Risk Management Strategies for Financial Sector Protection
A family of strategies now defends against risk in today’s densely inter-connected and inter-dependent society, with enterprise resilience heading the strategies list in the best-run entities.
The strategies are not simply ‘nice to have’. They are essential to being ready against inevitable threats: ‘part and parcel’ of good management. Resilience is not achievable without them.
Terrorism is often the driver to thinking about this now, and does offer starkly compelling scenarios. Threats in fact are innumerable. They are created as equally by nature as by human behaviours, and pandemics and climate change are as topical as terrorism and the war against it.
Former US President and World War II military leader, Dwight Eisenhower made this famous remark: “plans are nothing, planning is everything.” No plan can address all risks and threats. However, planning with appropriate strategies can enable recovery from almost anything and deliver tangible, additional benefits along the way.
Although not uniquely so, this is especially important to the financial sector. The business of finance is also the business of risk.
Risk does come at a cost
Risk does come at a cost, and that has to be managed closely and cleverly. Finance and insurance are Australia’s third largest industry sector. Australia is one of the largest and most highly-developed market places for financial services in the Asia Pacific region, with a global reputation for sophisticated and innovative financial services and products.
Evolution in the global economy makes the reliance on the international financial system increasingly vital. The need to have constantly functioning international payment and settlement systems cannot be underestimated.
Organisations typically are good at managing day-to-day risks that are tangible and occur regularly. However, managing the unthinkable, unpredictable and unlikely risks can prove more challenging. When something does happen, it is these risks that are likely to have the more severe consequences.
An operational risk framework outlines ANZ’s approach to managing this. It starts within the business, but stretches out strategically.
Within the company, business continuity management is a whole-of-business process. It provides the framework to ensure critical business functions can be maintained or restored in a timely manner in the event of material disruptions arising from internal or external events.
Business continuity management aims to minimise the potential and level of any material consequences, to ensure the operational continuity of the business. It is just one of the key components of sound, risk management practice.
ANZ places a strong emphasis on planning, prevention and preparedness to be more confident and better equipped to deal with real incidents. We have established a strategically-driven international program which includes security risk analyses and security audits, specialised retail security management systems and a strategic business continuity capability.
Business continuity planning
Appropriate business continuity planning and testing are essential to organisational resilience, and business units participate in a revolving cycle to keep their business continuity programs and capabilities current.
ANZ’s business continuity process is complemented and supported by comprehensive IT disaster risk planning and executive crisis management processes and capabilities.
More broadly, ANZ recognises that business continuity planning cannot be done in isolation. We work closely within the national critical infrastructure program in support of sectoral resilience and recovery. Critical infrastructure is the fabric of society, supplying and supporting the services and everyday things (including banking and finance) essential to our society’s functioning.
Government has recognised that some 90 per cent of Australia’s critical infrastructure is owned or operated commercially. This has been revolutionising relationships at the national level. It has enabled recognition, analysis and discussion of inter-dependencies within and across sectors.
Government too has benefited. It has a better sense of how the critical infrastructure really works, and how national interests need to be managed against risks and threats.
Beyond that, enterprise resilience currently is the ultimate goal and strategy for managing risks and threats, even the extraordinary. A need for enterprise resilience was defined by 11 September 2001, and the recognition of the long term societal and economic impacts terrorist incidents can cause. That need goes well beyond terrorism.
Resilience is essential to our increasingly complex society, and our increasingly inter-connected global community. It is cultural, and requires thinking outside traditional boundaries, but increases adaptive capacity and broad business capabilities. It also shows that integrated security and continuity management are part of the bottom line, and a vital one, offering competitive advantage.
Colleagues across a number of industry sectors and government are developing a framework for Australian enterprise resilience concepts and capabilities, drawing upon generous support from pioneers and practitioners internationally. Conversations are underway in several government-facilitated infrastructure assurance advisory groups, including that for banking and finance. The work is essential, exciting and commendable.
About the author: Damian McMeekin is the global head of security with the Australia and New Zealand Banking Group Limited. ANZ is one of the largest companies in Australia and New Zealand and a major international banking and financial services group, which is among the top 50 banks in the world.