trade solutions allows market participants to better value, trade and risk manage their exposures and respond more effectively to changing market conditions.

Founded in 2002, Quantifi is trusted by the world’s most sophisticated financial institutions including five of the six largest global banks, two of the three largest asset managers, leading hedge funds, insurance companies, pension funds and other institutions across 40 countries.

London +44 (0) 20 7248 3593

New York +1 (212) 784-6815

New Jersey +1 (908) 273-9455

Sydney +61 (02) 9221 0133

www.quantifisolutions.com