ORR's top 10 operational risk concerns in 2012

Regulatory overhaul, economic crisis and rising crime - 2012 will be a busy year for op risk

In 2010, managers could be forgiven for thinking they would experience a lull after the financial meltdown and world recession of 2008–2009. But 2011 provided ample evidence that the crisis isn’t over yet, with the eurozone debt crisis spreading and intensifying. Next year will be far from easy.

Picking the top 10 operational risks for next year wasn’t simple – the challenge, in this climate, was limiting the list to 10. Given that, we haven’t tried to rank them, either by severity or likelihood. In no particular order, here are the main worries for the operational risk management industry in 2012.

Pressure for operational efficiency
Economies in Europe and North America spent 2011 locked in stagnation or recovering only slowly – putting some financial-sector companies under pressure to reduce operational costs. And this pressure will continue: economic growth is predicted to be poor in many large economies – the US will see only 1.8% growth, the eurozone 1.1%, the UK 1.6% and Japan 2.3%, according to the International Monetary Fund.

“The economic crisis means companies are tightening their belts,” comments Matt Taylor, an associate director at London consultancy and auditor Protiviti. “They are concentrating on performance issues, trying to reduce downtime and failure rates – the aim is to save money by boosting efficiency.” But cost-cutting might have the opposite effect if it means cutting back on control functions – fraud, in particular, is believed to rise during economic downturns because non-revenue-generating functions such as internal controls are seen as easy targets for cuts, according to the latest fraud survey from accountancy firm Ernst & Young. “Cost-cutting is seen as a major challenge by 60% of our respondents. This will, inevitably, place pressure on non-revenue-generating functions such as internal audit and compliance that are so critical in managing the risks of fraud, bribery and corruption,” the survey’s authors wrote.

The other side of the coin is that financial institutions will also be under pressure to produce returns in an extremely unfavourable environment, and this increases the risk of misbehaviour. In particular, rogue traders might go unnoticed – or even be rewarded – as long as their trading appears to be bringing in superior returns; Société Générale rogue trader Jerome Kerviel was motivated by the lure of increased bonuses linked to the profits of his unauthorised trades.

“Senior executives have typically allowed such activities to go unchecked for one of two reasons: when times were good, the business generated significant profits; as the credit squeeze took effect and the economy turned, past excesses needed to be covered up,” wrote Richard Abbey, head of the London financial investigations practice at security specialist Kroll.

Disaster recovery and business continuity
A perennial concern for operational risk managers is the impact of disasters – natural and man-made – on their business. It is regrettably easy to predict that 2012, like 2011, will see business continuity still a live concern for operational managers. This year has been marked by major earthquakes, first in Christchurch, New Zealand and then – even more destructively – in east Japan. Weather-related disasters also attracted notice, with serious floods in Australia, Hurricane Irene in the Caribbean and on the US east coast, and an outbreak of tornadoes in the southwestern US among the costliest disasters. By the end of June, 2011 had already broken the record for damage done by natural events, according to a Munich Re report published on July 12.

Weather-related disasters will only grow more common and more serious over time, according to analysis from the US government’s National Climate Data Center. “The combination of more active hurricane seasons [due to climate change], coastal population increases and increasing per capita income along the US East and Gulf coasts” means the damage caused every year by hurricanes will increase, the centre predicts, and the same factors apply in other storm regions.

Greater wind speeds and rainfall will mean more physical damage done, and therefore a higher business continuity challenge to companies operating in the affected areas. Denser populations in vulnerable areas – a trend not limited to the US – mean offices and headquarters are more likely to cluster there as well, and will be more at risk, either directly or because they are deprived of important personnel in the aftermath of a storm.

New communications technology has had unexpected benefits in the aftermath of major disasters. With telephone landlines disrupted and mobile networks overloaded or without power, companies in earthquake-affected regions of Japan found social media services such as Twitter and Facebook were a more robust and reliable means of maintaining communications. Keeping in touch has emerged as a vital aspect of recovery after a widespread and complex natural disaster event such as the March earthquake – operational risk managers will need to examine business continuity plans with this in mind.

Mis-selling
Mis-selling of financial protection products – payment protection insurance (PPI) – has cost UK banks dearly in 2011, with £264 million in payouts to wronged customers in the first half of the year alone. Earlier this year, UK banks ring-fenced a total of £5 billion for future PPI-related compensation payments.

And the issue isn’t limited to the UK. Banks in Canada, the US, Italy, Hong Kong and elsewhere have all been charged with abusing their positions by selling unsuitable products – highly complex or highly risky – to retail and other unsophisticated investors such as local government bodies. The trial continues in Milan of four banks charged with mis-selling derivatives products to the city government in 2005.

Two factors mean mis-selling cases are likely to remain a prominent issue in 2012. First, settling a few high-profile mis-selling cases will entice further complaints. “The publicity [over PPI] has meant more consumers are aware they might be able to complain about products they bought,” comments Sue Berwick, senior UK compliance analyst at Wolters Kluwer in London.

Secondly, continuing economic pressure is likely to make complaints more common; under financial pressure themselves, investors are much more likely to try to recoup any loss. Sales of complex structured products peaked in 2006–7, and deals closed in late 2006 are only now resulting in charges – implying the wave of prosecutions is far from over. Banks might also face much closer regulatory attention to ensure retail investors are not sold unsuitable products – and the extra approval process will bring with it more operational risk challenges.

Data management
One of the biggest shocks of 2008 was the discovery that regulators – and even banks themselves – were ignorant about the extent of institutions’ vulnerability to the developing crisis. Panic spread in large part because of ignorance about the true extent of interbank exposures to troubled firms such as Lehman Brothers. Reform efforts since have laid great emphasis on improved position-reporting – transaction data repositories are already on line, and regulators are pushing for them to be expanded, and for major banks and institutions to report more detailed position information on a regular basis.

But this reform does not come without costs. Ralph Baxter, chief executive of data management specialist Cluster Seven in New York, comments: “By demanding more and more reports, regulators are making changes to the underlying databases much more difficult. Long-term projects have been delayed and there have been casualties – that could be a sign of a lack of time and attention. We’re seeing a lot more tactical activity than strategic activity. And there are limited budgets for the back office, so this is really storing up problems.”

Pressure to prevent future rogue-trading events might also mean new data management challenges. Spotting a single rogue trader in an otherwise honest – or at least compliant – department means paying attention at the individual level, Baxter says. “The problem is that often supervisors are looking at the aggregated trade data, and that will look OK – if you have a rogue trader who is cancelling a lot of false trades [in order to avoid detection] you won’t pick that up as an anomaly at that level. You need to look at individual feeds, such as individual traders’ records.”

And operational risk managers also need to keep an eye on the growth in end-user developed applications (EUDA), says Paul Saunders, a director at financial technology company Sapient in London. “More and more people are developing their own applications for valuation or whatever, and these things can increase operational risk,” he warns. “Control of EUDAs is essential – you need to have an inventory and know which ones are business critical. The lack of control is a real risk.”

Regulatory compliance
Keeping in line with new regulations will be high on the list again in 2012. The US Dodd-Frank Act has been passed, but uncertainty still surrounds the details of how the Act’s requirements will be translated into regulation.

“So much of Dodd-Frank is still undefined,” comments James Gellert, chief executive of New York ratings agency Rapid Ratings. “That will be a big challenge for anyone in operations or compliance – 2012 could be a limbo year.”

Dodd-Frank isn’t the only challenge in this area: compliance with the UK Bribery Act will remain a concern into 2012, and other countries might well follow suit in tightening up their anti-corruption efforts, lawyers believe. Insurance companies will face new uncertainty around the Solvency II capital adequacy regulations since the announcement in late October that full implementation would be delayed until 2014, leaving them unsure about what regulations will apply during 2013.

The US Foreign Account Tax Compliance Act (Fatca) is also set to come into force at the end of 2012, but the cost and difficulty of implementing the Act’s requirements on reporting US citizens’ foreign bank accounts – and its sanctions on non-compliant foreign banks – mean the final shape and schedule of the rules are unclear. In any case, banks are preparing for massive compliance costs, and might also face problems with local data protection and privacy laws.

At the same time, governments will start to phase in the first parts of the Basel III capital adequacy rules for banks – another compliance challenge, with uncertainty over how different countries will implement the rules into national law raising the possibility of regulatory arbitrage.

“New regulations represent a big change-management requirement,” says Brett Aubin, co-head of risk assurance at Sapient in London. “That itself will place institutions in a state of operational risk, from five or six directions at once. Budgets are tight, and the question is whether it is possible to sustain this while carrying out these changes. There will have to be a lot of negotiation with regulators on the details of these rules.”

“We’re still only at the beginning of the direct impact these changes are having,” comments Rohan Douglas, chief executive of New Jersey-based financial technology specialist Quantifi. “Also, the technological and infrastructure changes resulting from them will be significant.”

Fraud and insider risk
Technology and procedures attract much of the spotlight in fraud prevention, but it’s vital to remember that fraud is ultimately a human failing – due to malice, greed, neglect or deliberate inattention.

Finance faces a particular risk here, says Peter Turecek, a New York-based investigations and due diligence specialist at Kroll. “The financial sector has the highest rate of loss [from fraud], the highest rate of attacks, the highest levels of internal fraud and money laundering,” he notes. Kroll’s 2011 Global fraud report found the financial services sector lost an average of 2.7% of revenue each year to fraud, with insider fraud and data theft a particular threat. “It’s insiders, because they are the ones with access to the data,” Turecek comments. And with job security distinctly uncertain in the financial sector – as elsewhere – the motivation for fraud can be revenge as well as gain. But, he adds, there is a bright side to this: “It’s on a par with 2010, but awareness of the issue has increased. The increase in insider fraud includes an increase in awareness and activity by survey respondents.”

Fraud is, the figures seem to suggest, a cyclical industry – in harsh economic climates, the motivation for fraud is stronger as individuals come under financial pressure. With the average fraud lasting between two and three years before discovery, many frauds initiated at the lowest point of the 2008–9 recession are still undetected. The wave may not have crested yet.

And there are other risks besides fraud under this heading. “An often-neglected risk is people. You have to consider how you are managing them. If you have people leaving, you need to consider whether the right people are staying, so you still have the right mix of skills. You have to consider the risk of fraud, their contractual arrangements and data security,” Taylor comments.

There’s also the issue of business continuity – ensuring cost-cutting doesn’t mean losing essential skills or knowledge. “If you have well-segregated responsibilities and you cut staff, how well can you continue to keep your processes up to date?” asks Mike MacDonagh, enterprise risk management content strategist at Wolters Kluwer Financial Services, in Redhill, UK.

Online security
In 2011, security industry experts say, the threat of online attack grew sharply. The sophistication of the threat has grown dramatically, with the wide availability of variants on the ZeuS and SpyEye trojan software programs – criminals can download kits containing the attack software and even sign up for online courses on how to use it. Dean Goodlett, assistant vice-president and fraud investigations manager in the financial intelligence unit at Rabobank in California, commented in October: “It’s a global information age for the criminal element. Information is being shared back and forth around the world. Starter kits are available for sale online, so you have people who are not even committing crimes themselves but selling the tools for others to be able to carry out the crimes.”

Customer information will continue to be the prime target in 2012, Turecek says. “Customer data has been the most widely stolen in 2011 and it will definitely be on the rise in 2012 as identity theft becomes more sophisticated.” A growing trend is for criminals to use illegally obtained customer information as a building block in a more complex fraud, rather than attempting to set up an unauthorised transfer from a compromised bank account directly, which would potentially trigger alarms set to respond to unusual customer activity.

And there is another reason operational risk managers should be paying attention to the online threat: governments are growing increasingly concerned about the risk to infrastructure from online attack. Last year saw the discovery of the Stuxnet program, a sophisticated piece of software designed to cause physical damage to computer-controlled manufacturing equipment.

The UK government and others are now intent on securing ‘national infrastructure’, which could include automatic teller machines and payment systems, against attack, with cyber-security identified as a national priority. And an online attack that damages other infrastructure such as electricity or transport systems could also pose business continuity challenges for banks and insurers.

Sanctions and money laundering
Economic sanctions are growing in popularity as a tool of foreign policy – the lists maintained by the European Union, the US Treasury Department and others of people and bodies subject to sanctions such as asset freezes are growing ever longer.

Sanctions evasion – and the broader problem of money-laundering – will be a key issue for banks in 2012.

The uprisings in the Middle East throughout this year have raised awareness of money-laundering issues, and although governments have now fallen in Tunisia, Egypt and Libya, the Syrian and Iranian regimes are still subject to multiple international sanctions. The collapse of sanctioned governments might also reveal unwelcome details of how former regime members were evading sanctions.

“Money laundering is a perennial issue,” Turecek comments, “but the regulatory environment has got much tighter. There are not so many offshore havens. Various governments are tracking the banks’ watch lists – they are growing fast, so banks will have to work hard to maintain and update them.”

This year has seen two UK banks facing FSA enforcement efforts after their anti-money laundering (AML) policies were found to be inadequate – as with the UK Bribery Act, this might signal a shift in regulatory emphasis towards reprimanding institutions for weak safeguards as much as for actual individual instances of wrongdoing. ‘Know your customer’ procedures will come under increasing scrutiny in 2012.

“We’ve seen an increase in regulatory enforcement – the UK Bribery Act, and increased efforts by the US Securities and Exchange Commission and Department of Justice aimed at corporations and financial services. Finance is a high-profile, easy target for regulation and increased enforcement – it’s in the spotlight,” Turecek says.

Reputational risk
Bank failure represents one extreme of reputational risk. The self-fulfilling prophecy of a bank run or a liquidity crunch – its equivalent on the wholesale funding market – is an example of how quickly a damaged reputation can bring down an institution. But any operational risk failure can have reputational effects. The question for operational risk managers, as discussions at this year’s OpRisk conferences showed, is how and if these effects can be managed. Speakers at OpRisk Asia in Singapore in June asserted that reputational risk can be managed but not modelled – the process of reputational damage is too difficult to reproduce.

The ‘Occupy movement’ protests highlight that the reputation of the financial industry as a whole is about as poor as it has been in living memory – and also give an insight into the effect of protest organising tools, in particular social media software and online petition sites. Boycotts and consumer action spread further faster now than ever – the experiences of the UK newspaper the News of the World, which shut down in the face of a boycott of advertisers, and the rapid reversal of Bank of America’s decision to impose a $5 debit card fee, show the power of modern organised consumers. While reputational risk remains largely imponderable, it’s still set to become more important in 2012.

Political risk
The US and France both face general elections in 2012. And in the US in particular, a change of government could mean significant shifts in policy. For example, the Dodd-Frank Act included a provision setting up the Consumer Financial Protection Bureau. Republicans in Congress have mounted a sustained delaying action against this aspect of the Act, to the point where one of its architects, academic Elizabeth Warren, has given up hope of being confirmed as its first director and is now running for the Senate. A Republican victory in the 2012 presidential election could mean the abolition of the CFPB before it is even off the ground, comments one US political insider.

In a more general sense, political risk covers the uncertainty surrounding implementation of new regulations – but it will also include the actions of national governments that are now, as a result of the crisis and bailout efforts, more actively involved in the financial industry than they have been in decades. To take another example, whether Greece – and other countries – leave the eurozone is ultimately a political decision, but dealing with the break-up of the eurozone and the emergence of one or several new currencies would be an operational risk challenge on an unimaginable scale. The willingness of various national governments to intervene to shore up failing banks, rein in the financial industry, preserve the euro or stimulate economic growth is one of the biggest and most momentous unknowns of 2012.

Operational risk best practice will be discussed at OpRisk Europe on June 11-14 in London. For more information and details about attending visit opriskeurope.com
