Blogpost

Resilience eats away at efficiency – and thus competitive advantage?

In times of increasing regulatory requirements, growing cyber attacks and growing dependencies on IT services and service providers, banks must protect their processes from disruptions through robust, agile and efficient measures. This increasing resilience is a step forward, but often comes at the expense of efficiency. Institutions are becoming more resilient to attacks, but are losing speed – and thus competitive advantages. The solution: intelligent management of resilience and efficiency – for each process.

Thorsten Tewes
Khalid Zoufal
10
5 minutes reading time
Header Blogartikel: Resilienz frisst Effizienz
Ralf Barsch, Advanced Audit Solutions

Co-author | Ralf Barsch

is the owner of Advanced Audit Solutions and supports credit institutions and companies in strengthening their management and auditing skills and making teams more resilient in the long term. Together with his network, he develops practical solutions for increasing organisational resilience.

Why more security stabilises processes – and gradually paralyses them

The requirements for the resilience (Article in German) of processes are becoming more stringent. The trigger is clear: regulatory requirements are increasing, cyber attacks are on the rise, and dependencies on IT services and service providers are growing.

As a result, banks and other regulated companies are currently building a second skin around their processes: more controls, more evidence, more tests, higher audit security.

That sounds like progress. And in some respects, it is. But what happens in everyday life is rarely spoken about openly: resilience is built additively. Every new weak point gets an additional layer. The process remains auditable – but becomes more cumbersome.

Our thesis is provocative, but it can be observed in practice: the more we maximise resilience, the more efficiency suffers. Institutions become more resistant to attacks, but lose speed – and thus competitive advantages.

The solution is not to move away from increasing resilience. The solution is intelligent control between resilience and efficiency – for each process.

Why resilience dominates everything right now

The starting point is understandable. Today, processes depend on interfaces, clouds, data flows and third parties. A single failure can bring entire value chains to a halt. At the same time, expectations regarding incident handling, testing, controls and auditability are rising.

Those who ignore resilience risk business interruptions, reputational damage, sanctions and, in extreme cases, existential damage. This is not an academic debate. It is about the ability to control under stress.

The creeping effect: resilience as a means of establishing control

In practice, resilience is often treated like a volume control. When things get tough, we turn it up. And because security never feels ‘complete,’ we turn it up even further. Identified risks are followed by additional controls, further approvals, more extensive documentation, and more frequent testing.

This approach is based on linear logic: more control should automatically lead to better, safer processes and a satisfied audit.

But reality is not linear. The first measures close real gaps. After that, the marginal benefit decreases, while complexity, coordination effort and throughput times continue to increase.

This is precisely where the tipping point occurs: increased resilience and control stabilise exceptional cases, but sabotage normal operations. Resilience then becomes a brake rather than a protective shield.

tipping point between resilience and process efficiency

Figure 1: The tipping point between resilience and process efficiency

Competition is decided in everyday life – not in crisis manuals

But customers don’t buy control chains. They buy speed, simplicity and reliability. If opening an account, making a credit decision, approving a payment or handling a complaint takes two days longer because additional internal approvals and evidence are required, this is not a ‘regulatory reason’ from the customer’s point of view. It is simply a bad experience.

And this is where things quickly become unpleasant. While we secure processes against extreme events, we lose out in daily competition to providers who manage risk smarter – not harder.

Resilience can thus become a competitive disadvantage. The institution is secure, but slow. And in many business models, ‘slow’ means ‘deadly’.

The economic truth: resilience is not maximisation, but optimisation

Increasing resilience ties up resources. Budget, skilled workers and management attention are then lacking in automation, process streamlining and product development. The trade-off is real.

Economically speaking, the benefits of additional resilience measures decrease with each additional layer, but the costs continue to rise. Institutions pay twice – through higher ongoing process costs and poorer market performance. ‘Maximum resilience’ is therefore not automatically ‘maximum sense’.

The crucial question is not how resilient a process can become, but how resilient it should be.

Resilience has diminishing marginal utility

Figure 2: Resilience has diminishing marginal utility – and can tip over into bureaucracy

The solution: intelligent control for each process

Anyone who takes this tension seriously needs a control logic that makes both resilience and efficiency visible. This cannot be achieved with a blanket approach of ‘more control’. It works with differentiation, measurability and design.

  • Firstly: segment processes instead of treating everything the same. Not every process is equally critical. Core processes with a high impact on customers, stability or regulatory obligations require different safeguards than supporting activities. Applying measures across the board increases complexity without providing any additional benefits.
  • Secondly, establish time as a common currency. Lead times, downtimes, number of handovers and rework rates belong in the same cockpit as restart targets and response times. Those who measure time can prioritise. Those who prioritise can use resilience effectively.
  • Thirdly: automate controls instead of using people as a ‘firewall’. Control by design is more effective: automated checks, clear decision-making logic, graduated protection mechanisms and clean data flows. This creates resilience without disrupting the process flow.
    Fourthly: reduce resilience debt. Resilience debt is like technical debt: outdated controls, duplicate approvals, reports without recipients, tests without insights. Those who do not consistently reduce these artefacts pay for efficiency in the long term – without additional protection.

 

Effectiveness comes from stability and speed – not from contro

Figure 3: Effectiveness comes from stability and speed – not from control at any cost

Which processes have you overinsured?

Many institutions are not lacking in resilience. They are overly insured in the wrong areas – and therefore less effective overall. Resilience then becomes not a gain in security, but a gain in complexity.

The strongest organisations are not the most resilient ones. Rather, they are the ones that manage resilience in such a way that their processes remain efficient.

Concrete impulse:

  • Take three of your core processes.
  • Be brutally honest in assessing which measures increase restart and response capabilities – and which ones only prolong everyday operations.

That is precisely where your competitive advantage lies.

Share: LinkedIn Xing X Facebook
Thorsten Tewes

Thorsten Tewes

has many years of professional experience in auditing and control functions at banks and savings banks. At msg for banking, he is responsible for control functions and audit support. Together with his colleagues in Business Consulting, he develops comprehensive solutions for the efficient performance of control functions, such as outsourcing management and business continuity management, within banks and savings banks. In the context of co-sourcing, he supports control functions and internal audits in the performance of audit procedures.

linkedin xing
Write a comment

You must login to post a comment.

Related articles

Discover even more interesting articles on this topic.

Blogpost
3 minutes reading time

AI governance and risk management from the perspective of banking and financial supervision

Blogpost
2 minutes reading time

FRTB Implementation: Market Fragmentation and the Critical Role of Data Quality

Björn Bhatia
Blogpost
5 minutes reading time

BRUBEG: The new draft law for less bureaucracy for banks

Sebastian Bader