Two years ago, Russia launched a full-scale invasion of Ukraine from the ground to the skies. As millions fled for safety, the country’s banks — the anchor of the nation’s financial system — hunkered down.
Remarkably, today nearly all Ukrainian banks are adequately capitalised, profitability has been at record levels and the banking sector has shown “considerable resilience”, according to Fitch Ratings.
How have they kept it together? Banking Risk & Regulation, a sister publication of The Banker, spoke to Oleksandr Pysaruk, CEO of Raiffeisen Bank in Ukraine, the country’s fourth-largest lender by assets, to get the inside view.
A risk manager at heart, the former central banker joined Raiffeisen Bank in 2019 from the IMF. In under three years, he went from drafting policy in Washington DC to steering a bank during the bloodiest conflict in Europe since the second world war.
Q: How did the bank prepare itself for the threat of invasion?
A: Many did not believe the war would start. I didn’t believe it either but we still prepared for this event.
In November 2021, we took our old business continuity plan from 2014/15, when a smaller-scale war started in Donbas and in Crimea. We realised that the BCP was grossly outdated so we started refreshing everything, not as a “tick the box” exercise but a proper review and we tested it several times.
That plan actually was the backbone of what we did later. It covered all the areas of critical functions and activities of the bank, but the particular focus was on cyber security. It was also on infrastructure — telecoms, fuel generators, stuff like that — to keep operations going under different circumstances.
In particular, we looked at things like so-called back-up metrics which dealt with concentration risk, location-wise, across the country to make sure that staff were not too concentrated in one single location. Those were the most key and we really did test them, including back-up functions.
We tried to give the call centre this feeling of what it could be like when questions start popping up, so the staff could get some sense of what they could expect. When the war started [in February 2022], the call centre was overloaded so that type of mental preparation and physical testing was important.
Q: Ukraine war: how detailed was the business continuity plan?
A: It was a fairly concise plan, but it was more about practical execution and training. We condensed the documents to its bare essence because paper doesn’t cut the trick. It’s the real people who do the job. Maybe me coming from the IMF which is a “writing institution”, I insisted that we didn’t produce hundreds of pages.
Q: Were there any learnings from the previous 2014 conflict in Ukraine?
A: The critical lesson from that conflict was “operational agility”. In one of the first meetings [in 2022], we made an important decision to decentralise cash-in-transit operations and branch management.
We let management of our operational branch network decentralise the management. We let two people decide — the branch manager and their direct boss — either to open the branch or not and what type of operations to do, which was critical in the combat zones.
So when bombs were coming down, two people made those decisions, not the board. We had a report every day on how many branches were open or closed but the decisions themselves were done on a very decentralised basis.
That was clearly a learning from 2014. The bigger the scale of the war, the more you cannot centralise it. Armies cannot fight the war from the top, the field commanders make decisions. That learning came from 10 years ago.
A third lesson was that if you have too much cash in certain vaults, you may lose them. This bank had some in Crimea and in Donetsk. So before the [2022] Ukraine war, we repositioned our cash vaults closer to central and western parts of Ukraine, so not really having much left in the south and eastern parts.
Read more
Q: Ukraine war: how closely have you stuck to the BCP?
A: It was not like what Mike Tyson said: “Everybody has a plan until you get punched in the face.” What we learned was that our plan was good but clearly it did not take into account the magnitude and scale of the war.
The war triggered a large migration of people in Ukraine, from the south, east and west to abroad. We facilitated the evacuation of 5000 people, which included 1000 staff and 4000 of their family members.
The assumption in the BCP was nowhere near the scale of 1000 staff, which was basically almost 20 per cent of our workforce.
It meant some of them having to do critical functions on the road, from bomb shelters. We luckily had shelters, connectivity, and computers. But you can’t model this, it comes to you when it comes to you.
Q: How well did the BCP work in 2022 when the Ukraine war began?
A: You could say that 80 per cent of it worked, [like the] Pareto Principle. We had to modify the plan to accommodate for new circumstances, which was the key challenge in the first months of the war.
Six months down the road, the destruction of critical infrastructure — preparing for the blackouts. That was the theme of the fall of 2022 and that was totally new. We did prepare in the original BCP for some communication breakdowns, but not for the full blackout of the country. That was totally new.
We started moving our critical function stuff abroad to different locations in Vienna, Austria, and a few other countries.
Another plan we did was for the Zaporizhzhia nuclear plant, when there was a threat of nuclear explosion. We had to create a separate mini plan for that, how we’re going to evacuate staff, which branches we’re going to close, what else we need to do to neutralise the impact [of a possible nuclear fallout].
Q: Ukraine’s banking system is very technology dependent. How did Raiffeisen Bank maintain its dependence on technology?
A: Destruction of the data centre is the most critical and most dangerous operational risk. When your data centre is destroyed is when the bank stops. Then you need to recover the data — it may take you days, weeks or months, depending on the size of the damage.
It was not a part of our original BCP. But when the war started we quickly prepared a cloud migration.
That’s one of our remarkable achievements during the war; it took us three months to plan and execute the transfer of the most critical systems to Amazon Web Services. We decided on this really in mid-March 2022, when we saw the intensity. We said: “Guys, we need to mitigate that risk because it’s a going concern risk.”
We mobilised at least 160 staff who did nothing but cloud migration. We had let go all external vendors developers on day one [of the war] for cost-cutting purposes and refocused virtually. At least 35–40 per cent of our IT staff [were on this].
We continued afterwards [even] after the Russians were out of Kyiv and we realised the risk was more remote. Now most of our infrastructure is in the cloud. One of the best decisions I made was two years before the war: investing in IT security.
Banks should avoid the concentration of critical functions in locations. In the modern world — and with the risk of war — you should not have this concentration.
We got used to concentration risk in credit portfolios and market risk but suddenly, this “locational concentration” of physical staff [and data] became a big issue.
Q: How did the bank mitigate these non-financial risks translating into financial risks?
A: The quality of the client base is critically important to mitigate the downside of the credit portfolio. We had really filtered our base to make sure we only have clients who we know for a long time.
We spoke to them every day in the beginning. This intensity of communication helped us to reduce the potential losses and impairment of credit.
We also did customer surveys, monthly from the beginning of the war, and clients responded. They wanted us not to panic, and they gave us data. We used this data to manage our portfolios.
Amazingly, we did not tighten our credit policy too much — definitely not to legal entities. We did on the private individual side where the most vulnerability was in the first few months, we cut the credit limits on credit cards too. But on the legal entity side, we actually kept going.
Yes, we concentrated our lending activities in the critical sectors for the country. Most of our lending happened there, but we did not really pull the plug on clients.
Non-performing loans went up, but then they quickly flattened. And what we see now is they gradually decrease. We worked out the problem loans — there are a couple of large files — but we successfully worked them out. So the actual losses from the credit portfolio are actually not that big.
Q: What were the biggest compliance challenges for the bank?
A: The presence of Raiffeisen Bank International in Russia was one of our main problems during this war. Ukrainians wanted us to exit but exiting the country for a large bank is difficult. I dealt with bank resolution frameworks at the IMF. I know how technically difficult it is. Then you need approval from the country we want to exit, which is not easy.
It’s difficult to explain this to the population, who hated this. We tried our best. I think to an extent we mitigated this a little bit, but you cannot fully mitigate it. The interesting thing, though, is that it did not have a major impact on our clients, we actually maintained a flat base of active clients at around two-and-a-half million.
I think the reason was because Raiffeisen Bank did a lot to support the country and the economy during the Ukraine war. People knew it. And I think everybody kind of liked us. They didn’t like our parent company, but they didn’t leave us either en masse.
Beyond the presence in Russia, the big thing was — and is — sanctions. We had sanctions from [the US, the EU and Ukraine] coming en masse; many of the sanctions needed to be operationalised and put in the systems.
You think you can execute sanctions from day one. No you can’t. Many of them require automation and IT development. So it was a challenge, and I think still is. Now the sanctions influence has somewhat subsided, but that original wave of sanctions — we and all Ukrainian banks sweated to implement them, operationally. And then you have to monitor them, get the filters and procedures right. So operationalisation of sanctions is a huge thing, a key lesson.
Maybe the lesson for other countries, particularly emerging countries where capital controls will be introduced in war: compliance functions and financial monitoring will be [paramount]. Because of all the human work, sanctions need to be operationalised, you have to get more compliance staff and then actually monitor them.
You have to have a period of manual work until you get this automated. So there’s always the workload on operational staff and compliance staff once the sanctions get rolled [out]. You gradually digitise that but it takes time.
Be prepared. Have strong IT staff, have agile flexible systems and modern architecture to be able to accommodate fast for the new sanctions requirements. Sanctions were not in the BCP — that probably falls into the 20 per cent that I mentioned. You cannot model sanctions, that’s the problem.
The Ukraine war provides so many lessons for banks. If I will do my BCP again, I would include the sanctions and destruction of physical infrastructure including, God forbid, nuclear plants.
Q: What could the central bank — the National Bank of Ukraine — have done differently?
A: They largely did things right in terms of monetary policy, exchange rate policy, capital controls and prudential regulations. I think what they could have done better, knowing they rolled out so many of the new regulations on sanctions and financial monitoring and currency controls, was to be more receptive to the difficulties to operationalise and implement these [requests]. They were totally unreceptive. They were kind of pretending that the people hiding in the bomb shelters should have done it yesterday or the next hour after they issued the regulation.
Q: Ukraine war: looking ahead, what challenges do you envisage?
A: At the moment, it more or less looks like a bloody stalemate. We actually are in a relatively stable position from the perspective of risk management, compliance, financial monitoring, capital controls, currency controls.
If there are any drastic developments in the military [situation], that will bring more risk. We would have to go back and redeploy the BCP playbook, but doing this the second time is way easier than the first time. The first time it took us four to six weeks to stabilise.
But for now, risk management and compliance is a “business as usual” — a lot of work but nothing really dramatic. Strange, huh?
The key thing now is people. People are tired after two years of war. We need to support our staff through wellbeing programmes, motivational programmes, talking to them. To get people’s mood up and hold it up and persevere in extreme fatigue is the biggest challenge.
This article first appeared in Banking Risk & Regulation, a publication by the Financial Times Group
