Cyber risk has emerged as the most common operational risk concern cited by respondents in a survey of op risk practitioners conducted by Risk.net.
In a series of interviews that took place in November and December last year, Risk.net journalists spoke to chief risk officers, heads of operational risk and other op risk practitioners at financial services firms, including banks, insurers and asset managers. Based on the op risk fears most frequently mentioned by those practitioners, Risk.net compiled a list of the Top 10 Operational Risks for 2016.
Topping the list is cyber risk, which was described as “a clear and present danger” to firms and the public by one London-based director of operational risk.
Mark Cooke, group head of operational risk at HSBC, is similarly concerned. “The expansion of digital service channels, along with the increase in the sophistication of attacks, has seen a marked uptick in vulnerability to cyber risk and particularly the reputational impact through loss of client information or denial of core customer services,” he says.
Cyber risks have been kept at the forefront of practitioners’ minds due to a strong focus on the topic from financial regulators and the level of media attention garnered by high-profile attacks. The Federal Reserve Bank of New York has identified cyber as one of its top risk priorities, with a senior supervisor warning the OpRisk North America conference in March 2015 that it could be the source of the next financial crisis.
Op risk practitioners note that cyber attacks regularly make the headlines, both inside and outside the financial sector. One example cited as part of the survey was the hacking of UK-based telecoms provider TalkTalk in October last year, which caused a major loss of customer data.
“With TalkTalk, their shares plummeted when they first had to announce it,” notes one head of op risk at a hedge fund, who did not wish to be named. “If you’re a TalkTalk customer you’re not likely to renew your contract; if you’re a new customer, you’re not likely to go to TalkTalk because you perceive their controls are not really robust enough to protect your data. So these incidents do impact the bottom line and they tend to hurt the smaller guys more than they hurt the big guys.”
This year, the second most frequently cited op risk worry is conduct risk. Practitioners note that poor conduct can result in problems such as mis-selling, market abuse and fraud, which may lead to lawsuits and regulatory penalties. Since the 2008 financial crisis, a brighter spotlight has been shone on conduct due to the creation of the UK Financial Conduct Authority (FCA) in 2013 and the US Consumer Financial Protection Bureau in 2011.
“What I would highlight as one of the biggest issues is conduct risk,” says Rajat Baijal, London-based head of enterprise risk at Cantor Fitzgerald. “It’s certainly been hot on the FCA’s agenda, but is increasingly becoming a global phenomenon.”
In third place on the list is regulation. Op risk practitioners point to the sheer volume of regulatory changes seen in recent years, including those triggered by the US Dodd-Frank Act, Europe’s Mifid II, and changes in capital rules from the Basel Committee on Banking Supervision. The Risk.net survey found that concerns about regulation were widely spread among op risk practitioners – regardless of whether those practitioners worked at banks, insurers or asset managers.
“There is increasing uncertainty around the requirements and expectations of regulators, shifting timelines and a lack of transnational consistency,” complains Enda Collins, an operational risk manager at GE Capital in Dublin. “This has also put pressure on firms’ infrastructure, as limited resources are being directed towards regulatory requirements, as opposed to business [and] customer needs.”
Some of the other most popular op risk worries in this year's survey are organisational change, recruitment and retention, outsourcing, and the risk of IT failure. The timing of the survey, which coincided with the November 13 Paris attacks, helps push the risk of terrorism into the top 10.
An in-depth feature detailing the Top 10 Operational Risks of 2016 will be released on Risk.net tomorrow (January 20). The feature will also be included in the February 2016 issue of Operational Risk magazine.