Sponsored by MetricStream

This article was paid for by a contributing third party.

Identifying and managing emerging operational risks


THE PANEL

  • Brenda Boultwood, Senior Vice President of Industry Solutions, MetricStream
  • Günther Helbok, Head of Operational Risk, Reputational Risk and Credit Risk Validation and Assessment, Bank Austria
  • Ariane Chapelle, Honorary Reader in Operational Risk at University College London
  • John Sabath, Vice President, Regulatory & Operational Risk, GE Capital

Listen to the MetricStream-sponsored audio webinar, Identifying and managing emerging operational risks

Operational Risk & Regulation: What do you think the biggest, the most important and most potentially damaging emerging risks are for the financial sector?

Brenda Boultwood: The top emerging risk that we’re hearing across the different markets – the US, Europe and Asia – hasn’t changed much in the past year, and even The Economist refers to it as “the criminalisation of business” in a recent issue. It’s the pace of regulatory change and the scope of that change.

The impact on operational risk managers is the interpretations around Basel II: very clear principles have been established. However, every institution must interpret what is the right way to approach that. In addition, at least in the US, under Dodd-Frank we have the emergence of the CFTC [US Commodity Futures Trading Commission], which is now overseeing consumer risks. We also have requirements around capital assessment, stress testing, CCAR [Comprehensive Capital Assessment Review] assessments, as well as FFIEC [Federal Financial Institutions Examination Council] guidelines on the management of third-party risks.

That is really shaping what operational risk managers are looking at in terms of emerging effects. You still have your standard operational risks such as new products, new markets, the impact of social media and cybersecurity concerns. But the pace of regulatory change still stands out as number one in what we’re doing.

Operational Risk & Regulation: In a lot of cases, you’ve got tight deadlines, the risk of high penalties for compliance failures and uncertainty about the exact requirements these new legislations and regulations will bring into place. That’s a killer combination.

Günther Helbok: Cyber risk and IT-related risks are on the top of our list of concerns, also looking at outsourcing in particular. I agree the regulatory changes are something that we have to put a lot of effort in to follow, especially as, in Europe, we also have regulation moving through the European Central Bank and we will have new players, new people and processes in place there shortly. So this is also a major concern for us.

Operational Risk & Regulation: As you say, there are new regulators, new agencies and new parts of governments that are taking it on themselves to intervene in the financial sector. Essentially, you’re dealing with people whose priorities and whose methods of operation you aren’t necessarily familiar with.

So far we have regulatory risk, new products, the risk associated with outsourcing and new markets and cyber risk in general. What else would you put on that list?

Ariane Chapelle: I agree with all the usual suspects that you mentioned. I think on that list would be whatever is specific to an organisation in that there is no unique answer. I can think of international compliance for international companies, managing growth for high-speed-growth clients, emerging exchanges, financial services companies. So, whatever is specific to the business, because the classic emerging risks everybody looks at and is more specific to you in looking internally.

So that’s one thing. Another remark, commenting on what Brenda and Günther said about the complexity and the pace of change of compliance, I fully agree with their diagnoses. However, I’d like to point out to the regulator that this might have the potential reverse effect of diverting a lot of resources in risk management and senior management attention and resources towards regulatory compliance rather than the real risks: cyber, outsourcing, pace of change, and technological evolution like social media and IT.

Operational Risk & Regulation: Let’s talk about how people in the field – practitioners, managers of operational risk at banks and other financial institutions – how they should go about identifying emerging risks. This is a core part of their jobs, not just dealing with the risks they’re aware of and that they have loss history for, but identifying what they should be starting to worry about now in advance of the first losses coming through the gate. How do you do that?

Brenda Boultwood: We see a variety of techniques that are used to identify emerging risks. This is probably the area where we’ve seen the most progress in terms of risk methodology. Today, we are seeing a variety of resources deployed. One common tool is surveys. These can be formal, such as surveys executed through email, or they might just be meetings held between risk management, business and other functional heads. We’re trying to get closest to where the risk is taken as their first line of defence, and to focus on the new products, the new markets, trends and customer demands, as well as compliance requirements. Through a survey mechanism we’re getting them to talk about what specifically is affecting their business.

For some companies this can come through a robust Risk and Control Self-Assessment (RCSA), where assessment of the emerging risks is built into the self-assessment. Also, leveraging the assessments that are done in other functional areas – making sure risk management is closely tied to the compliance risk or audit risk assessments, and ensuring they benefit from those diverse assessments.

Also, for example, as the IT team perform their application assessments, assessments of data centres and of vendors, what really hits the radar screen in terms of their perspective on risk.

We also see some companies going through a kind of formal annual emerging risk assessment by survey or by interviews, perhaps taking place in some form of risk committee.

Those are examples of ways that companies are trying to get at this topic of emerging risks to make sure that, from a governance perspective, not only are they able to talk about risks we see in the current environment affecting current business processes but also those that might be one or two years off. Capturing some form of impact of those, as well as the speed and weight of change, and how quickly it might become a risk affecting our businesses.

Operational Risk & Regulation: So, you have the options of a formal annual process, or possibly more frequent processes of identifying emerging risks or rolling it into your other RCSA processes, your other processes of risk identification and risk management.

Günther Helbok: Our bank started its performance surveys more than two or three years ago. However, we found it increasingly difficult because a survey is good for getting a feeling of where risks are but if you don’t push people to quantify, then with emerging risks you can lose traction afterwards. We have recently done that, and we are now trying to integrate and specifically ask for emerging risks when we ask our business to assess the worst-case scenarios that could occur within the bank.

We ask them to identify not only based on the experience that we have, but also on where they see these risks to the bank in the future, and to quantify those emerging risks they deem to be most critical to the bank.

We are in the middle of the process and we have some preliminary results, which are quite good, where businesses are starting to be willing to put a number onto emerging risks we face. In turn, that allows us to think about actions, maybe insurance or other management or remedial actions, that we could possibly take to ensure we limit the exposure to those risks.

Operational Risk & Regulation: So, there has to be an explicit process, because the problem with any form of emerging risk management is that people are psychologically limited. When they predict the future there is always going to be a tendency to assume the future will be much like the past. Emerging risk is the antithesis of this, so you need something to counterbalance that psychological weakness. What are the best sources of information that we should be using to identify these emerging risks?

Ariane Chapelle: There are three practices that I see and like:

  • the emerging risk committee;
  • the top-down – let’s say executive director level – assessment; and
  • emerging risk as part of scenario analysis.

Emerging risk committees exist in a number of large financial services organisations. They are specialised teams that watch the environment, the media, the press, and the noise being made by the regulator. What is the social media traffic or the technological evolution? Everything you can think of that might affect the business in question.

They give a quarterly report to the risk committee. The benefit of this is that it is thorough. It is a good method for all risk identification – not just emerging risks – and you catch a lot more fish that way. That’s method one.

The second method is a brainstorming practice, with the most senior layer of management in the firm. It is good because it doesn’t take much time and it is excellent in involving senior management in risk thinking and long-horizon thinking.

The third one, and one that the Operational Risk Data Exchange Consortium (ORX) recommends, is in line with their work on scenario analysis. It is ensuring you have an emerging-risk process. It is true for assessment as well, which should be integrated into the scenario analysis process.

ORX sees emerging risk as a subset of the scenario exercise. So the benefit of this is that you have the full economies of scale and it is just a matter of time horizon and maybe preciseness of quantification that you use, whether for scenarios or for emerging risks.

Operational Risk & Regulation: One of the inputs we can use, as Brenda mentioned, would be questionnaires – interviewing people in their business lines. Another would be the output of the RCSA process. Is there a role here for the use of external data sources as well? If so, what kind of sources should we be using?

Brenda Boultwood: ORX is an important source of external loss event information from other financial institutions. The others we hear about are sources such as the Global Operational Loss Database, which provides information about actual losses.

This information will open up discussion. It could be, as Ariane said, through scenario analysis or, as Günther mentioned, through our quantification of the types of risks that might affect us, either in terms of dollar impact or reputation. Are these risks we will try to mitigate or will we deliberately ignore them as something potentially not relevant to our business model?

These external sources of information can be valuable as they are capturing what types of losses have happened at sister institutions, which might indicate areas or gaps in the current risk assessment for an institution using the advanced measurement approach (AMA) or simply trying to enhance its scenarios.

Scenarios can be built as part of a scenario-based capital modelling approach or, for a company not using the AMA, could just be an important operational risk-led exercise to help assess the financial impact and probability of risks. How much attention are we going to give to these risks? What kinds of investments are we going to make to try to control them, even if they haven’t happened at our company but have happened at another organisation?

Operational Risk & Regulation: So a risk that has already been realised at another organisation is a risk that potentially could be an emerging risk at your organisation. From a practitioner’s point of view, what kind of external sources are most valuable in identifying emerging risks?

Günther Helbok: On one hand, we use the ORX news service because it allows us to capture some of the risks that have already occurred at other banks. On the other hand, we try to challenge our business functions to come up with topics that go beyond this data source, risks that haven’t yet materialised to the extent they have been picked up by the news service. So we use that as the main source but we also try to look beyond that.

Ariane Chapelle: External data sources are particularly important to benchmark your own bias. We all agree about the cognitive limitation of the human mind to assess risk.

There are also external sources outside of the strict arena of operational risk for financial institutions, such as the World Economic Forum, which issues a global risk review every year and is cross-sector. The risk management discipline is so advanced and so much more mature in other industries, and it is definitely worth looking at sources outside of financial services.

Operational Risk & Regulation: Where do government organisations fit in? And regulators and central banks? How much work do they do in identifying emerging risks? Are they producing ‘big picture’ information or are they producing more specific advice on threats that could be used to add more granularity to analysis?

Brenda Boultwood: Some of the most innovative practices are coming from regulators outside the US and Europe. For example, the Central Bank of Malaysia has started to accumulate event data, not just loss events but also near misses and things that could have gone wrong, as reported by banks and their jurisdictions. The Bank oversees perhaps 300 banks. It is collecting the typical standard data fields around loss events. If it is a near miss, it specifies the types of data fields for the typical risk event.

The Bank is taking this information and carrying out analytics and some capital modelling. It also gives valuable information back to the regulated entities.

This practice could become something other regulators in other countries do, as a way of checking capital numbers, but also to improve the timeliness of regulator response to events as well as losses.

The US and European regulators do provide valuable guidance. The recent guidance from the Office of the Comptroller of the Currency [OCC] and FFIEC in the US on third-party oversight is one example. It outlined regulatory expectations for banks operating in the US regarding the risks associated with outsourcing agents, how should they be assessed, and the responsibility of the institution doing the outsourcing.

So we do see very useful guidance. Its timeliness is sometimes criticised, but when it does appear it provides valuable information and thoughts about how risk can be managed.

Ariane Chapelle: Institutes in general could do a lot more. In the UK, regulated entities complain about the lack of guidance from the regulator. Hopefully that will be put into question more and changed in the years to come.

There is a disparity in Europe. France or Belgium, for instance, provide a bit more guidance. The US is a good example of more precise guidance from the regulator.

One example of good guidance is from the Bank of Japan (BoJ), around scenario analysis for earthquakes. The assumption is that, if an earthquake occurs in Japan, it will affect all banks in a similar way, so there is no need for each bank to assess its own likelihood and impact individually.

The BoJ put all the banks around the table and ran a scenario analysis quantification exercise for earthquakes and for the main banks in Japan. This is just one example, but it shows the sort of leadership that the national regulator can take.

If a regulator decides not to take that leadership role, it could be filled by institutions or by an operational risk think-tank. It is a role that is on the rise now and much needed for the sector.

Brenda Boultwood: Central banks and regulators are the recipients of such a diverse set of information and have an opportunity to prepare guidance, whether on types of losses incurred or scenarios that all the banks in their jurisdiction should be considering. Such guidance is looked at very favourably by banks because there are so many principles that they have to interpret.

Günther Helbok: I have not seen much coming from the regulator I mostly deal with. It looks at specific risks we face from foreign exchange loans, for example, assessing the concrete risks we already face and asking for additional analysis. But I do not see any direct input into emerging and forward-looking risks from the regulator’s side.

Operational Risk & Regulation: We’ve talked about AMA compliance, regulatory compliance in general, vendor risk, outsourcing risk, new products and cyber risk as some of the headlines. But there are others, one of which is people risk and specifically the loss of key employees. Is that a significant risk and does it qualify as an emerging risk?

Brenda Boultwood: People risk has always been considered an important current operational risk. Depending on how you define it, it could be whether people are receiving adequate training or whether the processes they operate within are well documented. You could look at specific attrition rates within business and whether they are at expected levels or whether something is causing those rates of attrition to go up.

They are part of every company’s assessment of current operational risk. But in certain markets you could point to some location-specific drivers of emerging risks that might look, two years from today, a little different from current people risks. For example, in Singapore there has been growth in demand for skilled labour in the financial services sector combined with a government-offered incentive to attract financial institutions to that area. Are they able to keep pace with the type of talent that is required to land these enormous divisions of multinational banks?

Brenda Boultwood: From my perspective, I would see people risk as a stable risk. We do, however, see key personnel starting to move towards Frankfurt to join the new regulatory bodies. This is a move we welcome, to have key people there with experience from the banking industry. But otherwise I would see this not as an emerging risk but as an ongoing item.

Ariane Chapelle: Maybe people risk is not an emerging risk, but it is definitely talked about more, especially in the UK. That together with risk appetite, these are the topics that are most in demand.

You could argue that it is more talked about because jobs are getting complex or more specialised. Take cyber security, IT development, change in technology and social media – we are evolving in a world that requires a lot more specific knowledge, and that might make a need for more acute capacities and skills.

I fully agree on the need for mitigation techniques: cross-training, adequate training and adequate documentation of the processes.

Operational Risk & Regulation: Another risk that has received a lot of attention is geopolitical risk – international political tensions and the risks affecting the financial industry from that. Does this qualify as an emerging risk and, if so, what kind of precautionary measures can banks be taking against it?

Brenda Boultwood: Perhaps what highlights the importance of this risk most is the fact that many airlines have enterprise risk management departments. In their case it is a matter of life and death, and many large airlines in their enterprise risk programmes will regularly assess geopolitical risks. Certain large airlines made decisions about not flying over areas such as Ukraine in conflict.

Other, smaller, airlines that perhaps did not have adequate resources were not able to perform such a regular formal process around geopolitical and country risks. They continued to fly their normal routes, potentially because the risks were not highlighted. And there were tragic consequences.

Hopefully we’ll see some change soon about the sharing of risk assessments and best practices around emerging risk assessments. In financial services we don’t have such life or death consequences, but it does highlight the importance of the assessment of geopolitical risk. Not just doing the risk assessment but taking action and bringing it to the attention of management, forcing decisions to be made that can have big consequences on the cost structure of the company.

It is important to make sure geopolitical and country risks are regularly assessed and are part of, if not the current risk assessment, then the assessment of emerging risks.

Operational Risk & Regulation: Looking at gaining the attention of senior management, what is the best way to ensure emerging risks are taken seriously?

Günther Helbok: We still struggle to achieve this, and we have only had a few instances where people in the business have been willing to think about such events. If they are responsive, then we have usually been successful in convincing them to bring them up with the management and to also think about measures.

We have other areas in the bank where people are not so receptive to hearing about these risks and mitigation approaches, and they have simply dismissed them as not so relevant.

We are at the stage of development where it depends on individual people and their willingness to think out of the box, to take new ideas on board and to think about emerging risk. In some areas this works and in others we are really still struggling.

Ariane Chapelle: Just a word on geopolitical risk and climate change: they’re global, and you can put pandemics in that category as well. I slightly disagree with what is being said in the sense that they are taken on board by management when you have a global organisation, when you have operations or vendors on multiple continents. For example, I had a client who had a vendor in the Philippines and a fourth party in New York. When Hurricane Sandy hit New York, the fourth party disrupted the whole operation, and the client was shocked because they didn’t anticipate that.

Going back to outsourcing, organisations with worldwide operations are aware – at least senior management should be and usually are – of the risks of exposure and what to watch.

On the topic of wilful blindness and human resistance to scenarios, we have a very good example in the UK, where we have the issue of misselling Payment Protection Insurance (PPI). The first CEO letter from the Financial Services Authority about PPI, voicing concerns about the product, was in 2005. Some large banks did not stop selling PPI until 2008. That shows you the gap and the length of resistance of management to shut down a product that is so profitable.

There are other examples of wilful blindness, such as in rogue trading, where people were obviously cooking the books but making so much money that their employers hesitated until it was too late.

Profit is definitely a hurdle to recognising emerging risks and their consequences. I’d say political currency also – the political cost of blowing the whistle.

Lastly, there is the cost of change, particularly in areas such as cyber security and data theft. Any IT or cyber specialist can give a pretty frightening speech about how much their data is at risk. Are we ready to make the effort to put our data into something more secure and to implement all the necessary controls? Maybe not always.

It is the same with social media. How do we protect our image or how hopeful are we about the control of our image in the property of our data?

Operational Risk & Regulation: Concentration risk possibly also counts as an emerging risk and is a trend we’re seeing in the industry, where more firms are dependent on a small number of third-party service providers.

This could also include consultancies. If you have a small number of consultants being hired by several different institutions, a lot of different institutions are all receiving similar advice and guidance. This could reduce the diversity of strategies, of ideas, and approaches to business. That is another form of concentration risk – a kind of ideological concentration risk.

Do you see this as a possible threat, another aspect of outsourcing risk?

Ariane Chapelle: I fully agree. A large consultancy firm could spread frameworks and methods all over the industry, either internationally for the biggest ones or even at national levels for the smaller countries.

Something that highlights this issue is that, in the UK, the Prudential Regulation Authority (PRA) recently changed its practice on Section 166, which relates to its skilled person reports. The PRA uses skilled person reports to get an independent view of aspects of a firm's activities that might cause concern. The previous practice was that a firm could choose the skilled person to do the report, and they always chose the same ones because there is confidence in hiring a big name.

But the PRA moved away from this practice because of exactly that – the concentration of risk and the conflict of interest of being the skilled person and after that the consultant. So now there is an approved list of smaller firms and more specialist firms.

Operational Risk & Regulation: Getting back to the process of managing emerging risks, how do you quantify these risks once you have identified them? If you are dealing with risks that do not have a loss history, how do you project the potential impact?

Günther Helbok: We ask our business experts to come up with an estimate of the operational risk gross loss that can occur out of such risks. We look for either a 10-year or 40-year case, so what is the worst case that can happen once every 10 years and once every 40 years?

I’m aware that those are always expert opinions, but nevertheless we also ask the questions in our subset areas. So we get responses from functions in different legal entities and we then cross-check them and ask them the question: “If one legal entity gives X loss to a certain emerging risk and another legal entity gives a very different number, can you imagine where the difference comes from?” We try to validate it to some extent by looking at the answers we’ve received from different legal entities.

Brenda Boultwood: What we’re seeing as the best practice is to try to go, as a source of information, to the area of the business that is potentially affected. They’re closest to the activities, the customers, the technology and the strategy. We should let them assess impact.

Ten and 40 years is quite a range of possibilities for your business people, but if we can get that input, it is really the best we have.

In addition to that we can look at other risk factors: how likely is this to happen or what is the probability, and again getting the business to provide their assessment of likelihood. Velocity could be another factor – how quickly is the likelihood changing?

Then we can get an assessment for some of the qualitative factors, the biggest one being reputation. It may not have a financial impact that we can assess in 10 to 40 years, but can we agree this would be something harmful to the business or the institution? A categorisation is important to take to management for their attention and decisions about whether to further invest and control, or further study the impact of this risk. Part of that study may be hiring external perspectives to bring in a third party view on those potential emerging risks.

We can try to establish a set of risk factors so that even if the business person struggles to articulate a financial impact it is still possible to identify reputation or other qualitative risk factors that might be just as important for the company’s management consideration.

Operational Risk & Regulation: We’re dealing with translating a qualitative judgement/an expert judgement into a quantitative figure that people can use for spending and investment decisions. What should we be watching out for?

Ariane Chapelle: I would be very cautious in, for instance, multiplying probability and impact together as an expected loss for something that is, by definition, unexpected. We all recognise that assessing probabilities of rare events is extremely difficult, if not impossible, to the human mind, even for experts.

We all remember the Malaysian plane that was shot down over Ukraine. If I had asked you two months ago, “What is the likelihood of having a civilian plane shot down and killing 200 people?” you probably would have said, “1/1000, or it is completely impossible.”

We can look at all these biases; it is easy to document that rare events are a lot less rare than we think, and vice versa. You need to be very careful with that, especially if you use a number. And you don’t actually need a number; you just need to know if there is a management response needed for this emerging risk. In risk jargon the question would be, “Are you above or below risk appetite?” In business jargon it is, “Do you need to do something about it?”

If the answer is yes, the required actions range from close monitoring to look at the velocity – that is, the speed of the evolution of the risk – to a bigger risk management response such as dedicating additional resources to mitigation, adding more controls or contingency planning.

My advice would be to leave quantification to only the scenarios that need to be quantified, need to be integrated into your capital, and form more management scenarios. Or for the emerging risk, just answer this simple question, “Do I need to do more than I need to do or not?”

Operational Risk & Regulation: We’ve discussed that the Bank of Japan and the Central Bank of Malaysia have been quite active in this area, looking at industry-wide scenario planning and emerging risks. Are there others that have also been particularly active?

Brenda Boultwood: Perhaps there has been a reaction to incidents such as what we have seen in the automotive industry, where information known about supplier parts might not have been shared and escalated. In one case, the company was under litigation and was able to quantify, based on the size of the litigation and the prospect of continued litigation. Yet this information was not raised for a management response so no action was taken.

Such incidents have raised awareness even outside the automotive industry about the need to look at matters that have been raised to the legal department by customers or a customer complaint hotline. In fact this is becoming a Consumer Financial Protection Bureau [CFPB] requirement – that customer complaints in a consumer bank are integrated into its operational risk assessments and inform the assessment of risk in the business process. So we’re considering customers as a key stakeholder.

So information in some cases is quantified by litigation, and in other cases there might just be the need to spot trends in a series of customer complaints to know whether there is an issue that risk needs to consider, either emerging or even in the current environment but not previously been identified.

Günther Helbok: What I am more worried about is those risks that we saw in our banks two or three years ago and that we believe we managed well, that we have closed and have since implemented all the necessary measures we could possibly do. But we change our processes and then those risks re-emerge in a few years’ time.

I am also worried about the risks we believe we have under control but which also have to be considered as newly emerging risks, in maybe a slightly different form. I’m worried about the complacency we might have in our institutions towards the risks we believe are fully under control – they might actually be emerging risks that we have to actively consider.

Operational Risk & Regulation: Yes, until now we have been focusing all our attention on the ‘unknown unknowns’, but we should also ensure we are paying attention to the ‘unknown knowns’, that is, the risks we know about but no longer consider a problem.

You only have to look at recent history to see that a lot of the risks that have popped up once will pop up again and again, even though everyone says, “Yes we’ve learnt from this instance. We put precautions in place. It could never happen again.” In a way, “It could never happen again” is almost as fatal a phrase to hear as, “It could never happen”, because we could all point to a lot of incidents where very similar losses have occurred again and again.

What are the areas where we are most likely to be missing in emerging risks?

Ariane Chapelle: That is close to an impossible question. In general, we cannot see around the corner at all, by definition. Can we look into long-term trends? Not always, invariably still so. It is so hard to tell.

There is the issue of what is commonly referred to as wilful blindness. What are the risks we are not willing to see? We all know we have a selective side on this.

The risks that are likely to hit us the most are those that happen in the most profitable parts of the business, because the money and profits made are blinding us. Those would be the parts I would look at. Also, as operational risk managers, we know that money flows in transactions are one of the large operational risk drivers, so I would watch the most profitable part of the business.

I would also look at the effort to change. The risks that need the largest organisational change, or even technical change, are the potentially most dangerous risks because these are the ones we might be less willing to tackle.

Brenda Boultwood: If we challenge ourselves to think about what we hold as sacred, it is often related to our strategy. What do we assume is going to be true about the products we sell, the markets we are in, the technology we use, or the level of government regulation, for example? If you think of those four pillars – products, markets, technology and government – we can challenge ourselves by asking: “What do we hold as sacred?”

In the financial services we’ve started to ask ourselves questions such as: “What if customers, in 20 years, never use a branch? What if they just never use the bricks and mortar we’ve invested in? What is banking going to look like?”

Or in energy: “What if technology changes and we are not going to rely on big energy production plants but instead have neighbourhood generation of solar, geothermal and other types of electricity?”

If we just question the fundamental assumptions in our strategy, we are likely to find quite a few emerging risks that haven’t been considered.
