Whatever the topic under discussion at the OpRisk Europe and North America conferences this month, the conversation inevitably turned to cyber risk. That’s hardly surprising: cyber risk, in its many guises, is an ever-present, ever-mutating danger for banks, consistently ranked the top threat in an institution’s operational risk framework. It also has an increasingly strong bearing on all the other risks in Risk.net’s annual industry poll, from fraud to outsourcing.
Regulators and practitioners alike at both conferences highlighted the business continuity risks posed by a major cyber attack, emphasised the need for rapid recovery from an outage, and called on businesses to improve their planning and modelling.
Banks are still adapting to the threat of attacks, evolving their own three lines of defence (3LOD) frameworks to better incorporate cyber risk, and channelling expertise from other functions across the bank such as IT and information security – and, increasingly, from other industries.
Many practitioners spoke openly about the need for constant fine-tuning of the 3LOD framework if it is to work successfully for larger banks, including the need for a clearer delineation of responsibility between risk managers and front-office staff when it comes to ‘owning the risk’.
Another much-discussed topic was the Basel Committee’s off-again, on-again standardised measurement approach (SMA) to operational risk capital calculation. Banks lamented the lost investment in bespoke models should the framework enter into force, while others expounded the benefits of modelling smaller op risk events to help prevent losses in future.
To read more, please click on the articles below.
“If you’re waiting for us to give you regulation, you’re behind the curve,” says Fed’s Ferlazzo
Banks forced to consider link between risks and macroeconomic factors
Most banks fail to establish explicit link between KRIs and identified risk exposures
Credit Suisse is using scenario analysis to model the risks associated with internal fraud losses
Lack of loss data means predictions are a problem
Regulator says banks have good track record overall, but exams reveal weaknesses
Lengthy payout mechanism of cyber policies makes it ineffectual against large losses, dealers argue
Clearer split in responsibilities between first and second lines needed, say op risk chiefs