CWBFG Annual Report 2021

Key Operational Risks

PEOPLE RISK

People risk relates to an inability to attract and retain an appropriate staff complement, which would adversely affect our ability to achieve our strategic objectives. We intend to continually attract and retain qualified team members to successfully execute against our vision to become the best full-service bank for business owners in Canada. We do this by proactively investing in our practices and programs to build a positive, rewarding and collaborative work environment, where teams are empowered to deliver exceptional client experiences. Human Resource guidelines and processes are in place to ensure team members are adequately trained to perform the tasks for which they are responsible and to enable retention and recruitment. Our values include a people first approach to planning and execution, a focus to drive inclusion and diversity as key business advantages, and specific strategies to increase our brand awareness in the markets where we operate. We complement this with a specialized and knowledgeable approach to talent acquisition, a competitive total rewards offering with differentiated benefits, flexible work arrangements, comprehensive learning and development opportunities and a proactive focus on succession planning.

TECHNOLOGY AND CYBERSECURITY RISK

Technology Risk

Technology risk is the risk of loss or harm related to the operational performance, confidentiality, integrity and availability of our information, systems and infrastructure. As with all organizations, we are highly dependent upon technology and supporting infrastructure, such as voice, data, systems and network access. In addition to internal resources, various third parties provide key components of our infrastructure and applications. Disruptions in information technology and infrastructure, whether attributed to internal or external factors, and including potential disruptions in the services provided by various third parties, could adversely affect our ability to conduct regular business and/or deliver products and services to clients. We have a number of projects underway focused to increase our digital capabilities which may potentially increase risk exposure related to information systems and technology. Ongoing diligence is required to ensure systems are secure from threats. We continuously identify and assess key services to ensure potential failure points are highlighted and related risk is mitigated in the best possible way (i.e. upgrades, enhancements, new products). We rely on technology that incorporates automated systems with built-in controls and active management of configuration and change management along with information security management programs. With a significant number of our team members working remotely due to the COVID-19 pandemic, our dependence on remote access to information technology and supporting infrastructure remains elevated. We regularly monitor, assess and revise our business continuity approach and response to ensure our ability to maintain critical operations through periods of business disruption. Our Information Services team has worked diligently to ensure our teams have uninterrupted remote access to required technology and infrastructure through our secure platforms.
Our Information Services team also continues to partner with ERM to apply further rigour and enhanced governance of the identification and evaluation of potential risks in the technology environment.

Cybersecurity Risk

Cybersecurity risk is the risk of loss or harm due to compromise of our information assets (i.e., the unauthorized use, loss, damage, disclosure, or modification of company information and information systems) caused by a failure to protect our information assets. Our Cyber Risk Management standard provides a consistent enterprise-wide approach to efficiently and effectively manage cyber risk while enabling CWB to successfully achieve our strategic objectives. We manage information security risk by ensuring appropriate technologies, processes and tools are effectively designed and implemented to help prevent, detect and respond to threats as they emerge and evolve. Our Information Security Office continues to enhance our comprehensive suite of controls to protect CWB’s operations and our customer and corporate data from attack and has partnered with leading third-party service providers to provide counsel and support should the need arise. We regularly test the completeness and effectiveness of our information and cybersecurity program through penetration testing and control evaluation exercises conducted by independent third parties, the continuous monitoring of our environment for indications of control weakness by a team of dedicated resources, and mandatory training sessions for all team members. As we continue to enhance our digital capabilities, a focus to advance our cybersecurity enables our growth trajectory. By implementing and benchmarking the effectiveness of our industry-proven cybersecurity risk and control frameworks, we ensure our ability to safely deliver services to our clients through digital channels.

OUTSOURCING AND THIRD-PARTY RISK

Outsourcing and third-party risk is the risk of loss or harm due to a third-party service provider failing to deliver functionality and performance required to effectively support underlying business objectives, caused by inadequate selection, retention, oversight and/or monitoring of the relationship, or by inadequate contractual terms and conditions. To manage this risk, we rely on our Third-party Risk Management framework, which reflects a risk-based approach to centrally identify, assess, manage and monitor third-party risk and leverages the three lines of defence model. During fiscal 2021, we continued to mature our third-party risk management processes and tools, particularly in relation to the assessment of the internal control environment of potential service providers prior to entering into an engagement, with a focus on technology providers. Third-party Risk Management will continue to be a focus in fiscal 2022 as an important part of CWB’s overall operational resilience strategy to ensure continued delivery of critical operations during times of disruption.

DATA RISK

Data risk is the risk, whether direct or indirect, that arises from reliance on data to support our ability to make informed decisions and develop accurate reporting and analytics for senior management, our Board of Directors, regulators, or customer facing and/or marketing purposes. Potential risks can relate to data management, data taxonomy, metadata, governance, access, or data that is incomplete, inaccurate, untimely and/or inaccessible. Data is considered a key strategic asset and the volume, value and type of data we rely on have increased in recent years. As data is produced and consumed by different business lines and geographies across CWB, an effective, collaborative and holistic approach to data risk management has been implemented to minimize reputation, regulatory and financial risk.
Our Data Governance framework and supporting protocols reflect a risk-based approach to support oversight and management of critical data elements to enable greater coordination and consistency of our data. We continue to enhance and mature our data remediation processes and data quality monitoring tools. Our ongoing programs related to data protection and access management also ensure that data is only accessible when directly relevant to the team member’s role.
