Op risk survey shows the insidious effects of political risk

Rise in geopolitical turmoil drives other risk factors, suggests a network analysis of 2017's survey

House of cards
Will Britain's exit from the EU cause a chain reaction of other consequences?

Free content: Rise in geopolitical turmoil drives other risk factors, suggests a network analysis of 2017's survey

Ariane Chapelle is honorary reader in operational risk at University College London and the director of Chapelle Consulting, a UK-based risk management advisory firm

View top 10 operational risks 2017: now free

Top 10 table

There are decades where nothing happens, and there are weeks where decades happen, Lenin once observed. A steep rise in uncertainty and instability in the global political order following the UK's vote to leave the European Union and the election of Donald Trump as US president have certainly spurred a mini-revolution in the ranking of the top 10 operational risks this year, top spot notwithstanding.

The world will be dealing with the consequences of both events for years to come. But op risk managers don't have the luxury of time when it comes to making sense of such events; they need to start incorporating them into their risk frameworks straightaway.

Brexit and Trump's election pose challenges for practitioners because they cut across such a broad array of risk factors. One way of informing decision-making, instead of looking at risks in isolation, is to use network theory to see how they inform one another.

The figure below proposes one network view of the top 10 risks for 2017, where the arrows represent the possible or likely driving relationships between risks.

The most obvious finding is the pivotal role of geopolitical risk. Political changes, Brexit especially, will almost certainly trigger or accelerate organisational restructuring for many banks and other companies, with forced relocations of staff and the establishment of new operations within the European Union already in train.

One obvious example of interconnectedness is the perceived rise in outsourcing risk, which jumps to third position overall this year. Banks considering shifting staff and operations out of London to the eurozone must be alive to the idiosyncratic risks – from internal and external sources – this can open them up to.

Top 10 op risk linkages

Other forms of geopolitical risk, whether trends in immigration, escalations in extremism or political violence, are also a driver of attacks, both physical and cyber. Ill-chosen outsourcers, a possible rise in IT failures and internal fraud are all possible causes of data security breaches.

This network view underlines the necessity for boards and chief risk officers to monitor the political and business environment carefully for potential repercussions within their own firms. The best risk managers will be formulating adaptive strategies already. Studies have demonstrated the quality of risk management is positively correlated within firms: if a bank has a strong op risk framework, it will tend to be a good manager of market or credit risk too, for instance.

If this year's top 10 list and its evolution over time paints an interesting picture of the overall worries and concerns in the financial industry, linking these risks with their likely interconnections shows us another layer.

The op risk network is essentially split into two poles: an overtly operational pole that includes geopolitical, organisational and IT security risk, and a regulatory pole gathering the risks of regulatory changes, sanctions, capital hikes and conduct fines.

Our analysis did not find many strong relationships between regulatory risks and others in the top 10, though there were links with conduct risk and fraud through internal controls weaknesses.

Risks of non-compliance, whether driven by a failure to implement or adapt to regulatory changes (#2), misconduct (#5) or sanction breaches (#8), remain prominent in this year's list compared with last. Overall, however, regulatory risk factors lose ground compared with last year, when they occupied the three top positions after cyber risk. Regulatory fines disappear from the top 10, this time included under regulation risk.

By their nature, different types of regulatory risks are interconnected: conduct risk is connected with fraud, and is a driver of regulatory non-compliance and fines – as are breaches of anti-money laundering (AML) controls, counter-terrorist financing (CTF) and sanctions avoidance.

Cyber risk, unsurprisingly, remains in pole position, with the taxonomy extended this year to encompass data protection. In a world where almost all information, data and money are online, cyber security is likely to be the top priority for all financial organisations, just as security of bank branches and physical safes were in the last century. The conduit has changed, but the need for protection against crime has not.

However, cyber security risk, most often cited as the number one operational risk for the financial sector, appears much more as a consequence than a cause of other risks, counting multiple drivers as varied as physical attacks, organisational change, outsourcing or fraud. This shows the need for considering data protection and cyber security, not only as a risk in its own right, but also as a function of a good – or bad – risk management strategy across a firm.

NB, the diagram above is subjective, driven in large part by experience of working in risk management in the financial sector over the last two decades. Other judges will draw different links – but I hope the benefits of representing the top risk register affecting firms as a connectivity network, rather than a list of standalone threats, allows the ordering and prioritisation of mitigating actions for a more efficient allocation of risk management resources.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Building resilience into ESG risk management

Risk and resilience continue to play an important role in the navigation of an increasingly uncertain world. Fusion Risk Management explores why it is equally crucial for technology to support organisations in addressing pertinent environmental, social…

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here