by Anita D. Millar, Associate Partner
- Resilience is a board level issue for financial services (FS) and non-FS firms.
- Resilience must be balanced (and potentially shaped) by a board’s responsibilities to its workforce and shareholders, and its relationships with customers, suppliers and other stakeholders.
- Do not confuse minimising risk with maximising resilience.
- Digital resilience is a business issue, not just an IT or cyber-security issue, and can bring untapped productivity gains.
- Success in managing and meeting operational resilience and sustainable finance obligations will be determined, in part, by board engagement along with digital capabilities (particularly in relation data consumption and reporting).
1. The first principle of the UK’s Corporate Governance code1 is: A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-term sustainable success of the company, generating value for shareholders and contributing to wider society.
2. But does this principle reflect our times?
3. As economies, companies and the workforce emerge for the shadows of Covid19, the theme of resilience is everywhere; so the case for reframing board principles and priorities in terms of resilience (rather than sustainability) is already becoming apparent.
4. Long-term business resilience serves the interests of shareholders but must be balanced with the board’s responsibilities to its workforce, as well as its relationships with all internal and external stakeholders. In this light, reframing board priorities in terms of the three Rs – resilience, responsibilities, and relationships – has resonance.
5. While the UK’s Corporate Governance Code recognises wider board responsibilities to its workforce and other stakeholders,2 the three Rs are not a simple repackaging exercise. In the post-Covid19 environment (where climate change concerns will re-emerge) it will be essential for boards to strengthen the connections between (potentially radical) changes to business and operational models, and measures to support the health and wellbeing of their workforce, financially or logistically challenged suppliers, delivery of government programmes (to staff and/or clients), and society at large.3
6. So, what is resilience? The Stockholm Resilience Centre suggests that: Resilience is the capacity of a system, be it an individual, a forest, a city or an economy, to deal with change and continue to develop. It is about how humans and nature can use shocks and disturbances like a financial crisis or climate change to spur renewal and innovative thinking.4
7. This is a broad definition. However, if viewed from the perspective of a company’s business model, it has the benefit of conveying a sense of dynamism. It also avoids equating maximising resilience with minimising risk; thereby recognising that without risk, a firm may miss opportunities to build resilience. This provides scope for financial and non-financial institutions to set resilience tolerances (and risk appetites) at levels that are appropriate to their business.5
8. In this light, perhaps it is not surprising that resilience is now used to frame any number of vulnerabilities or challenges arising from:
- Chokepoints in supply chains6
- Company balance sheets now exposed as having relied on debt rather than equity7
- Operating a business in a digital environment8
- Important business services provided by financial firms9
- The financial impact of climate change on the business models of the largest UK
banks and Insurers10
9. The list of potential case studies are already fairly long, and could be longer, so our further exploration of this concept focuses on three cases: digital resilience, operational resilience of key business services, and building resilience in the context of climate change. Consideration is also given to the other two Rs – responsibility and relationships. The extent to which these might be overlooked, or are already shaping how resilience is being instilled in financial and non-financial firms.
10. Digital technologies have become core to many businesses seeking to offer their customers a reliable and efficient delivery service. Firms such as Domino’s Pizza11 or Ocado, both early movers in this sector, are so data and digital intensive, some might even call them technology firms that respectively sell pizza and groceries.12
11. In contrast, the legal sector has been relatively slow to adopt digital solutions, but is now relying on digital technologies to streamline administrative functions and access client files (via cloud services)
24/7.13 The shift to digital solutions is set to accelerate with adoption of software solutions, such as DocuSign,14 and the emergence of leaders looking for opportunities to redefine corporate legal departments.15
12. In financial services (FS), Fintech firms are now pervasive and the payment services directive (PSD2) has boosted innovation and competition. While digital payments have been growing, it is estimated Covid19 has accelerated this shift by two years.16
13. Further changes in the payments sector are on the horizon with the possibility that central banks will develop Central Bank Digital Currencies (CBDC) and offer them to the public as a complement to physical banknotes. Such proposals17 would help to promote further competition and innovation in this sector.
14. Digital resilience should be a priority for all boards, whether firms are seeking to develop digital businesses or digital capabilities. It should not be treated as a technology or cyber-security issue that is the sole responsibility of the chief technology or information officer. Instead, it needs to be viewed as a wider business issue and embedded in how the board and senior management view the risks and opportunities facing the firm.
15. Moreover, the involvement of the wider board and senior management should help to ensure that opportunities to address the other two Rs are not missed. In particular, the possibility of using digital technologies to support and empower employees (from all demographics) have yet to be fully explored, although the productivity gains could be significant.
16. For instance, few inroads have been on replacing spreadsheets (like Excel) with sophisticated tools that allow data to be understood, manipulated and analysed without resorting to programming. With training, such advances in front-end tools would move the ownership of data and analytics from a few, to potentially everyone employed in a firm. This could, in turn, promote further collaboration, problem solving and innovation. The key challenge for firms, apart from training, is to ensure that the data being delivered to new front-end tools are useful and reliable. With advances made in artificial intelligence, this may be in the grasp of many firms, but not on their radar as they grapple with the technology to collect and collate raw data and/or meet new reporting and disclosure requirements. Nonetheless, the possibilities for creating such capability should not be overlooked, particularly for the FS firms in the scope of the emerging operational resilience regime or sustainable finance initiatives.
17. With many business leaders now thinking about digital resilience, it is perhaps unsurprising that the Bank of England (BOE) is spearheading a new regulatory regime aimed at ensuring that the UK’s financial sector will remain operationally resilience in the face of disruptions to important business services undertaken by regulated entities within the scope of the regime.
18. Work on this new regulatory approach began before the onset of Covid19,18 but the challenges and changes that come with Covid19 will undoubtedly inform the framework’s development and implementation.
19. Each regulated FS firm, in the scope of the regime, will be individually responsible for setting clear impact tolerances for important business services. Unlike risk appetite levels set for credit, market risk, or operational risk, impact tolerance levels are not to be breached.
20. Tolerances will be set in relation to the potential impact of a business service disruption to: financial stability and safety and soundness (banks and deposit-taking institutions); degree of policy-holder protection (insurers); transfer or efficiency of payments (recognised payment system providers and specified service providers); or the operation of a financial market infrastructure (e.g., Central Counterparty Clearing House (CCP), Central Securities Depository (CSD)).
21. FS firms will be required to undertake an extensive mapping process to identify and document how each important service is delivered, anticipate how it could be disrupted and take steps to prevent, adapt, recover and learn from them.
22. A key feature of this regime includes the requirement to use scenario analysis to identify vulnerabilities (that could translate into risk tolerances being exceeded) as well as possible responses. To ensure this assessment remains meaningful, the scenarios (deployed by each firm) are expected to evolve with changes in the environment.
23. So, for example, if a retail bank assesses that telephone consumer authentication is an important business service, scenario testing may identify challenges associated with remaining within an impact tolerance of a 12-hour disruption. The mapping exercise may also identify several key supporting resources (e.g., a voice recognition programme) and two interdependent business services (e.g., telephone and online authentication) that use the same customer account database. Further scenario testing may reveal that these two services could fail at the same time, which would then prompt more investigation and investment by the FS firm.19
24. The stewardship responsibilities of the board under this framework are significant.
25. Board responsibilities go beyond merely approving those business services deemed as important and their impact tolerances. The board must also be satisfied that the entity has met all the underlying requirements concerning the strategies, processes and systems used to identify important business services, set tolerances and perform mapping and testing. Overall responsibility for implementing operational resilience policies and reporting to the board, falls to the Chief Operations Senior Management Function (SMF) 24 (under the UK’s SMCR regime).
26. Returning to the other two Rs, it could be argued that operational resilience considers both an FS firm’s responsibilities to its workforce as well as its relationships with consumers, regulators and wider society.
27. For instance, with the focus on important business services, FS firms should be able to identify when staff might be put in an untenable situation or where customers and the wider society are put at economic risk. In regard to the latter, this could take the form of a disruption in the bank’s controls that escalates and negatively affects the confidence in the wider payments system.20 Furthermore the requirement that FS firms self-assess, document and communicate their approach to UK regulators, will reinforce their responsibilities and relationship with their FS supervisors.
Sustainable finance and building resilience in the context of climate change
28. Building digital and operational resilience should also help FS firms in the area of sustainable finance (which covers a range of risks). Data is key in sustainable finance as well as understanding your business and your clients.
29. However, if resilience is about tackling and overcoming change (in the context of sustainable finance) is it any different from sustainability?
30. In sustainable finance, these concepts are sometimes used interchangeably, but confusing them could be dangerous for boards trying to come to grips with the specific implications of climate change – for their balances sheets and their suppliers, customers, clients, and investors.
31. Assessing the implications of climate change for an FS or non-FS business requires tools and data as well as an understanding of the myriad of frameworks (TCFD),21 reporting standards (SASB, CDSB),22 and incoming regulation (EU regulatory regime)23 which, to varying degrees, include related environmental, social and governance (ESG) concerns.
32. The resources and time required to create an institutional understanding of how these various frameworks/ standards/ rules relate to each other, should not be underestimated. Let alone the resources and knowledge required to build systems that can deliver reliable data on the profiles of reporting firms.
33. Moreover, much of the data is a product of classification systems (or taxonomies) that are insufficiently granular. Even the EU taxonomy,24 which maps economic activities to sectors, reflects trade-offs between granularity and flexibility as well as complexity and clarity.
34. Notwithstanding these trade-offs being remedied, reporting and manipulating ESG data directly (or indirectly) linked to the 17 Sustainable Development Goals (SDGs) developed by the UN25, does not translate into building a resilient balance sheet or business model.
35. Although laudable, the SDGs focus on avoiding an outcome. In particular, SDG13 is concerned with, in this century, avoiding an increase in global temperature that is 2 degrees Celsius above pre-industrial levels rather than tackling and overcoming the climate challenge without becoming overwhelmed by it. So, for example, even if SDG13 anticipates direct air carbon capture (DAC) technologies, it does not explicitly anticipate solutions such as the creation of net zero carbon synthetic fuels and the speed that they might be implemented and work alongside other technologies.26
36. So while assessing sustainability is essential, shifting the focus to resilience adds a further dimension and puts resilience to climate change within a board’s remit.
37. For many FS firms, the question of business model resilience to climate change will be brought into sharp focus by the BOE’s plans to stress test the resilience of business models – of the largest banks, insurers and the financial system – to the physical and transition risks from climate change. In fact, one of the desired outcomes of the exercise is to encourage FS firm boards to take a strategic, long-term approach to managing climate change risks.27
38. Known formally as the 2021 biennial exploratory scenario (BES) on the financial risks from climate change, the stress test includes a few key features that help to highlight the scale and objectives of the exercise. These include:
- The deployment of three different scenarios, with timelines that go out 2080, and include macro-economic variables. The three scenarios are: early policy intervention on climate change (as signposted by government policies); late policy action (involving a 10-year delay); and no (additional) policy action beyond what has already been announced.
- Counterparty-level modelling. For example, exposures to corporates would be analysed at the level of the individual company. This would include modelling cash flows and collateral values and reflect judgements about how companies would be positioned (so includes an assessment of current corporate mitigation and adaptation plans).
- Fixed BES participant balance sheets. In Part I of the exercise, it is assumed that the nominal size and composition of balance sheets (of 30 June 2020) do not change for the time horizon of the scenario and there is no management action. Thus, the resilience of a fixed balance sheet can be investigated at different points in each scenario.
- In Part II of the exercise the fixed balance sheet constraint is relaxed and BES participants may change their business models in response to the scenarios.
39. At first glance, the BES is solely aimed at assessing the financial resilience of FS firms. Nonetheless, this does not mean that board responsibilities and relationships (i.e., the other two Rs) are completely overlooked. For example, each scenario includes assumptions regarding consumer behaviour and appetites, and Part II of the exercise potentially provides scope for participants to consider the wider implications of stepping back from key services and rebalancing their balance sheet.
40. No doubt, some observers might suggest that the BES should go further. Arguably, a strategic response to climate change, must actively consider the welfare of the FS firm’s workforce and issues that might have previously come under the heading of corporate social responsibility (CSR).
41. Even if the UK Corporate Governance Code is not amended to explicitly refer to the concept of resilience, this concept of resilience is here to stay. However, the degree to which it is informed and balanced by other board responsibilities and relationships, remains an open question. It may be that the final answer depends on the culture of each firm and how the experience of Covid19 informs how firms approach their responsibilities to the workforce, and their relationships with stakeholders and the wider community.
About The Author
Anita D. Millar is an Associate Partner of Illuminet and Director of ADM Risk, Regulation & Strategy. Anita is a risk and public policy professional with over 25-years of experience of working in the financial services sector. Her career spans frontline risk management, audit, and consulting in the regulatory sector.
As a consultant, Anita has worked on an interim basis for highly regarded trade associations and sell- and buy-side firms and been responsible for several high profile projects where she has worked with clients to: help them understand new regulatory requirements; consider their response from a risk management and business perspective; and, communicate their response to internal and external stakeholders.
- Financial Reporting Council. “The UK Corporate Governance Code”, July 2018
- Under the UK’s corporate governance code heading “Board leadership and company purpose”, the board must also satisfy itself that the company’s culture is aligned with the its purpose, values, and strategy. Sufficient resources to meet company objectives as well the establishment of risk and controls are outlined under the third principle. The board’s responsibilities for effective engagement with shareholders and stakeholders are set out in the fourth principle. The fifth (and final principle in this section of the code) concerns the board’s responsibilities to the workforce. It is as follows and could be read narrowly: The board should ensure that workforce policies and practices are consistent with the company’s values and support its long-term sustainable success. The workforce should be able to raise any matters of concern.
- As reported by Daniel Thomas of the FT (29 June 2020), the appetite to improve corporate governance is growing. See – “City executives lead push to improve corporate governance in the wake of the virus”
- Stockholm Resilience Centre. “What is social-ecological Resilience?”
- Institute for Strategy Resilience & Security (ISRS), University College London, in association with the Shearwater Group. “Digital Resilience: Understanding the Challenges of Resilience in Digital Environments”, July 2018, page 15
- Editorial Board, “Building resilience should not lead to trade barriers”, Financial Times, 12 June 2020
- Ford, Jonathan. “Lockdown is exposing the folly of reckless financial strategies”, Financial Times, 3 May 2020
- ISRS in association with the Shearwater Group, July 2018
- The UK authorities are consulting on an operational resilience framework. See the FCA CP19/32 and BOE/PRA CP29/19
- Bank of England (BOE). “Discussion paper: The 2021 biennial exploratory scenario on the financial risks from climate change”, December 2019
- Wong, Kyle. “How Domino’s Transformed Into An E-commerce Powerhouse Whose Product Is Pizza”, Forbes, 26 January 2018
- Retail Week. “Ocado set to become UK’s largest listed tech company”, December 2019
- Linklaters. “Lawyers: Agents of Change in a World of Digital Transformation”, 2018
- Ready, Frank. “E-Signature Tech Is Having a Moment. Can It Last?” Law.com, 24 June 2020
- SenGupta, Reena. “Legal teams discover their inner geek”, Financial Times, 26 June 2020
- Bloomberg. “Banks Get a Glimpse of the Post-Coronavirus Future”, 21 May 2020
- BOE. ”Discussion paper: Central Bank Digital Currency Opportunities: Opportunities, challenges and design”, March 2020
- The deadline to respond to the BOE, PRA and FCA BOE consultations on operational resilience have been extended to 1 Oct 2020
- FCA CP19/32.”Building operational resilience: impact tolerances for important business services and feedback to DP18/04”, pages 13, 18, 21 and 24
- BOE DP01/18, PRA (DP01/18), FCA (DP18/04). “Building the UK financial sector’s operational resilience”, page 24
- As set out in the publications produced by the Task Force on Climate Change Disclosures
- Sustainability Accounting Standards Board focuses on the disclosure of financially-material sustainability information, and the Climate Disclosures Standards Board has developed a framework for reporting environmental and climate change information in mainstream corporate reports. Together the SASB and CDSB have worked together to produce TCFD implementation guidance and good practice examples.
- For summaries see publications by FactSet and Carbon Intelligence
- EU Technical Expert Group (TEG) on sustainable finance. “Taxonomy: Final report of the Technical Expert Group on Sustainable Finance”, March 2020
- An overview of the UN’s 17 Sustainable Development Goals, including Goal 13 on climate change – https://www.un.org/sustainabledevelopment/sustainable-development-goals/
- As being, for example, developed by Carbon Engineering or Prometheus Fuels
- BOE. “Discussion paper: The 2021 biennial exploratory scenario on the financial risks from climate change”, December 2019, para 1.6