Op risk managers could be Covid long-haulers

New threats sprang from old sources in this year’s Top 10 op risks, belying a big drop in losses

Like many, operational risk managers were glad to see the back of 2020. Unlike most, their worries show few signs of easing. The giant sources of op risk engendered by the coronavirus – opportunistic cyber attacks, creative money laundering and vast new possibilities for internal fraud – aren't going anywhere, even as the world charts a course out of lockdown.

Among broad categories of concern, this year’s Top 10 Op Risks look superficially similar to previous years, with movement between them as expected: conduct and resilience risk have both risen up firms’ agendas, with more esoteric concerns like organisational change and talent risk dropping. Employee wellbeing was the sole new entry – both a welcome sign that managers are taking the human element seriously, and a worrying one that the scale of the problem is big enough to be top of mind.

Yet within each category, risk profiles have changed dramatically in ways that are difficult to predict and impossible to fully track. The threat of IT disruption remains the top collective concern, for instance, but conversations suggest that owes as much to insider threats from disgruntled employees – those on notice or paid leave who still have access to systems and controls, for instance, or sensitive data – as it does longstanding worries over outages and overloads.

And perhaps counterintuitively, the trend in op risk losses has been falling since the pandemic erupted, along with attendant capital numbers – 2020 marked a post-crisis low in both frequency and severity of losses, according to data from ORX News.

When might the increased array of threats firms face in the work-from-home era crystallise as loss events? That all depends. When modelling losses, firms tend to divide events between those stemming from conduct-related issues, and everything else. In part this is due to the difficulty of modelling the former, given it is skewed by infrequent, but catastrophically large losses.

But conduct losses are also a slow burn: fines for mis-selling, market manipulation and most forms of internal fraud take a long time to come to light, then hang around like a yoke on the neck for far longer – perhaps forever, in reputational terms.

“When we model, we assume that most conduct losses will show a three-to-five-year lag – whereas normal, transaction-style losses will appear within a one-year window. One year into Covid, we've not seen any transaction losses of any real note – so I don’t know whether we will now. But who knows what conduct looks like,” says the head of op risk capital at one European bank.

Covid has also exposed the limitations of point-in-time year-ahead forecasts, including Risk.net's Top 10 Op Risks survey. Few risk managers reported pandemic risk among their top concerns last year – one honest bank admitted to having drawn up a pandemic scenario, before dismissing it as unrealistic. It last appeared in 2013’s Top 10, in the wake of the Asian swine flu epidemic.

So, Risk.net is considering ways to shake up the format of the Top 10 Op Risks going forward, to try and make it more dynamic and informative for readers. What might that look like? A quarterly poll, to see how the main areas of concern for op risks managers evolve over the course of a year? A more granular survey that provides a detailed breakdown of perceived threats? Or a free-form exercise designed to identify emerging risks? 

Let us know your thoughts: send suggestions to Tom.Osborn [at] Risk.net.

 
  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: