Further losses may be reported as bank refines its methodology, sources say
The biggest op risks for 2019, as chosen by industry practitioners
CFTC chairman says his successor may have to finish regulation
COMMENTARY: Lostway reports
The days are long gone when ‘IT risk’ was a sideline category that barely even featured on the priority lists for operational risk managers. This week, Risk.net published its annual top 10 operational risks survey, and IT-related threats took four of the 10 slots – including the top three. Data compromise, IT disruption and IT failure were first, second and third respectively, with data management featuring in eighth place. And of the others, many had a strong IT flavour. The risks around organisational change often relate to shifts to a new technology platform. The threat of theft and fraud is very largely a cybercrime threat. Third-party risk focuses on cloud providers such as Amazon Web Services.
This represents a success, in some ways. Rather than being sidelined, IT risks are now firmly in the risk manager’s territory, where they belong, and their high ranking – based on our survey of operational risk managers – reflects this relocation. It also follows growing emphasis from regulators and governments on the importance of good IT practice, as displayed through, for example, the EU General Data Protection Regulation.
But it’s also a sign of failure. The banking industry, like the rest of the world, still struggles to come to grips with serious and systemic risks stemming from various forms of IT failure. The losses suffered in headline cyber attacks and IT disruptions continue to grow. Once in the tens of millions, the costs climbed to the hundreds of millions and then into the billions – with incidents such as the NotPetya malware attacks on Maersk and others. Can we expect a $10 billion cyber loss in the next couple of years? Based on the failure of IT risk management around the world in the past decade, why shouldn’t we?
There’s a dangerous assumption that progress is inevitable; that throwing time, money and resources at the problem will always mean a steady – if sometimes slow – march to victory. It isn’t always the case.
Neil Sheehan wrote one of the best accounts of organisational failure in A Bright Shining Lie: John Paul Vann and America in Vietnam. “The post-war American system,” Sheehan noted, “was receptive only to the recording of sunny hours. All reports were by nature progress reports.” US commander Harkins’ weekly report to the Joint Chiefs and Secretary of Defense Robert McNamara, for example, was entitled ‘Headway Report’. He had no ‘Lostway Report’ for a contingency like the US defeat at the battle of Ap Bac in 1963.
IT risks’ steady rise up the Top 10 list is, in its way, a Lostway Report for the operational risk sector; and it will not be the last.
STAT OF THE WEEK
Total credit valuation adjustment capital for the eight US global systemically important banks fell 9% – $1.3 billion – in the last three months of 2018 to $14 billion. Goldman Sachs alone reported a drop of $674 million.
QUOTE OF THE WEEK
“If the central bankers say rates are not moving, it doesn’t really make people want to speculate on rates. I mean, you can have a good day, but then you’ll follow it with 364 very boring ones. It’s not great for the wallet” – senior rates trader