The threat of cyber-led IT disruption dropped from top spot among global systemically important banks (G-Sibs) in this year’s Top 10 Op Risks survey – perhaps as a consequence of a co-ordinated action from law enforcement to tackle the perpetrators of high-profile ransomware attacks.
It may also be down to big banks’ growing confidence in their ability to measure, monitor and mitigate outages when they inevitably occur: our follow-up Op Risk Benchmarking survey finds banks retooling their models, revamping key risk indicator (KRI) and control frameworks, automating processes and speeding up cloud migration. Others are considering taking out cyber insurance, if they haven’t already.
IT disruption
Top 10 rank: 2
G-Sib rank: 2
Number of benchmarking respondents: 9
To a degree, this is visible in the numbers: whereas last year four banks said they had breached their appetite for information security and cyber-led IT disruption, only one does this year.
Risk.net has also included responses from its new ‘rate it’ question, which asks banks to gauge how confident they are in each aspect of their frameworks as applied to a given op risk. As with other categories, there is variability in responses, with some banks ranking various aspects of their frameworks at 5 out of 5 – “extremely confident” – and some as low as 2 out of 5, one notch up from “not at all confident”.
Expressions of high confidence surprise managers at rival banks, where cyber risk is concerned: “I think that’s a little bit of a lack of situational awareness,” says a senior risk manager at G-Sib 12, a US universal bank. “Especially in cyber security, if you think you’re a five out of five, you’re the next victim. You always have to err on the side of caution.” The manager explains that the threat from cyber-led IT disruption evolves so fast that any complacency in risk management can leave a bank exposed.
As July’s global IT outage showed, disruptions remain an inevitability – even when they stem from the very tooling meant to keep out malicious actors. Only one bank that responded to the survey, G-Sib 7, explicitly mentions using CrowdStrike, although it is clear from widespread media reports in the wake of the vendor’s outage – the result of a faulty content update pushed to its Falcon endpoint sensor, rather than a conventional patch release – that several of the banks represented in the survey are customers.
Risk appetite and mitigation
All eight G-Sibs responding to this section say they make use of KRIs when setting risk appetite for IT disruption. Six of them also produce qualitative risk appetite statements, while half also rely on the outputs from scenarios showing the impacts of disruption. G-Sib 8 says it factors in its risk and control assessment outcomes. G-Sib 14 does not formally set risk appetite.
Three banks – G-Sibs 3, 8 and 14 – say they have modified products and/or services in order to reduce exposure to the threat of disruption, while G-Sib 3 says it has also withdrawn certain products or services, although it does not specify which.
Asked whether they have changed any other elements of business strategy to reduce exposure, G-Sib 3 says it has worked on “automation of processes, cloud adoption and global IT platforms”. Similarly, G-Sib 14 has focused on “automation, strengthening builds” and controls around software releases.
Regarding insurance for losses specific to cyber-induced outages, four of the seven G-Sibs responding to this question say they do not take out specific cover, although one says it is considering doing so. Two insured banks say they have renewed coverage in line with the previous year’s policy, but at “somewhat higher” cost. Neither had claimed on it in the preceding 12 months.
“We are looking into whether or not we will get a cyber insurance,” says a senior risk manager at G-Sib 9, a European bank.
Benchmarking brief: One veteran op risk manager calls the humble process of risk-appetite-setting the foundation of any sound op risk framework: “Everything starts with that.”
The structure of this section in the survey is much the same this year versus last year. One change is to remove questions around risk data aggregation, which proved difficult to answer for multinational G-Sibs operating on six continents.
One such bank is G-Sib 12, a large US multinational. The firm is in the process of reformulating its risk appetite statement – a multi-year process that has also involved retooling the basic building blocks used to inform whether it is in or out of appetite, including relevant KRIs and controls.
“There are [now] actually risk appetite metrics specifically for unplanned system disruption over a certain time period … if there’s a successful cyber attack [leading to] an interruption,” says the bank’s senior risk manager.
The journey has been a long one, they add, from what was previously a purely qualitative risk appetite statement: “It jumped out at me that the narrative was not really about risk. It was regurgitating what the first line was doing without any contact.”
Now, the bank keeps track of the number of IT incidents that occur, whether this figure has increased or decreased over the same period in the prior year, what the trend is over a three-year period, and which incidents have a financial impact.
That echoes the changes G-Sib 5 says it is introducing to its appetite-setting approach, in making better use of data from its risk and control assessments, to enable management to come to a more informed decision when declaring itself in or out of appetite.
G-Sib 12’s senior risk manager says: “When you’re talking about operational or non-financial risk, the management of your tech and cyber environment has to result in positive outcomes. If there’s a massive financial impact because of operational incidents related to systems, you’re not doing a good job. It’s all about linking the performance of technology and cyber to the operational risks in a tangible way that that leadership can understand.”
Key risk indicators
The largest banks take a broadly similar approach to the KRIs they use to monitor exposure to cyber-led IT disruption, this year’s survey reveals. Perhaps this shouldn’t be a surprise, given how universal the risk is.
Among the common threads, a majority of banks prioritise keeping systems up and running, with some – such as G-Sib 9, a corporate and consumer-focused bank – splitting the focus between core systems and customer-facing platforms. G-Sib 9 is also the only bank to explicitly mention impact tolerances for critical business services, a core requirement under regulatory operational resilience frameworks such as the UK’s, which oblige firms to set and test a maximum tolerable disruption for each important business service.
Three banks also track how many disruptive incidents occur and how material their impact is. As well as tracking the symptoms, most banks also try to measure their ability to recover.
Several cite disaster-recovery targets: G-Sib 14, for instance, notes both the number of “major” disruption incidents and the number of those that in turn miss recovery targets, while G-Sib 9 notes “continue scores” from disaster recovery and business continuity planning. G-Sib 12 mentions “crisis management failure”.
These aside, other responses are more disparate: G-Sib 3 – a large European-headquartered multinational bank – is the only bank that refers to monitoring scores from controls, as well as systems obsolescence. G-Sib 7, meanwhile, chooses to track issues affecting third parties among its top KRIs.
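The KRIs the banks describe above – incident counts against the prior year and over a three-year window, incidents with a financial impact, major incidents, and major incidents that miss their recovery target – are all derivable from a single incident register. The following is an added example, not code from any surveyed bank: the register fields, the appetite thresholds and the sample incidents are all constructed for illustration.

```python
"""Derive IT-disruption KRIs from an incident register and test them against appetite.

Added example, not any bank's tooling. The register layout, the appetite
thresholds and the sample incidents are assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    occurred: date
    duration_min: int        # observed outage duration in minutes
    rto_min: int             # recovery time objective of the affected service
    major: bool              # classified as a "major" disruption
    financial_impact: float  # realised loss in currency units, 0.0 if none


# Constructed sample register (not real data).
REGISTER = [
    Incident(date(2022, 3, 4), 45, 60, False, 0.0),
    Incident(date(2022, 9, 18), 300, 120, True, 250_000.0),
    Incident(date(2023, 1, 7), 30, 60, False, 0.0),
    Incident(date(2023, 6, 21), 200, 120, True, 0.0),
    Incident(date(2023, 11, 2), 90, 60, True, 40_000.0),
    Incident(date(2024, 2, 14), 20, 60, False, 0.0),
    Incident(date(2024, 5, 30), 480, 240, True, 1_200_000.0),
    Incident(date(2024, 8, 9), 15, 30, False, 0.0),
    Incident(date(2024, 10, 1), 130, 120, True, 0.0),
]

# Assumed appetite thresholds: a KRI above its limit puts the bank out of appetite.
APPETITE = {
    "major_incidents": 3,
    "major_missing_rto": 1,
    "total_loss": 1_000_000.0,
}


def kris(register, year):
    """Return the KRI set for one calendar year.

    Covers: incident count, change against the prior year, three-year count
    trend, incidents with a financial impact, major incidents, and major
    incidents whose outage outlasted the service's RTO.
    """
    by_year = Counter(i.occurred.year for i in register)
    this_year = [i for i in register if i.occurred.year == year]
    counts_3y = [by_year[y] for y in range(year - 2, year + 1)]
    if counts_3y[0] < counts_3y[1] < counts_3y[2]:
        trend = "rising"
    elif counts_3y[0] > counts_3y[1] > counts_3y[2]:
        trend = "falling"
    else:
        trend = "mixed"
    major = [i for i in this_year if i.major]
    return {
        "incidents": len(this_year),
        "yoy_change": len(this_year) - by_year[year - 1],
        "three_year_counts": counts_3y,
        "three_year_trend": trend,
        "with_financial_impact": sum(1 for i in this_year if i.financial_impact > 0),
        "major_incidents": len(major),
        "major_missing_rto": sum(1 for i in major if i.duration_min > i.rto_min),
        "total_loss": sum(i.financial_impact for i in this_year),
    }


def appetite_breaches(metrics, appetite=APPETITE):
    """Names of the KRIs whose value exceeds the (assumed) appetite limit."""
    return sorted(k for k, limit in appetite.items() if metrics[k] > limit)


if __name__ == "__main__":
    for year in (2023, 2024):
        m = kris(REGISTER, year)
        print(year, m, "breaches:", appetite_breaches(m))
```

Note that the RTO-miss KRI is computed per incident against the RTO of the service actually affected, not against a single bank-wide target; that is what lets a short outage on a tightly-scoped service register as a miss while a longer outage elsewhere does not.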
Benchmarking brief: G-Sib 12 is the only bank that claims to have engaged in a soup-to-nuts redo of its KRI and control frameworks this year, for both aspects of cyber risk. That has raised the lender’s collective confidence that its KRIs are providing a proper gauge of exposure, a senior risk manager at the bank says.
There is some variation in how confident banks say they are in their KRI frameworks as applied to IT disruption. A majority rate their confidence at 4 out of 5, but G-Sibs 8 and 9 – both European banks – rate themselves at 3 out of 5. G-Sib 5, the European arm of an Asia-Pacific institution, rates itself at 5 out of 5.
G-Sib 5 says its confidence stems from strict endpoint management. “We have a very, very simple system hierarchy. Globally, we all run off a single common platform, everything is centrally managed by our IT department, which has absolute control over everything,” says a senior risk manager at the firm.
The risk manager adds that the core banking system is ring-fenced. For example, staff who receive emails with attachments must upload the emails to personal email accounts before they can open the attachments.
Risk modelling
A majority of G-Sibs – six out of eight – say they model the threat of IT disruption, with some relying on forward-looking scenario analysis to gauge their exposure. Half of those six – G-Sibs 3, 9 and 14 – also make use of a more rigorous loss distribution approach, while G-Sib 12 specifies a combination of the two.
G-Sib 9 says it uses forward-looking scenario analysis specifically to model the impact of advanced persistent threat attacks. G-Sib 5 says it does not set tolerance.
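The loss distribution approach named above fits a frequency distribution to the annual count of disruptive incidents and a severity distribution to the loss per incident, then convolves them (usually by Monte Carlo) to read off expected loss and tail quantiles. The following is an added example, not any bank's model: the Poisson/lognormal choice and every parameter value are assumptions, chosen only to show the mechanics and why the severity tail, not the mean, drives the capital figure.

```python
"""Frequency/severity Monte Carlo for a loss distribution approach (LDA).

Added example, not any bank's model. Frequency is Poisson (annual count of
disruptive incidents), severity is lognormal (loss per incident); the
parameter values are assumed for illustration. Standard library only.
"""
import math
import random


def poisson(rng, lam):
    """Poisson draw via Knuth's multiplication method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, n_years, seed=1):
    """One aggregate loss per simulated year: sum of `count` lognormal severities."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        count = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return losses


def quantile(values, q):
    """Empirical quantile (upper order statistic), q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1)
    return ordered[max(idx, 0)]


def lda_summary(lam=2.0, mu=11.5, sigma=1.2, n_years=20_000, seed=1):
    """Expected loss, 99% and 99.9% VaR, and unexpected loss (VaR99.9 minus mean)."""
    losses = simulate_annual_losses(lam, mu, sigma, n_years, seed)
    mean = sum(losses) / len(losses)
    var_99 = quantile(losses, 0.99)
    var_999 = quantile(losses, 0.999)
    return {
        "expected_loss": mean,
        "var_99": var_99,
        "var_99_9": var_999,
        "unexpected_loss": var_999 - mean,
    }


def tail_sensitivity(mean_severity=200_000.0, sigmas=(0.8, 1.2, 1.6), **kw):
    """VaR99.9 for several lognormal sigmas holding the mean severity fixed.

    Lognormal mean is exp(mu + sigma^2/2), so mu is solved to keep it constant;
    only the tail shape changes between runs.
    """
    out = {}
    for s in sigmas:
        mu = math.log(mean_severity) - s * s / 2
        out[s] = lda_summary(mu=mu, sigma=s, **kw)["var_99_9"]
    return out


if __name__ == "__main__":
    for k, v in lda_summary().items():
        print(f"{k:>16}: {v:,.0f}")
    print("VaR99.9 by severity sigma (mean severity fixed):", tail_sensitivity())
```

The `tail_sensitivity` run is the point of the block: with the mean loss per incident held constant, the 99.9% quantile rises steeply as the lognormal sigma widens, which is why the model-enhancement work the banks describe concentrates on the “risk factors that influence severity” rather than on frequency.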
In terms of improvements to modelling approaches, several banks say they have made no changes to their models. G-Sib 6 says it has this year “reviewed and enhanced the risk factors that influence [loss] severity, and also enhanced the model structure”.
G-Sib 8 – the only bank which says aggregate losses from this risk type have exceeded tolerance in the past 12 months – says it has also made enhancements to its model this year, with a “stronger focus on industry threat scenarios”. The bank is planning further improvements, including the use of its risk rating grid to better articulate whether it is in or out of appetite, and monitoring its risk and control assessment outcomes.
In terms of other upcoming changes, G-Sib 9 says it will replace its advanced measurement approach with the revised standardised approach for regulatory capital, and an operational risk economic capital model from January 2025.
Benchmarking brief: Despite the pending implementation of the much-delayed Basel III reforms and the switch to the revised standardised approach for calculating op risk capital, most banks responding to this year’s survey say they expect modeller headcount to hold steady. Only G-Sib 14 says it expects the number to decline “somewhat”.
That’s probably because most are still planning to continue using a quantitative approach for calculating Pillar 2 capital and other aspects of op risk measurement for IT disruption after the switch. G-Sibs 8 and 12 say they have not made a decision on this yet.
A senior risk manager at G-Sib 2 says that, while their bank has never modelled its cyber exposure for the purposes of setting capital, it would like to do so in future, after a programme to overhaul its KRI framework in the last two years has meant a large increase in the frequency of loss events that would now be in scope of modellability.
“I do see the use [of risk modelling] expanding. We have a very large team dedicated to model risk management,” they say. “For one thing, we hadn’t creatively thought about all the risks that would be in scope – the known unknowns and the unknown unknowns. We hadn’t really done that work. We [only] knew the first-level problems.”
“I hate to say, it was just too big a programme to get in front of a lot of these things until we solved all this stuff,” they add.
Mini-methodology
This is the second edition of Risk.net’s Op Risk Benchmarking service focused on risk management practices at G-Sibs; a summary of the findings from the 2023 round can be found here.
Each year, we group respondents to our annual Top 10 Op Risks into four cohorts – G-Sibs, other banks, financial market infrastructures, and asset managers & insurers – creating a separate top five list of concerns tailored to each.
We then engage in detailed follow-up surveys for each cohort about how they manage the top five risks selected by their peer group, from staffing to technology, from modelling to reporting. The Op Risk Benchmarking service is built on the findings of those surveys.
The full dataset is only available to participants in the exercise. Premium subscribers have access to the selected highlights and commentary.
Please send any questions or comments, and if you want to participate in the next round, let us know: ORMBenchmarking@risk.net
Editing by Alex Krohn
Copyright Infopro Digital Limited. All rights reserved.