APRA chief’s cyber warning
The prudential regulator has warned about the increased vulnerability of banks to cyber attacks as a result of the huge transition to working from home in the coronavirus pandemic.
Australian Prudential Regulation Authority chairman Wayne Byres said COVID-19 had been a major test of the sector’s operational resilience, with restrictions on social mobility forcing a rapid adjustment to ways of doing business.
“While critical services have been maintained, key processes had to be changed — in some cases dramatically — to support customers, to address service provider failures, and to respond to local and overseas lockdown measures,” Mr Byres said in remarks to an outreach meeting of the Basel Committee on Banking Supervision.
“From my viewpoint, Australian banks have navigated the past six or so months quite well. Importantly, at a time of extreme community uncertainty and nervousness, there has been no significant degradation of services provided to customers.”
In August last year, the BCBS, the primary global standard-setter for banks, sought comment on proposed principles for operational resilience, which aimed to mitigate the impact of adverse events by enhancing the industry’s ability to withstand, adapt to and recover from them. The adverse events included pandemics, cyber attacks, technology failures and natural disasters.
Mr Byres nominated increased risks to information security as one of a range of lessons to learn from the impact of COVID-19 on operational resilience. He said the trend to working from home had opened up new “cyber-attack vectors”.
“This introduces a range of heightened security concerns, including the capacity of virtual private networks to support remote working, the security of information accessed in the home environment, and the dependency on home rather than enterprise-grade connectivity,” Mr Byres said.
Early in the crisis, too, many banks had found themselves operating beyond their risk tolerance, and in some cases this had persisted for a while.
While there was inevitably a need for speed, and often little choice in the actions taken, recovery plans to get back within risk limits had been helped by quickly identifying and spelling out what boards and executives expected.
On the robustness of business continuity plans, Mr Byres said a few areas had emerged which strengthened those plans, despite the unprecedented nature of the pandemic. These included the repatriation of services previously conducted offshore.
“Banks will need to re-evaluate what scenarios they consider plausible, and what additional scenarios they need to cater for in business continuity planning and testing,” he said.
“A key dimension will be the longevity of the disruption.”
While COVID-19 had provided a valuable real-world test of some aspects of contingency planning, other aspects had suffered. The impact of the pandemic had not only delayed some testing, but it had also created challenges for banks’ ability to enact disaster-recovery plans that involved, for example, accessing physical alternative sites.
“While there’s a natural focus on the lessons from COVID-19, other risks such as wholesale data centre loss, major cyber-attack and data corruption haven’t gone away,” Mr Byres said.
“COVID-19 has also brought to the fore the impact of a prolonged period of remote working and lockdowns on staff wellbeing, with an increased prevalence of mental health issues from stress, anxiety and isolation.
“Contingency planning in the future will, therefore, not just be about systems and processes, but will inevitably have a much stronger ‘human’ element to it.”