Banking, The Art of War, and Operational Resilience: Lessons and Reflections From a Panel at IBA 2024
The future is digital, but building truly resilient banks in the digital age is a journey, one that requires not just a future-proofing mindset but a modern approach.
By Rajashekara Maiya
Earlier this month, I had the opportunity to be at The IBA 2024—a premier banking event hosted by the Indian Banks’ Association (IBA). The occasion? A panel discussion moderated by Milan Mitra, Partner, McKinsey & Company on “building tech-resilient banks.”
While I contributed to the conversation around the intriguing topic, I had time to reflect more on this hot-button issue.
The new world of banking: Soaring consumer expectations
What has been clear to us in banking tech, and in the context of this discussion, is that the tectonic plates of technology are shifting beneath the financial industry. Gone are the days of clunky interfaces and siloed operations; today’s digital-native fintechs and similar players set a new bar for user experience, raising consumer expectations with instant gratification and seamless, always-on experiences.
While the domino effect of past outages was confined to physical branches, in the digital realm, disruptions reverberate instantly, magnified by the megaphone of social media. The reputations of banks, painstakingly built over decades, can take a hit in a viral tweet (or now, an “X”). The stakes are higher, and the consequences amplified.
Now, incumbent banks risk having their foundations tested at previously unheard-of scales if they fail to adapt.
Lessons from Europe: World taking cue
In the post-pandemic era, resilience has been a significant focus in the banking world, to the extent that executive pay has been linked to the bank’s resiliency efforts and impact.
The world also witnessed geopolitical disruptions with the war between Russia and Ukraine. But the boundaries of the conflict were not limited to the physical world: the European Union’s (EU’s) financial and other critical infrastructure was the subject of intense cyberattacks—a precursor to the actual on-ground invasion of Ukraine.
The EU now wants to be prepared and has the necessary regulation in place: the Digital Operational Resilience Act or DORA.
DORA is a significant move away from regular business continuity or disaster recovery plan testing to comprehensive digital operations resiliency testing. EU banks need to have end-to-end plans for events where none of their servers, databases, or applications are available; banks would need to remain functional and resilient and provide services to consumers without disruptions. Not only would banks need to focus on their own infrastructure, but they would also need to identify and manage third-party risks in their ICT.
Operational resiliency regulations are also in the works in several countries: the UK, US, Canada, Australia, Singapore, China, UAE, and South Africa have all announced similar measures, a vast majority based on the standards and guidelines established by the Bank for International Settlements (BIS).
A practical three-pronged strategy for building truly resilient banks
For banks, I recommend a three-pronged approach to anticipating and mitigating disruptive events:
First, consider customer expectations, both retail and corporate—without taking them for granted—and have service level agreements (SLAs) in place, in line with any regulatory guidelines.
This will go a long way in building trust with customers. Banks can also leverage their customer advocacy boards to consider inputs into their plans as well as drive awareness of these plans, turning customers into brand ambassadors in the process.
Second, be transparent with the media and make your bank’s policies public; it helps a great deal. Publish in your annual reports your downtimes, broken down at a monthly level, and your plans and strategies to match or beat the best in the industry. Continuous monitoring, benchmarking, and reporting of service levels, while making strides in improving them, will make sure you, as a bank, are not caught off guard.
Third, build a technology stack based on anti-fragile architecture—architecture that is not just scalable, but performant and supports resilience.
As banks, you will need to implement a polyglot design that is plug-and-play, interoperable, adaptable, and cloud build-agnostic. Make sure your technology stack inherently follows standards. For example, consider cloud: your cloud architecture must conform to Cloud Native Computing Foundation (CNCF) principles and standards.
Being prepared, while it is easy to prepare
The reality is, as banks, you have no control over macroeconomic or geopolitical situations. But your strategy to be tech-resilient, digitally resilient, or operationally resilient should be agnostic of them.
I am reminded of Sun Tzu, in The Art of War, where he succinctly says: “Plan for what is difficult while it is easy, do what is great while it is small.”
Who knows? One day, God forbid, you may encounter both those perilous situations together in your country.
(The author is Rajashekara Maiya, Global Head – Business Consulting, Infosys Finacle, and the views expressed in this article are his own)