Banking CIO Outlook
Operational risk and digital innovation: two sides of the same coin?

Patrick Papsdorf, Head of Payments Oversight section, European Central Bank

Digitalisation is present in many facets of our daily activities: what was unthinkable decades ago has become a basic need today, and living without it is unthinkable. On the supply side, technology-enabled innovation has led existing market actors to digitalise their services and products. Moreover, new firms have entered the market aiming to offer new services that disrupt former set-ups, while a third category of firms is moving into new segments of the value chain, possibly using their network effects. In addition, third-party service providers are increasingly important for all of the aforementioned firms by providing specialised services. This article looks at operational resilience in light of digitalisation, also by referring to tools developed for financial market infrastructures.

Let me mention three examples of digital innovation in the area of payments. First, the introduction of instant payments, which has allowed end-users to make payments in real time on a 24/7 basis, with the money immediately available to the beneficiary. Second, the international agenda of enhancing cross-border payments to make them faster, less expensive and more accessible. Third, the use of data analytics, possibly empowered by machine learning (AI) solutions, for monitoring payments and identifying anomalous transactions (e.g., fraudulent payments). To provide these and more general payment services, outsourcing to a third-party provider can be very useful. It can, for instance, allow the outsourcing firm to offer an (innovative) service that it may not have been able to develop itself in time, or at all, because it lacks the expertise, skills and/or resources. Using a third-party provider can also help to build up and increase operational resilience in the digital environment; for instance, a third-party provider may be able to ensure a higher level of cyber resilience.

For each organisation, it is essential that its services and products, whether provided by itself or by a third party, are fully reliable and available, also under adverse circumstances and scenarios. This is not new, but operational risk has become even more pronounced in the digital world. Why? First, because digitalisation has increased interconnections and interdependencies across stakeholders and clients by making them part of the organisation’s digital universe; as a result, an operational problem can propagate even faster across the network, wherever it originates. Second, the probability of operational issues has grown, in particular due to the enlarged surface for cyber-attacks. Third, the velocity at which a potential operational event propagates has become higher. For instance, the impact of a digital service disruption, especially of a service offered around the clock, is swiftly visible, can create knock-on effects and may be swiftly transmitted via social networks. This is why we now look at operational resilience as an extension of operational risk: the ability not only to manage operational risks but also, for an organisation, to continue offering its services after an operational risk materialises.

Financial market infrastructures (FMIs), such as payment systems, provide a good example of the need for operational resilience. A malfunctioning payment system can create contagion across its network. For wholesale payments, which are typically of high amounts and urgency, it can create liquidity risks for the receiving bank or jeopardise the functioning of other connected FMIs. For retail payments, a disruption may leave a customer unable to pay a merchant and to receive the purchased goods.

Operational resilience has traditionally been a key oversight requirement for FMIs. The basis for operational resilience is a sound ICT infrastructure, including systems and communication networks that use robust, mature and tried-and-tested technology. But even if a sound ICT infrastructure is in place, a disruption may still occur, for instance due to external events over which an organisation has no control, such as natural disasters, geopolitical events, power outages, strikes and pandemics, all events that we have unfortunately witnessed in recent years. For such events, business continuity and contingency plans, accompanied by clear crisis management and communication plans, come to the fore. All this also extends to any third-party provider, which can itself be a source of operational risk. An organisation thus needs to pay attention to robust third-party risk management, including due diligence before contracting with the third party and closely managing the relationship on the basis of service level agreements, reporting requirements and the ability to obtain assurances such as audits. A specific aspect of third-party management that has arisen recently is supply chain risk. Third parties may themselves outsource services to other parties (fourth- and fifth-party relationships), in line with the saying that a chain is only as strong as its weakest link. To give an example, cyber-attackers may target third parties or providers in the supply chain, given that this could impact a multiplicity of other organisations or that the supply chain could be leveraged to attack the organisations that use it.

Cyber-attacks are challenging in many ways: they can originate from anywhere, target anyone and have multiple motivations. They may aim to disrupt services, steal data or obtain financial gain, or a combination thereof. Attackers are becoming more advanced by learning and employing new tactics and techniques, new technologies and malicious ‘as a Service’ solutions. One particular growing threat is ransomware. During a ransomware attack, the attacker gains access to a system, steals data and makes the data unavailable through encryption. The attacker then offers to decrypt the data and not to publish it if a ransom is paid, usually in crypto assets.

Coming back to the example of FMIs, specific cyber resilience standards and sector-wide initiatives have been developed that can also serve as an inspiration beyond the sector. Some main examples are: first, a European framework for threat intelligence-based ethical red-teaming (TIBER-EU). Its aim is to test the cyber resilience of an organisation by running a controlled cyber-attack. The framework defines the interaction between the organisation to be tested, the authorities, and the threat intelligence and red-team providers. The framework is also reflected as a main tool for cyber resilience in the EU’s Digital Operational Resilience Act (DORA). Second, the Cyber Information and Intelligence Sharing Initiative (CIISI-EU) enables the sharing of information about cyber threats, using collective expertise and experience to identify, assess and manage them. Third, and likely the starting point, an all-encompassing strategy was developed, composed of tools at three levels to increase resilience: first, for the single FMI (such as TIBER tests or resilience expectations); second, for the sector of all FMIs (such as CIISI or sector-wide exercises around an operational scenario); and third, a forum to exchange views on and steer cyber resilience across public and private entities at C-level. While this strategy was initiated at the central bank level for a regulated sector, several of its tools are optional and agnostic by design, i.e., they can generally be adopted by other firms and other sectors and serve as very concrete inspirations.

Looking forward, the trend of digitalisation will continue, bringing manifold benefits and opportunities. Interconnections and reliance on third parties and new technologies will keep growing in parallel. Properly understanding and managing the related risks, in particular third-party and cyber risks, will be an essential activity. An operational event, whether a cyber-attack or another event, is a tail event, i.e., it has a low (though increasing) likelihood and a high impact, and it can occur at any time without warning. Even if no incident occurs, which one hopes for, an organisation will need to resist the temptation to reduce resilience efforts in order to save costs. It is the responsibility of each firm, whether regulated or not, to pursue the ever-evolving goal of resilience. While digitalisation and operational risks may still be coined in the same phrase, operational risk mitigation will support reaping the benefits of digitisation.
