#1 IT disruption | #2 Data compromise | #3 Regulatory risk | #4 Theft and fraud | #5 Outsourcing | #6 Mis-selling | #7 Talent risk | #8 Organisational change | #9 Unauthorised trading | #10 Model risk
This year’s top 10 operational risks look a little different to last year’s, but the changes owe less to any seismic shift in the industry’s prioritisation of the threats it faces and more to the way Risk.net has asked it to list them.
As in the past, respondents were asked to select the top operational risks faced by their organisation over the year ahead. This time, however, they were asked to supplement these risks with real-world examples of potential loss events, which were then aggregated and mapped to the taxonomy above, with broad categories broken down and analysed in a separate chapter for each.
The new method has brought a few boundary changes. No, the industry has not collectively decided cyber risk is not a true operational risk; rather, its impact is now considered so all-pervading that it is treated as a causal factor across multiple categories – principally IT disruption, data compromise, and theft and fraud, but also outsourcing – rather than as a wide group in itself.
The aim, simply, is to give readers a better insight into what their peers spend their time worrying about. The knowledge that more practitioners consider loss of functionality from a cyber attack – whether intended to be disabling or not – to be a (marginally) greater threat than that of data compromise or plain old theft should prove valuable to firms, if not exactly comforting.
The effect of asking for specific examples has not seen broad categories being broken up and atomised; instead, some groupings have expanded.
For instance, many practitioners say they now consider the threat of losses from unauthorised trading from rogue algorithms to outweigh that of rogue humans. The growing risk from errant algos, as well as tighter conduct risk regulations clarifying risk managers’ responsibility for overseeing them, sees the two being considered alongside one another for the first time.
The resulting taxonomies may look alien to some firms, but the way in which many banks categorise and manage risks is also changing – nowhere more so than in the realm of operational risk.
Ashley Bacon, chief risk officer at JP Morgan, last year detailed the bank’s approach to grouping emerging exposures into one of six buckets. Non-financial risks dominate most of them. Deutsche Bank, meanwhile, became perhaps the first large global bank to appoint a group-wide head of non-financial risk last year in Balbir Bakhshi.
In the past, some have criticised the survey for focusing on broad categories of risk concern rather than on specific potential loss events. That approach is deliberate. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide. A bare list of specific loss events would be brief and dull, and its value to a broad group of readers as an annual health check severely limited.