In a series of interviews that took place in November and December 2015, Risk.net spoke to chief risk officers, heads of operational risk and other op risk practitioners at financial services firms, including banks, insurers and asset managers. Based on the op risk concerns most frequently selected by those practitioners, we present our ranking of the Top 10 Operational Risks for 2016.
Click to go to section
#10 Regulator fines | #9 Terrorism | #8 IT failure | #7 Recruitment and retention | #6 Outsourcing | #5 Organisational change | #4 AML, CTF and sanctions compliance | #3 Regulation | #2 Conduct risk | #1 Cyber risk
From the mis-selling of subprime mortgages to the manipulation of global foreign exchange markets, regulator fines and legal actions have been a recurring headache for financial firms since the financial crisis.
They have been getting more painful over time. Between 2009 and 2014, the average penalty meted out by the US Securities and Exchange Commission rose by 50%, according to a June 2015 report by Kinetic Partners. During the same period, the average penalty from the US Commodity Futures Trading Commission and UK Financial Conduct Authority (FCA) rose by 772% and 1,815%, respectively.
One of the biggest sources of fines has been the Libor scandal, which has seen banks and brokers pay settlements of close to $9 billion to regulators in relation to the rigging of benchmark interest rates. Another is the manipulation of forex markets. In May 2015, Barclays, Citi, JP Morgan, Royal Bank of Scotland and UBS were forced to pay more than $5.6 billion to UK and US authorities for their part in the scandal. Such mammoth fines have helped bolster firms' focus on conduct risk (#2 in this year's Top 10 Operational Risks).
Nonetheless, there are signs this risk may become less pronounced in the years ahead. After years of growth, the Kinetic Partners report says annual increases in expenditure by global regulators have slowed or reversed since 2013. Fines from the FCA totalled £1.47 billion ($2.1 billion) in 2014, but fell to just £905 million in 2015, according to risk and regulatory technology firm Wolters Kluwer Financial Services.
Mary Stevens, London-based regulatory analysis manager at the firm, thinks 2014 is likely to be a high water mark for fines from the FCA, due in part to the resignation of former chief executive Martin Wheatley in June last year.
"It would appear that we are through the worst, especially against the banking sector," says Stevens. "Wheatley was accused of being too hard on this sector by many as he fought to gain consumer confidence. [UK chancellor] George Osborne is keen to get banks back onside and restore confidence in the market so more foreign investment is attracted."
Op risk practitioners will hope this prediction is proven correct in 2016, although many seem doubtful.
"Looking to the external environment we see that society, clients and regulators are becoming less forgiving regarding missteps of financial institutions and banks in particular. This critical attitude translates into a greater inherent risk profile regarding themes such as product suitability and market abuse."
Diemer Salome (pictured), head of non-financial risk management, Rabobank
"Amid increasing geopolitical tensions worldwide, I see the growing prevalence of both fines and politically influenced regulation as being the biggest threat to banks, particularly those in the western world."
Senior expert in operational risk at a large European bank
Ensuring that employees, buildings and other assets remain safe and defended against the risk of terrorism has once again become a serious concern, say op risk practitioners.
2015 saw a number of so-called 'lone wolf' terrorist attacks carried out by individuals in places such as Ottawa and San Bernardino. Other notable attacks included the shooting of tourists on a beach in Tunisia and the bombing of a Russian airliner over Egypt. Nevertheless, the November 13 Paris attacks proved that a full-scale assault against a major world city remains a salient threat. The killings, which took place as this survey was being carried out, saw 130 people die in a series of bombings and shootings by Islamist extremists across the French capital.
"For most of the last five years, the thinking was that a lot of [terrorism] risk had been mitigated by much more robust counterterrorism measures, by the degradation of al-Qaeda and its global network, and the general turn towards what we've been thinking of as small-scale, lone-wolf terrorism," notes Jonathan Wood, London-based director of global risk analysis at risk consultancy Control Risks.
With the emergence of Islamic State (IS), that calculus has changed, says Wood. Financial firms need to be particularly vigilant about the kind of high-profile attacks that IS seeks to perpetrate, as such attacks are much more likely to be concentrated on large financial centres.
"The transnational threat, the one that is originating from IS, is likely to be much more directed at symbolic or high-profile targets that are calculated to generate the most publicity... That's where the threat of a high-profile attack against a major western city will be of most concern to the financial sector."
"In response to the terrorist attacks in Paris, Nigeria, Tunisia, Ottawa and many others, organisations must re-assess their security postures to ensure the safety of staff and clients. Terrorism, as a threat, is changing as targets are becoming seemingly more random and terrorist acts are being carried out by well-funded organised groups – for example, IS – as well as copycats and lone wolves. It is prudent for organisations to test organisational readiness to respond to such events, and also to assess what measures can be taken to help prevent such catastrophic outcomes."
Iain Wright, head of enterprise and operational risk, Sun Life Financial
"Terrorism is topical, of course. When I was teaching recently, just after the Paris attacks, I said to my class: ‘You can be sure that on the scenario list of every bank you're now going to have terrorist attacks.' That's a reaction to the last headline. Is the risk heightened compared with other years? I don't know whether the risk is heightened compared to other years, but our awareness certainly is, and this is an important step towards prevention."
Ariane Chapelle (pictured), consultant and honorary reader in operational risk, University College London
IT failure is the first of two Top 10 Operational Risks to focus on the drawbacks of technology – something clearly viewed as a double-edged sword by some op risk practitioners.
Whizzy, turbo-charged systems that automate processes from beginning to end are every chief technology officer's dream, but firms say the reality is often very different. Instead, they face a patchwork of disjointed and sometimes incompatible systems that require a heavy dose of manual intervention. An overdependence on these systems and a failure to plan for outages can leave firms in trouble when things go wrong.
"IT risk is an area where we're seeing a lot more activity recently," says Dan McKinney, New York-based leader of the operational risk practice at consultancy EY. "For example, many trading firms have complex electronic trading platforms that process transactions in fractions of a second. Given the velocity of this activity, the risks have become more pronounced."
To mitigate the risks posed by IT breakdowns, practitioners recommend properly identifying critical applications, ensuring those applications have built-in redundancy, making use of remote backups and – ultimately – upgrading systems that are no longer fit for purpose.
"Notably, as technological innovation continues, there is increased reliance on IT systems and operations to deliver financial services. Effective technology risk management is essential to robustly handle potential IT security incidents, system failures, as well as ensuring customer information is protected from unauthorised access or disclosure."
Colin Bell, head of operational risk, UBS
"What seems certain is that our exposure to technology in general has increased. We have these wonderful capabilities of cloud; interconnection of all our devices – this is extremely convenient, but with convenience often comes a risk.
Talking to banks, there are a lot of them that recognise the lack of integration in their systems. Banks have grown and evolved over time and if you look at the banking systems technology-wise, it's more often than not an accumulation of layers of technology and systems that talk to each other with more or less reliability. It is a complicated issue that is very hard to solve. Given the newness of some of these systems, when you add the legacy systems, it creates a very significant risk."
Ariane Chapelle, consultant and honorary reader in operational risk, University College London
Although it is not necessarily a new concern for any industry, the difficulty of recruiting and retaining the right staff is a particular worry for op risk practitioners.
Due to curbs on pay and bonuses in the wake of the financial crisis, firms say it's harder to hang on to the most talented front-office staff, such as star traders and investment managers. Closer to home, op risk practitioners say it has become increasingly difficult to find risk managers. Sources say the pressure is more pronounced in areas including operational risk, credit risk, liquidity risk, regulatory capital and risk governance.
"One of the key reasons is that the intake of graduates seven years ago was limited as part of the cutbacks made in response to the financial crisis, so the talent coming through is harder to find," explains Chad Lawson, London-based associate director of risk and compliance at recruitment consultancy Robert Walters.
The risk of not being able to recruit and retain the right individuals is exacerbated by organisational change (#5 in this year's Top 10 Operational Risks). Some practitioners say it is also becoming more problematic over time, as a younger generation enters the workforce with different career priorities to their forebears.
"People risk is all about having enough people with the right skill-set and the right training, and being able to retain your good people. That's much harder with millennials than it has been historically. The mind-set of millennials and the attitude of millennials just by definition increases your people risk, because they're less likely to stay in the same job for more than five years, they have a very different view about what constitutes work/life balance and they are motivated and incentivised in different ways. If we don't understand that as an organisation – and I don't think we do understand that adequately at the moment – it becomes much harder to have enough of the right people with the right skill-set, corporate memory, training, et cetera."
Head of op risk, large asset manager
"The demand for a very specific [risk management] skill-set is increasing. A growing number of firms are looking for people who can bring real experience, who have been through the cycles, who have learnt the lessons from building frameworks in the past and are able to challenge and engage with regulators. It's actually a small pool and with this increasing demand, we will see significant turnover and the resulting costs [and] disruption.
The more organisations lose people of talent, the harder it is for that risk management discipline to play a leading role, as opposed to being a compliance exercise."
Enda Collins, op risk manager, GE Capital
The use of third-party vendors is pervasive across the financial services industry, introducing risks that must be carefully managed.
Often known as third-party risk, the pitfalls were highlighted in August 2015 when New York-based custodian BNY Mellon suffered a delay in valuing billions of dollars of mutual and exchange-traded funds. The delay was attributed to a third-party valuation system run by risk vendor SunGard, which issued an apology for the snafu.
When it comes to companies' risk controls, Phillip Bray, Charlotte-based principal in the operations risk service network at consultancy KPMG, says outsourced functions are frequently seen as the "weaker links". But regulators are putting pressure on firms to think harder about the risks posed by outsourcing, particularly if those firms are viewed as systemically important.
Dealing with the risk of outsourced vendors means asking, "do we fully understand their information security programme, their business continuity programme, their compliance programme and everything else?" says Jodi Richard, Minneapolis-based chief operational risk officer at US Bank.
More generally, op risk practitioners argue for the use of service-level agreements, key risk indicators and a rigorous monitoring of third parties' own risk controls.
"Third-party risk is largely due to the heightened regulatory focus on the banks. Like many other financial institutions, we have a large number of third-party vendors. Each third party can be very different in their level of activity. As such, a big component of operational risk management is developing third-party risk management programmes. It's not just about the programmes, but it's about really understanding the risk that each relationship provides, and making sure that we understand how our consumer-facing third parties interact with our consumers – as we realise that they're an extension of us, and that we're accountable for these interactions."
Jodi Richard (pictured), chief operational risk officer, US Bank
"Both outsourcing and vendor management have been hot topics for the past several years. It has been an increasing focus of the regulators – certainly on the US side – in terms of how firms risk-manage all of their vendors and outsourcing relationships. Due to the increased focus on the development of recovery and resolution plans, there has been even more of an emphasis on vendors and outsourcing relationships, especially third parties that perform critical processes or functions."
Dan McKinney, leader of operational risk practice, EY
"[Third parties] provide critical applications – for example, fund value calculation, front- and middle-office tech and sub-ledgers – that help us to run our business and ultimately serve our clients, so the risk of these guys falling over is right up there."
Head of operational risk at a hedge fund
In financial services, it seems, change is the only constant. That has been particularly true since the 2008 financial crisis, with many firms undergoing mergers, restructurings, spin-offs and shutdowns of various business lines.
The upheaval and uncertainty that arises from such moves can be debilitating, say op risk practitioners. For example, if firms are restructuring due to diminished revenues, they may face problems retaining talented staff and even an increased risk of fraud. Even if companies are in the happy position of acquiring a major rival, the changes needed are likely to consume resources and distract the attention of senior executives.
The risk of organisational change arises frequently in the context of regulation – for instance, the need to restructure banks to boost their profitability under Basel III minimum capital rules. Firms may yet emerge from such changes leaner, more profitable and more efficient, but in the meantime, they must ensure that good risk management is not compromised.
"[Strategic change] puts additional pressure on the front-office staff to make higher revenue. In my mind, as an operational risk professional, what that tends to do is to push people to do things they wouldn't do otherwise. There's additional risk of market manipulation, market abuse, fraud and collusion with external third parties. We saw this from the UBS [2011 rogue trading] case and in numerous other cases in the US and UK. Because of the increased pressure on the front office to increase revenues, the risk is aggravated."
Rajat Baijal (pictured), head of enterprise risk, Cantor Fitzgerald
"Acquisitions and large initiatives drive change management risk exposures up. Integration of these changes may impede a firm's ability to execute on its strategy, place strain on resources, and distract management attention from core business activities. Effective communication and management of the movement of people, the maintenance of a strong control infrastructure – including for IT and security – and strong business continuity practices remain of top concern in any organisation going through significant change.
People risk rises with the increase in change in an organisation. Companies also continually compete to recruit, develop and retain top talent. This poses a greater challenge where specialised resources in the industry are limited."
Iain Wright, head of enterprise and operational risk, Sun Life Financial
"Banks are operating in an unstable geopolitical environment characterised by the emergence of rapidly evolving and dynamic threats. Further, since the crisis in 2008, major transformation programs within the industry are driving legal entity change, operating model developments and extensive outsourcing and offshoring. All these factors require banks to increase their focus on the related heightened operational resilience risks."
Colin Bell, global head of operational risk, UBS
Criminals and terrorists remain eager to gain access to the global financial system, and governments are just as eager to stop them. As a result, firms must comply with a growing stack of rules and regulations in areas such as sanctions, anti-money laundering (AML) and counter-terrorist financing (CTF).
Firms that fail to meet this challenge can face heavy penalties. After admitting that it flouted sanctions against Cuba, Iran and Sudan, BNP Paribas was forced to pay a whopping $9 billion to US authorities in June 2014. Similarly, in March last year, Commerzbank agreed to pay $1.45 billion to US authorities thanks to AML failures and sanctions violations.
Firms complain that the burden of compliance with AML, CTF and sanctions is increasing and frequent changes to the rules make it difficult to keep up. Some suggest the increasing weight of these rules is driving so-called 'de-risking' – or a general move away from certain businesses or client segments. In a survey published in November 2015 by the World Bank, 19 out of 20 large international banks said worries about breaking the rules had caused them to terminate correspondent banking relationships.
"The systematic prevention of entry and use of our financial network by criminals, sanctioned entities or terrorists remains a challenge, as standards of enforcement are being raised to the point in which banks are required to provide capabilities that were previously the domain of government intelligence and/or law enforcement agencies."
Mark Cooke (pictured), group head of operational risk, HSBC
"The complexity of complying with AML and sanctions requirements for global institutions is a significant challenge and evidence shows that non-compliance can have significant financial consequences."
Director of operational risk at a major US bank
"With continued regulatory changes and evolving expectations, maintenance of a best-in-class financial crime function will continue to be essential to effectively manage risks in this area. Notably, with a rapidly changing geopolitical environment, the global economic sanctions framework is complex and fast moving."
Colin Bell, global head of operational risk, UBS
"The Middle East is a high-octane risk area in terms of political risk, terrorist funding, commercial links with sanctioned countries and money laundering. The potential downside compared to the limited commercial value most banks in the region represent, make it an easy, although not a courageous decision for compliance departments to exit relationships with banks in this part of the world."
Head of operational risk at a Middle Eastern bank
Since the 2008 crisis, new rules and regulations have proliferated across the financial sector, with no end seemingly in sight. The risk posed by regulation was a common fear among respondents to this year's survey – whether those respondents were from banks, asset managers or insurers.
Interpreting and implementing new regulation can divert management time and focus from other tasks. In some cases, new regulations require organisational change – #5 in this year's Top 10 Operational Risks. The risk of regulation is particularly acute for global businesses that must deal with overlapping and sometimes conflicting rules in a range of different jurisdictions, say op risk practitioners.
Among others, the past few years have seen major reforms to Basel III bank capital rules; the introduction of Europe's Solvency II minimum capital rules for insurers; the introduction of rules on the trading and clearing of derivatives under the European Market Infrastructure Regulation and US Dodd-Frank Act; the unveiling of rules designed to mitigate the failure of systemically important banks and insurers; and new laws on trading in financial instruments under Europe's Mifid II.
Some of these changes will affect op risk practitioners more directly than others. As part of its continuing changes to Basel III, the Basel Committee on Banking Supervision is expected to propose a drastic overhaul of op risk capital rules in 2016, which will likely involve stripping banks of the ability to use their own models for calculating op risk capital.
"I would definitely call out regulatory risk. That's something that everybody's feeling at the moment: the pace of it, the delta on it and being able to keep up with it and make sure that, as an organisation, you are correctly understanding and interpreting it."
Head of op risk, large asset manager
"The increased pace and focus of regulatory expectations, in conjunction with dynamic change in an organisation, increase conduct risk and the need for enhanced monitoring and oversight. In particular, we see increasing global regulatory focus on issues related to the treatment of customers ranging from product design, to sales practices, through to the continuing appropriateness of products."
Iain Wright (pictured), head of enterprise and operational risk, Sun Life Financial
"Meeting regulatory requirements has always been a fundamental obligation for any business, but the pace of change has accelerated over the past few years and creates additional and often conflicting priorities for firms."
Director of operational risk, large international bank
"There is increasing uncertainty around the requirements and expectations of regulators, shifting timelines and a lack of transnational consistency. While they impact all institutions, the aggregated impact of these sometimes-conflicting requirements will have a bigger effect on the smaller-scale operations. This has also put pressure on firms' infrastructure, as limited resources are being directed towards regulatory requirements, as opposed to business [and] customer needs."
Enda Collins, op risk manager, GE Capital
"Most regulations in isolation are well understandable; however, combined they pose quite a challenge to those that have to manage the regulatory change agenda."
Diemer Salome, head of non-financial risk management, Rabobank
Conduct risk has shot up the agenda in recent years, and now ranks as one of the largest fears of op risk practitioners.
Firms' focus on conduct has been sharpened by the creation of the UK Financial Conduct Authority (FCA) in 2013, and to a lesser extent, the US Consumer Financial Protection Bureau (CFPB) in 2011.
Conduct risk is the risk that arises as a result of how businesses and employees conduct themselves, particularly in relation to their clients and competitors.
As a director of operational risk at a large international bank says: "Trust is the cornerstone for the financial services industry to operate effectively and ethical behaviour underpins that trust. A few lapses can have a devastating impact on relationships with customers and regulators."
Poor conduct can often result in problems such as mis-selling, market abuse and fraud, which may lead to lawsuits and regulatory penalties. But Ariane Chapelle, consultant and honorary reader in operational risk at University College London, says the ramifications of lapses in conduct can also be far broader – for example, if an instance of money laundering occurred because an employee failed to undertake the right anti-money laundering checks. In this sense, the issue of conduct risk overlaps considerably with many of the other Top 10 Operational Risks.
Op risk practitioners say conduct risk can be mitigated by paying close attention to corporate culture and by making sure basic controls are in place: for instance, by making sure employees are fully aware of the consequences of poor behaviour. In some instances, firms have appointed heads of conduct to oversee efforts to address the risk, but practitioners suggest that more needs to be done.
"One of the biggest issues is conduct risk. It's certainly been hot on the FCA's agenda, but is increasingly becoming a global phenomenon. The regulator wants firms to explicitly highlight risks which impact customers, market integrity and/or competition in the marketplace. Those are the three core elements of conduct risk. What banks will need to evidence is that they've got the right kind of controls to identify and manage conduct risk effectively."
Rajat Baijal, head of enterprise risk, Cantor Fitzgerald
"All firms on the sell and buy side have seen an increase in the regulatory fines coming from the FCA and other regulators across the globe, so it's absolutely essential to address this."
Head of operational risk at a hedge fund
"Conduct, market and business practices are sources of a lot of concern. Market abuse and treating customers fairly are very much the focus of the FCA and other US regulatory bodies, such as the CFPB. Some of the most significant fines and punishments levied by the regulators deal with conduct and/or market abuse issues. This in turn has resulted in a renewed focus by the firms on how they manage and oversee these risks, and in particular a better understanding of the controls in place to minimise these risks. Those two things are really gaining momentum on management's agenda."
Dan McKinney (pictured), leader of the operational risk practice, EY
"Conduct risk is a new name for a risk that has always been there, but now seems to be worthy of a regulatory regime of its own. It will certainly help to focus the minds, but just how far it goes remains to be seen."
Head of operational risk at a Middle Eastern bank
When asked for his response to this year's Top 10 Operational Risks survey, one London-based op risk practitioner gives a curt response: "I would say cyber, cyber and cyber."
Although not everybody is so single-mindedly focused on cyber, a large proportion of respondents mention it as one of their biggest concerns and an area of focus for senior management. That emphasis has been encouraged by supervisors, particularly in the US, who have delivered apocalyptic warnings about the perils of neglecting cyber security.
The sense of nervousness has been escalated by the media attention garnered by high-profile cyber attacks. In 2014, for instance, JP Morgan suffered one of the biggest cyber attacks ever recorded, involving the theft of 83 million customer records. Many other recent attacks, both inside and outside the banking sector, have helped keep cyber risk top of mind. Cyber risk "has been shown to be a clear and present danger to business and the public generally", says one London-based director of operational risk. "All businesses need to address this."
Cyber attacks can not only hinder companies' ability to operate, but can also erode public confidence – a vital asset for financial services firms. The susceptibility of financial institutions to cyber risk is also increasing as they incorporate new technology into their products and services, with innovations such as online banking and mobile payments. Op risk managers need to be concerned about "where we're going in terms of the digital age and the move towards a more digital environment", says a UK-based op risk practitioner.
Notwithstanding this, some cyber risks are more mundane. While unattended computers and unprotected passwords get fewer headlines than targeted attacks by cyber criminals, firms say they are the most likely cause of cyber breaches.
Op risk practitioners say there is much the industry is already doing to mitigate cyber risk, including through industry groups such as the US-based Financial Services Information Sharing and Analysis Center (FS-ISAC). In October 2015, a survey of cyber security governance by the Information Security Center at the Georgia Institute of Technology found the financial sector had the highest percentage of chief information security officers for any industry, at 88% (see table). However, the concerns raised here suggest more work is required.
"The expansion of digital service channels, along with the increase in the sophistication of attacks, has seen a marked uptick in vulnerability to cyber risk and particularly the reputational impact through loss of client information or denial of core customer services."
Mark Cooke, group head of operational risk, HSBC
"Banks are already faced with having to keep their data secure from hacking, but even issues like increasing consumer demand for fast and smooth online and mobile banking can present security problems, as banks are constantly seeking to improve the speed and convenience of their service, which can be contradictory to high security standards."
Oliver Binder (pictured), senior expert in operational risk, UniCredit
"Cyber security risk has increased substantially over the past year due to all of the external threats that hit retailers and other companies, and the knock-on effects they've had on banks. We continue to stay vigilant in this area."
Jodi Richard, chief operational risk officer, US Bank
"When I think about the risks that might cause the next crisis, cyber security is one that concerns me the most... There is still a great degree of clean-up to do to fix long-standing data and technology issues that have built up over the years...
Cyber security is the new normal. It will become part of our vocabulary in almost every exam that we conduct, every conversation with senior management and every conversation about the future of financial services."
Sarah Dahlgren, former head of the Financial Institution Supervision Group at the Federal Reserve Bank of New York, speaking at OpRisk North America in March 2015
While we tried to reflect the most popular worries of op risk practitioners, the survey is by no means scientific and an element of judgement was required in interpreting the results. For one thing, some interviewees had different ways of categorising similar types of op risk. There are also considerable overlaps between some of the risks mentioned in this list – take conduct risk and the risk of regulator fines, for example – along with varying causal relationships between them.
As with the priorities of op risk practitioners, we expect the Top 10 Operational Risks to continue to change over time. To some extent, the popularity of the top risks featured here can be attributed to the evolving threats facing financial firms. But it also seems that op risk managers are human – and with that comes the usual susceptibility to changing industry trends and the latest headlines.
Interestingly, some of this year's risks run along similar lines to those identified by the US Office of the Comptroller of the Currency in its latest Semiannual Risk Perspective – a document released on December 16 last year, as the survey was in its closing stages. In it, the bank regulator expressed concern about "the amount and pace of internally and externally initiated change", the "increased sophistication of cyber threats", and "pervasive technology vulnerabilities".
Despite the ups and downs of the markets, the biggest lesson here may be that operational risk – in all its many forms – continues to pose some of the thorniest challenges faced by the financial sector.