By Deep Narayan Mukherjee & Abhinav Bansal
As a result of RBI’s dedicated focus on financial risks, particularly credit risk, Indian banks’ balance sheets have improved to the best in over a decade. System-wide gross non-performing assets (GNPA) ratio has improved to a decadal low of 2.8%. While some worries have emerged in unsecured lending, its limited overall exposure is unlikely to present an immediate systemic risk. Appreciably, the banking regulator has started focusing on strengthening Non-Financial Risk (NFR) management.
RBI has resorted to more stringent penalties for NFR violations than before. The regulator severely penalised institutions that had exhibited technological lapses, high disruptions in customer services or non-compliance with operational guidelines, by suspending specific operations or barring them from onboarding new customers. These penalties not only reduced the profits of the FIs but also impacted their reputation and market capitalisation. The era of petty regulatory fines is history!
In this regard, the guidance note on operational risk and operational resilience issued by RBI on 30th April, 2024 could go down as a watershed moment in India’s banking regulations. As such, RBI is predominantly a ‘rule-based’ regulator, offering specific directions and rules for banks to follow. However, the current guidance note explicitly mentions the principle-based approach of this regulation. In other words, instead of specifying the ‘how’, RBI has chosen to set a desired end outcome. Banks will have to prove how they have reached the outcome (in the case of operational resilience, low disruption of customer service) or how they plan to reach that outcome. Principle-based regulation requires a much higher maturity of risk and compliance capability than rule-based regulation.
Operational Resilience (OpRes) evolved from operations risk management and Business Continuity Plan (BCP) that banks have been following. Operations risk management focuses on minimising the likelihood of an operational failure and also assesses the regulatory capital for operations risk. BCP focuses on response to recover the system after a disruption event. While BCP processes are more robust, operational risk management processes can do with more data and analytics.
Disruption of critical banking services continues to affect banks’ customers. Given the interconnected nature of banking, in severe but plausible scenarios, such disruptions may affect the market integrity of the system. Banking regulators in other major countries have also focused on OpRes to persuade financial institutions to develop the capacity to prevent, adapt, respond to, and recover from shocks so that critical economic functions are not materially disrupted.
A principle-based regulatory approach may be more optimal for tackling disruptions in important banking services. Such banking services are possible due to complex interlinkages between various systems and processes within the bank as well as its third-party vendors. Monitoring, prevention, mitigation, root cause analysis and reporting for this kind of process is particularly complex given the emergent way these systems behave during a crisis. Additionally, diverse ownership among business heads and CXOs adds to the uncertainty.
Successful OpRes implementation requires banks to focus on at least these four aspects:
- Identifying Important Business Services (IBS): IBS has to be defined from the customer’s point of view. It goes beyond the uptime of a server or a system. It focuses on the cumulative interplay between multiple technology platforms, processes and people. Thus, while individual components have an uptime of 99%, the customer may see an uptime of only 95%.
- Setting tolerance level: This calls for extensive mapping of the various components which drive undisrupted customer service. Since disruption cannot be zero, the bank would have to set the tolerance level, i.e., the level of service disruption it will tolerate given the reputational, regulatory and business risk of such disruptions.
- Real-time tracking & early warning: Detailed data on systems and their interaction will help banks to develop predictive models that serve as early warning systems for service disruptions. Here, the ability to track and monitor IBS in real time by creating a Digital Twin is a desirable end-state.
- Scenario analysis and simulations: There are systems where data may be limited or which may not have a history of disruption, but there are distinct physical and logical reasons why the system may fail. Scenario analysis estimates the potential sequence of failures and how bad the impact can be.
Comprehensive OpRes implementation is a top priority of the boards of leading global banks. The reason is that this can differentiate a bank in terms of customer service and help it win in the marketplace. However, OpRes implementation would require banks to bolster their risk capability. Apart from benchmarking global best practices on the four critical aspects of OpRes implementation, banks need to enhance their capability to manage technology risk, vendor risk and operational complexity.
The road ahead is challenging, but Viksit Bharat requires a resilient banking system in India.
Mukherjee is Partner (Risk Management & Data Science) at BCG and Bansal is MD and Partner (Risk & Compliance Head, APAC) at BCG.
Disclaimer: Views expressed are personal and do not reflect the official position or policy of FinancialExpress.com. Reproducing this content without permission is prohibited.