“Metzlering” in the historic manor house in Alt-Bonames
The FIRM Fall Conference has a long tradition. And yet many things are different this year. The members were invited to the historic manor house of the Metzler banking family in Alt-Bonames. The hospitality, exclusive location and glorious sunshine gave the conference a special setting, which we were able to fill with exciting presentations. Accordingly, the conference was fully booked to the last seat.
“We are pleased to welcome FIRM and its members to this special place.” Stefanie Buchmann, Bankhaus Metzler
Stefanie Buchmann, whose responsibilities on the Metzler Bank Management Board include risk and compliance, began by explaining when and how the venerable building is used today: for events, by invitation only and only for selected meetings. “What is discussed here in a special atmosphere is called metzlering,” said Buchmann. A word that many participants are sure to remember.
On 18 September 2024, ESG, governance, cyber risks, DORA, organizational misconduct and geopolitical risks were discussed. Prof. Günter Franke and Dr. Wilfried Paus, who set the content framework for the event as Advisory Board Chairmen, focused on a broad range of topics in order to address all FIRM focal points in 2024.

COMPETITION BEFORE CLIMATE PROTECTION
Joshua Jung from ING Germany kicked things off. His topic: “Why ESG Matters”. Jung pointed out that the tide is likely to turn in the coming legislative period. Then it will no longer be climate protection that is at the top of the agenda, but competitiveness. Although the “Green Deal” will remain in place, no significant extensions or optimizations of the existing climate regulations are expected. Despite the decreasing political pressure on companies to achieve strict decarbonization targets, decarbonization is nevertheless becoming an economic reality, as Jung emphasized. This is particularly evident in the areas of energy generation, mobility and construction, where renewable energies and new technologies are becoming increasingly competitive. Jung also addressed the opportunities offered by the financing of climate protection measures. One growth area, for example, is clean technologies, where the need for financing is expected to increase dramatically by 2025. Jung concluded by explaining how ING integrates climate risks into its lending processes and manages long-term transition risks in various sectors, such as the cement sector. To this end, ESG rating systems are used to categorize companies according to their contribution to climate neutrality.
GOVERNANCE FOR FEWER LIABILITY RISKS
Prof. Dr. Josef Scherer from the Deggendorf Institute of Technology dealt with the current requirements in the area of governance, risk and compliance management (GRC) in the context of ESG (environmental, social, governance). He sees the increasing importance of governance for companies as a key point here, particularly due to increased liability risks for managers. Scherer referred to the German Corporate Governance Code 2022 and emphasized that companies need effective risk management and compliance systems in order to meet legal requirements.
He also focused on the Whistleblower Protection Act, which strengthens the protection of whistleblowers and makes it easier to uncover breaches. Scherer also highlighted the extended reporting requirements under the EU Sustainability Reporting Directive (CSRD), which also affects smaller companies. Scherer used many examples to show why sustainable corporate governance is not only legally necessary, but also economically advantageous, as it strengthens resilience and company value in the long term.
PENETRATION TESTS FOR MORE DIGITAL RESILIENCE
Dr. Michael Riecker and Saed Alavi from Protiviti focused on the practical application of Open Source Intelligence (OSINT) in the context of the Digital Operational Resilience Act (DORA). DORA requires financial institutions to develop programs to strengthen digital resilience, including penetration testing and attack simulations. Various test approaches such as red teaming, purple teaming and vulnerability scans are used to identify security gaps in IT systems and improve the ability to respond to cyber threats.
Riecker and Alavi went into detail about threat-led penetration testing (TLPT), in which real attack scenarios are simulated in order to uncover weaknesses in a financial institution’s security measures. Alavi used various practical examples to show exactly how information is collected for such attacks. For example, various publicly accessible sources can be used to prepare attack scenarios, such as the analysis of employees, networks or leaks in the code. Techniques such as phishing, SMiShing and physical access (e.g. through fake badges) were presented as concrete attack methods to exploit security vulnerabilities.
FROM INDIVIDUAL MISCONDUCT TO CORPORATE CRISIS
Dr. Sebastian Fritz-Morgenthal from Advisense addressed the transition from organizational misconduct to organizational resilience. Using prominent examples such as the LIBOR manipulation, Wirecard, FTX (Sam Bankman-Fried) and the Springer-Julian Reichelt scandal, he showed how individual misconduct, group mechanisms and organizational weaknesses can lead to major scandals and corporate crises.
Organizational misbehavior (OMB) arises from a combination of poor structure, conflicting objectives, inadequate monitoring and a lack of risk management. These weaknesses lead to “practical drift”, where day-to-day practice increasingly moves away from the documented rules. This encourages rationalization and normalization of misconduct within the organization, often reinforced by group mechanisms such as groupthink.
In contrast, the concept of organizational resilience was presented in the second part of the presentation. This is based on robust risk management, clear structures and a culture that takes early warning signals seriously and acts proactively to avoid crises.
Geopolitical risks and the impact on credit ratings
Dr. Mark Rosenberg from GeoQuant and Hannah J.V. Dimpker from Fitch gave valuable insights into how rating agencies are dealing with the increasing geopolitical risks. Rosenberg is the founder of GeoQuant, a company that specializes in quantifying political risk.
It uses modern data analysis and machine learning technologies to measure and predict political risks in real time. By combining large amounts of data, machine learning and expert knowledge, GeoQuant creates detailed and continuously updated risk assessments for countries, markets and political events worldwide. Rosenberg used various models to explain how this works in practice. He showed that countries with higher GeoQuant risks have a greater probability of devaluations, rising CDS prices and other negative market movements.
The data suggests that rising geopolitical risks correlate with higher chances of sovereign defaults and rating downgrades. GeoQuant offers an early warning system that performs better than alternative inputs such as the World Governance Indicators (WGI). This data is particularly useful in predicting currency movements and fluctuations in emerging markets. Rosenberg is convinced that GeoQuant data offers financial market participants valuable insights into impending credit events and market volatility, providing crucial information for risk assessment and management.
Outsourcing in the financial sector: monitoring critical third party IT providers
BaFin was also a guest at the FIRM Autumn Conference, with a practical presentation on DORA and the supervision of ICT third party service providers in the financial sector. Dr. Sibel Kocatepe from IT Supervision focused on the financial market’s growing dependence on IT services and the associated risks, particularly with regard to cyber threats and systemically relevant operational disruptions.
Kocatepe emphasized that the financial sector is increasingly dependent on external IT services, especially cloud services. In general, financial companies’ dependence on certain services or service providers can pose a significant risk to the stability of the financial system if these services cannot be provided by the financial company itself and are also difficult to replace. Initial analyses show that financial companies assume that they will not be able to reintegrate around half of the outsourced services back into their own company.
This makes it all the more important to monitor outsourcing, as Kocatepe emphasized. Since 2022, financial institutions in Germany have had to report their significant outsourcing arrangements in order to provide a better overview of critical dependencies. BaFin, the Bundesbank and the European Central Bank (ECB) receive these notifications. Monitoring is intended to help identify risks at an early stage and manage them in a targeted manner.

Kocatepe went into detail about the Digital Operational Resilience Act (DORA). The new European regulation, which is intended to make the financial sector more resilient to disruptions of digital systems, will apply from January 17, 2025. It regulates the cooperation of supervisory authorities with critical third party ICT service providers and is intended to ensure that the continuity of service provision is maintained even in the event of serious incidents. DORA creates a harmonized and coherent framework for the supervision of critical third party IT service providers and focuses in particular on providers of cloud computing services.
How European and national supervision intertwine is another important topic that Kocatepe is working on. While DORA standardizes the supervision of critical third party ICT service providers at European level, national supervisory authorities such as BaFin continue to retain control over service providers that are considered important at national level. In order to have a precise overview of the interconnections on the financial market, BaFin uses outsourcing maps to analyze conspicuous concentrations in the interests of financial market stability.
Under DORA, only those ICT third party service providers that are classified as critical by the European supervisory authorities due to their systemic importance are monitored. The criteria for this include the dependency of the financial institutions on them and the limited possibility of replacing these service providers with alternatives. A failure of these providers could have significant consequences for overall financial stability, as Kocatepe emphasized. This once again underlines the increasing importance of monitoring third party ICT service providers in the financial sector, in which DORA will play a key role. Critical ICT third party service providers must prepare themselves for strict requirements.
Presentation of the FIRM Yearbook Prize
The FIRM Yearbook Prize was also awarded at the research conference. Dr. Rainer Glaser from Oliver Wyman received the award for his contribution on the control and validation of Generative AI (GenAI).

The article highlights the central importance of the control and validation of generative artificial intelligence (GenAI). Since the release of tools such as ChatGPT, GenAI has become the focus of many companies that want to use the technology in various functional areas. The FIRM Yearbook Prize is sponsored by honorary FIRM member Wolfgang Hartmann and is awarded annually at the FIRM Autumn Conference.