This article was paid for by a contributing third party.
Strengthening technology resilience and risk controls against multidomain disruption
Financial institutions are not shielded from multidomain disruption – a greater risk and reality today than before. In a Risk.net panel session, convened at Risk Live North America in collaboration with ServiceNow, experts delved into the consequences of such disruption and best practice strategies to enhance digital resilience, including third-party risk mapping and scenario planning
The Panel
A vice-president for risk controls at a US bank
A global compliance lead at a leading financial institution
An asset-liability management (ALM) and treasury functions lead at a large European bank
Moderator: Mark Hofberg, Risk solutions executive, ServiceNow
Multidomain disruption, or widespread IT impacts across various domains, was highlighted by the CrowdStrike incident in July 2024, which exposed critical gaps in cyber security and operational resilience.
This multilayered threat environment underscores the need for banks to adapt their risk management frameworks to address traditional financial risks and emerging challenges such as cyber security, data privacy and operational continuity. The CrowdStrike outage served as a reminder of how interconnected systems can amplify the impact of a cyber attack.
As these disruptions become more frequent and multifaceted, the need to strengthen risk controls, map interdependencies and reinforce cross-domain incident response protocols is imperative.
This Risk.net panel delved into emerging risks, including multidomain disruption, the consequences of such disruption and strategies to enhance digital resilience, including third-party risk mapping and scenario planning.
This article explores the key themes from the session.
New vulnerabilities
Multidomain disruption has emerged as both a significant threat and a substantial opportunity for strategic risk discussions. Given the increasing likelihood of these disruptions, there is a clear opportunity to integrate them into the emerging risk framework, allowing for a more comprehensive and proactive approach to managing potential impacts.
The vice-president for risk controls at a US bank said the CrowdStrike event in particular exposed heavy reliance on a single technology, leading to operational risk impacts from a resilience standpoint: “Customers were impacted. They could no longer do the business they were expected to do.”
The panel noted several key aspects going forward, not least the potential for similar disruptions from a technology point of view, whether firms were impacted by the event and how that impact manifested itself. Tracking all incidents is essential to ensure everything is in order.
Additionally, it is crucial to assess whether these incidents were used to update and strengthen technology risk frameworks and identify any gaps from an op risk perspective. From a resilience perspective, internal reflections at financial institutions must include whether customers were affected and how the business can prevent a similar scenario in the future.
It is fundamental for firms now – from an emerging risk standpoint – to strengthen op risk event tracking and risk controls, and to identify technology risk failures that expose new vulnerabilities.
Decoupling technology and reducing dependence on a single platform or provider are also pivotal to maintaining balance and avoiding cyber mishaps. “Don’t put all your eggs in one basket,” said the ALM and treasury functions lead at a large European bank.
“This situation often arises, sometimes knowingly and sometimes unknowingly, when an organisation signs a contract with a provider offering an attractive platform. Over time, this platform becomes more integral to the business, expanding its role beyond the initial purpose. Six months or a year later, the platform becomes so essential the business cannot operate without it,” he added.
Robust governance for third-party risk
Taking stock of third-party risk and identifying technology interdependencies are paramount. Third-party risk requires understanding dependencies and managing the risks introduced. Organisations must ensure strong compensating controls – or at least understand the risk magnitude – and align it with their risk appetite.
“Ensuring we have robust governance across the overall data supply chain is paramount, and it becomes increasingly important when you talk about emerging technology solutions such as robotics automation or artificial intelligence,” said the global compliance lead at a leading financial institution.
The combination of legacy and new technology deployment also drives elevated levels of risk. And the panel emphasised that impact assessment must precede all phases of software development – planning, building, testing, application and operation.
“When you bring in a change, understand all the impacts that change is going to drive, all the risks of that change and make sure you have strong compensating controls up to the point you deploy that change to production,” the global compliance lead said.
On cyber risk, the global compliance lead said that identity, access management, model management and cryptography were a few of the emerging risks that impact global financial institutions. “Mapping exactly what data is being captured and how it is traversing banking systems – all the way to the point of provisioning for a critical regulatory report or high-risk model – is increasingly essential,” he added.
Concentration risk and scenario planning
Another risk that can amplify multidomain disruption threats is concentration risk, which arises when an organisation depends on a limited number of vendors, making its operations vulnerable to disruption if one provider experiences a failure, breach, outage or other significant issue.
Banks can mitigate concentration risk through internal control frameworks and strategies such as multi-cloud or hybrid-cloud approaches to ensure resilience and reduce dependence on any single provider.
“We would usually think through a multi-cloud or hybrid-cloud strategy, which must take into consideration that what may work for consumer banking technology may not work for institutional banking technology,” the global compliance lead said.
Concentration risk highlights the need for scenario planning, where firms map out concentration, emerging and residual risks. While scenario analysis is complex, it revolves around estimating probability and severity, the panel said. However, the fundamental point is to have an active list of scenarios that are meaningful and based on risks and risk inventory.
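To make the third-party mapping, concentration-risk and scenario-planning points above concrete, here is an added Python example; it is not code from the panel, Risk.net or ServiceNow. It assumes a hypothetical dependency map of business services, the technology components they rely on and the vendors that can supply each component, with constructed vendor names and outage likelihoods. For each vendor-outage scenario it works out which services lose a component that no alternative vendor can cover, expresses the share of critical services hit as a severity, flags single points of failure, and ranks scenarios by likelihood times severity against a concentration risk-appetite threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One business service depending on one component supplied by one or more vendors.

    More than one vendor in `vendors` means the component has a ready alternative
    (for example a multi-cloud or hybrid-cloud deployment).
    """
    service: str
    component: str
    vendors: tuple
    critical: bool


# Constructed sample dependency map (hypothetical services, components and vendors).
DEPENDENCIES = [
    Dependency("online_banking", "endpoint_protection", ("VendorA",), True),
    Dependency("online_banking", "cloud_hosting", ("CloudX", "CloudY"), True),
    Dependency("payments", "endpoint_protection", ("VendorA",), True),
    Dependency("payments", "cloud_hosting", ("CloudX",), True),
    Dependency("regulatory_reporting", "data_warehouse", ("CloudX",), True),
    Dependency("internal_wiki", "cloud_hosting", ("CloudY",), False),
]

# Constructed annual outage likelihoods per vendor (assumed figures, not market data).
SAMPLE_LIKELIHOOD = {"VendorA": 0.2, "CloudX": 0.05, "CloudY": 0.05}


def impacted_services(deps, failed_vendor):
    """Services that lose a component with no surviving alternative vendor."""
    hit = set()
    for d in deps:
        if failed_vendor in d.vendors:
            survivors = [v for v in d.vendors if v != failed_vendor]
            if not survivors:
                hit.add(d.service)
    return hit


def concentration_report(deps):
    """Per vendor: impacted services, impacted critical services and critical share."""
    vendors = sorted({v for d in deps for v in d.vendors})
    critical_services = {d.service for d in deps if d.critical}
    report = {}
    for v in vendors:
        hit = impacted_services(deps, v)
        crit = hit & critical_services
        share = len(crit) / len(critical_services) if critical_services else 0.0
        report[v] = {
            "impacted": sorted(hit),
            "critical_impacted": sorted(crit),
            "critical_share": share,
        }
    return report


def single_points_of_failure(deps):
    """(service, component, vendor) triples where a single vendor is the only provider."""
    return sorted(
        (d.service, d.component, d.vendors[0]) for d in deps if len(d.vendors) == 1
    )


def rank_scenarios(deps, likelihood, threshold=0.5):
    """Rank vendor-outage scenarios by likelihood x severity.

    Severity is the share of critical services the outage takes down; a scenario
    breaches appetite when that share exceeds `threshold`.
    """
    rows = []
    for vendor, entry in concentration_report(deps).items():
        p = likelihood.get(vendor, 0.1)  # default for vendors with no estimate
        severity = entry["critical_share"]
        rows.append({
            "vendor": vendor,
            "likelihood": p,
            "severity": severity,
            "score": p * severity,
            "breaches_appetite": severity > threshold,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for spof in single_points_of_failure(DEPENDENCIES):
        print("single point of failure:", spof)
    for row in rank_scenarios(DEPENDENCIES, SAMPLE_LIKELIHOOD):
        print(row)
```

The report shows the pattern the panel warned about: VendorA and CloudX each take down two of the three critical services on their own, because the services depend on them with no alternative provider, while the online banking hosting tier survives either cloud outage thanks to its second vendor. Replacing the constructed map with a firm's real service-to-vendor inventory is what turns this into a usable scenario list.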
Financial and technological innovation is a necessity and not an option. While cloud migration is becoming more essential than ever to maintain, sustain and grow business and to maintain robust data sources and application workloads, firms must be mindful about how they onboard a new cloud vendor and the type of workloads that are migrated to the cloud. Risk and resilience management must also be closely monitored when a specific cloud provider goes down.
In summary
There is no doubt that heavy reliance on a single technology is a multidomain disruption risk, which, in turn, introduces op risks, including potential impacts on business continuity and losses. These vulnerabilities can undermine resilience, exposing organisations to new threats. It is crucial to connect the dots between these risks, and prepare for and mitigate potential disruptions to avoid significant impacts in the future.
While cloud adoption is inevitable and beneficial, scenario planning and strengthening regulatory frameworks to mitigate the risks that may arise from cloud migration are critical.
The panellists were speaking in a personal capacity. The views expressed by the panel do not necessarily reflect or represent the views of their respective institutions.
Sponsored content
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net