
The top 10 op risks – a field guide
Survey should be read as industrywide attempt to relay and share worries anonymously
Click on category for full analysis
\#1 IT disruption | \#2 Data compromise | \#3 Regulatory risk | \#4 Theft and fraud | \#5 Outsourcing | \#6 Mis-selling | \#7 Talent risk | \#8 Organisational change | \#9 Unauthorised trading | \#10 Model risk
This year’s top 10 operational risks look a little different to last year’s, but the changes owe less to any seismic shift in the industry’s prioritisation of the threats it faces and more to the way Risk.net has asked it to list them.
As in the past, respondents were asked to select the top operational risks faced by their organisation over the year ahead. This time, however, they were asked to supplement these risks with real-world examples of potential loss events, which were then aggregated and mapped to the taxonomy above, with broad categories broken down and analysed in a separate chapter for each.
The new method has brought a few boundary changes. No, the industry has not collectively decided cyber risk is not a true operational risk; rather, its impact is now considered so all-pervading that it is treated as a causal factor across multiple categories – principally IT disruption, data compromise, and theft and fraud, but also outsourcing – rather than as a wide group in itself.
The aim, simply, is to give readers a better insight into what their peers spend their time worrying about. The knowledge that more practitioners consider loss of functionality from a cyber attack – whether intended to be disabling or not – to be a (marginally) greater threat than that of data compromise or plain old theft should prove valuable to firms, if not exactly comforting.
The effect of asking for specific examples has not seen broad categories being broken up and atomised; instead, some groupings have expanded.
The resulting taxonomies may look alien to some firms, but the way in which many banks categorise and manage risks is also changing
For instance, many practitioners say they now consider the threat of losses from unauthorised trading from rogue algorithms to outweigh that of rogue humans. The growing risk from errant algos, as well as tighter conduct risk regulations clarifying risk managers’ responsibility for overseeing them, sees the two being considered alongside one another for the first time.
The resulting taxonomies may look alien to some firms, but the way in which many banks categorise and manage risks is also changing – nowhere more so than in the realm of operational risk.
Ashley Bacon, chief risk officer at JP Morgan, last year detailed the bank’s approach to grouping emerging exposures into one of six buckets. Non-financial risks dominate most of them. Deutsche Bank, meanwhile, became perhaps the first large global bank to appoint a group-wide head of non-financial risk last year in Balbir Bakhshi.
In the past, some have criticised the survey for choosing to focus on broad categories of risk concern, rather than specific potential loss events. That approach is deliberate. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide. Such a list would be brief and dull, with its value to a broad group of readers as an annual health check severely limited.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Our take
Living with SA-CCR, one year on
Collateral agreements and FX futures may be some of the ways to tackle increased capital costs
GFXC to entice buy-side code adoption with ESG tie-ups
Rating agency partnerships would link FX code adoption to ESG scores
Clock ticking on UK plan for regulatory reforms
Changes to SMCR and short-selling rules least likely to be completed before next election
How did EU regulators miss the FTX horror story?
Gruesome accounting practices and a questionable cast: plenty of grounds to reject Mifid licence
ARRC’s trivial fight over term SOFR use
Toyota’s ABS deal should not derail effort to expand use of term rate in derivatives
What happens when a bank drops off the systemic risk radar?
Russia’s Sberbank skipped this year’s G-Sib assessment. But just because a bank is invisible doesn’t mean it no longer poses a risk
Degree of influence 2022: in the grip of volatility
Rough volatility, liquidity and trade execution were quants’ top priorities this year
China congress brings new risks to foreign bank JVs
New political risks add to existing challenges for fully controlled ventures in the country