In a series of interviews that took place in January and February 2018, Risk.net spoke to chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers. Based on the op risk concerns most frequently selected by those practitioners, we present our ranking of the industry’s top 10 operational risks for 2018 (see note on methodology at bottom of article).
#1 IT disruption | #2 Data compromise | #3 Regulatory risk | #4 Theft and fraud | #5 Outsourcing | #6 Mis-selling | #7 Talent risk | #8 Organisational change | #9 Unauthorised trading | #10 Model risk
#1: IT disruption
IT disruptions – whether from a disabling cyber attack, or the more mundane causes of human error or failure of aging hardware – are considered the top threat to financial services firms for 2018 by senior operational risk practitioners.
Ensuring resiliency against disruptive cyber attack is an impossibly broad task, op risk managers admit, taking in everything from information security controls to scenarios and war games, third-party oversight, data protection and fraud authentication processes.
In recognition of the proliferating nature of the threat, last year’s single ‘Cyber risk’ category has been broken out into multiple categories for this year’s survey.
Guarding against known risks such as DDoS is a given. What worries op risk managers more are the harder-to-measure disruptive threats – cyber and physical – to their firm’s networks. Malware, employee error and plain old hardware failure can be just as crippling when it comes to a loss of operational functionality.
Lump in the risk of physical disruption to a bank’s network – from sources as varied as a city-wide power outage, to an attack from a weaponised electromagnetic pulse – and it’s not hard to see why op risk practitioners rank IT disruption as the most significant operational threat facing their firms.
The disruption to services from successful ransomware attacks is usually far more costly than the payments made to cyber thieves, as the 2017 WannaCry attack showed. Still harder to quantify are the thousands of man-hours invested in universal training for staff, or spent trying to trace when and where successful breaches occurred.
Many of last year’s worst IT disruptions can be attributed to faulty software, practitioners note. The US Comptroller of the Currency notes weaknesses in controls and governance related to information security within banks. Patch management – the application of fixes or updates when vulnerabilities are identified in software – and access management are of particular concern, because they are the soft spots through which attackers can penetrate a bank’s outer perimeters.
Some argue regulators’ expectations are unreasonable when it comes to cyber attacks. US prudential regulators say financial institutions should be capable of a two-hour return to operations – something practitioners argue is unrealistic and potentially dangerous.
#2: Data compromise
Cyber theft, unauthorised access, accidental disclosure and employee negligence – there are a multitude of ways in which the vast quantities of personal information banks and financial services firms hold can fall into the wrong hands. Small wonder, then, that around half of the op risk professionals that Risk.net spoke to for this year’s Top 10 Op Risks adjudged data theft as the number one operational threat to their organisation for the year ahead.
The headline data breach of 2017 was the cyber attack on credit reporting agency Equifax, which compromised personal information including names, social security numbers, driving licence numbers, credit card numbers and personal documents, relating to an estimated 145 million individuals.
Equifax came in for criticism for not publicly acknowledging the breach until September 2017. The reticence to report cyber attacks is an industry-wide problem, op risk managers admit. From May 2018, the European Union’s General Data Protection Regulation aims to tackle such underreporting by requiring firms to inform their relevant regulator of any data breaches within 72 hours. Failure to do so could result in unprecedented penalties: firms can face fines of up to 4% of their global turnover in the event of a serious data breach.
Op risk practitioners at larger banks describe the job of trying to comply with the regime across all their global businesses before the go-live as akin to “boiling the ocean”. Many candidly acknowledge that the job of updating contracts to update data permission rights will not be complete by May – and that they will find themselves relying on regulatory forbearance to a degree.
Regulators themselves provide tempting targets for data thieves because of the volumes of non-public information they amass on companies. In September 2017, the Securities and Exchange Commission revealed that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.
As for quantifying losses from data breaches, banks have long expressed a need for better tools in making these calculations. For all the time and resources invested in models to estimate potential losses from market and credit risks, many firms are unable to measure their exposure to data breaches with anything like the same degree of accuracy – partly a function of the non-linear relationship between a bank’s safeguards and its likelihood of suffering loss.
#3: Regulatory risk
Anyone looking for a ready-made example of the constantly evolving nature of regulatory attitudes to supervision – and the risks this unpredictability poses to firms as they go about their business – got one last month, courtesy of the US Federal Reserve. Its cease-and-desist order to Wells Fargo in February, which stops the bank from being able to grow at all until it improves its governance and risk management practices, is just the latest sobering example for banks.
This singular action caused Wells to slash its profit estimate for the year by up to $400 million, and has put op risk managers around the world on high alert. The standard pattern in the post-crisis era has seen authorities dole out fines for incidences of misconduct. Op risk practitioners now speculate that watchdogs will deploy an array of tools to enforce their will – as the Fed has done – or lean more heavily on periodic, qualitative surveys of their charges as a means of practising ‘soft’ enforcement.
In some ways, fines are diminishing in importance. The Basel Committee’s decision to junk op risk modelling in favour of the simpler standardised measurement approach in December last year comes with the added sweetener of allowing national competent authorities the option of excluding loss history from the calculation of banks’ operational capital, and allows the banks themselves to petition their regulators to remove certain op risk losses they believe they are not in danger of repeating.
One tool at the disposal of supervisors is the ability to adjust an institution’s Pillar 2 capital; and Bank of England governor Mark Carney has suggested UK authorities may do just that if banks demonstrate failures in conduct risk controls.
Other new regulations require supervised entities to report large amounts of complex data to regulators or release it into the public domain. Mifid II, the European Union’s General Data Protection Regulation, and the Fed’s Comprehensive Capital Analysis and Review are three areas cited by the global head of op risk as fraught with regulatory reporting risk.
#4: Theft and fraud
Dealing with theft and fraud is part and parcel of a risk manager’s job. But with attempted breaches from both now concentrated in the digital realm, banks are significantly less worried about physical robberies than they are about cyber bandits.
Whether realised losses from cyber fraud still trump the old-fashioned variety on an industry-wide basis is another matter, however. Many of last year’s largest op risk losses from fraud were more conventional. The Agricultural Bank of China, for instance, faced losses of $497 million after being defrauded by employees of billionaire Guo Wengui – the tenth largest loss event of 2017. In another case, eight Indian banks incurred $770 million in losses in a fraud case involving Kingfisher Airlines founder Vijay Mallya – the industry’s seventh largest reported loss event last year.
Yet the fear among banks of catastrophic losses from cyber theft or fraud remains palpable – probably largely due to the sheer number of daily attacks on their defences. Everything from email phishing threats to highly sophisticated attempts to introduce malware into networks are to be expected for an institution of any size. The potential loss from such incidents could range from pennies to billions of dollars.
In September, for example, Swedish banks were hit with a concentrated phishing attack that saw hackers use malware to gain access to banks’ networks, allowing them to redirect payment orders and siphon off funds. Three of the country’s banks face cumulative potential losses of Skr250 million ($312 million), according to Swedish police.
There is also evidence to suggest a nonlinear relationship between the strength of a bank’s controls and the likelihood of it suffering a cyber attack, op risk managers point out; what appears to matter more to would-be cyber thieves is a bank’s perceived weakness as a target. Some point to the concentration of cyber frauds conducted over payment networks targeting emerging market banks as anecdotal evidence of this.
#5: Outsourcing
Outsourcing remains a top operational risk for practitioners this year – unsurprising, given banks’ growing reliance on vast networks of vendors for everything from online platform management to extra grid capacity.
Op risk managers are divided, however, on where outsourcing risk sits within their policy frameworks. Many say they still treat it as a discrete risk in its own right – but a few say they see it through the lens of the two principal categories of risk it opens them up to: compromise of their data, or disruption to their own IT environment.
Poor third-party management leaves banks and financial services firms exposed to the risk of costly fines for significant data breaches, lawyers warn, especially with the advent of the EU’s General Data Protection Regulation, which enters into force in May. Given the size of the potential fines in the event of significant data breaches – up to 4% of a firm’s global turnover – legal wrangles over where culpability lies are likely to increase.
Aside from concerns about data breaches resulting from hacking or the introduction of malware, preserving day-to-day business continuity is also a top priority. Risk managers say they face difficulty in negotiating appropriate risk management clauses in standard contracts with large vendors.
Banks’ adoption of cloud computing to cut hardware costs and boost capacity has spurred regulators into action. The European Banking Authority issued final guidance in December on the use of cloud service providers by financial institutions. The guidance crystallises regulatory expectations for firms outsourcing services to cloud providers around key areas such as access and audit rights and contingency plans and exit strategies.
#6: Mis-selling
The mis-selling of financial products – from humble residential mortgages, to securitisations stuffed full of thousands of them – has been a perennial concern for op risk managers over the past decade.
Practitioners’ pessimism is well founded. As the harvest of compensation payments in 2017 demonstrates, mis-selling is a crop that takes years to ripen. Take the case brought by the US Federal Housing Finance Agency against RBS for mis-selling mortgage-backed securities. RBS became one of the last banks to settle with US authorities in July for $5.5 billion. A few months previously, the bank paid a share of a $165 million settlement to unhappy investors in a flawed mortgage securitisation it had underwritten in 2006–7, alongside Deutsche Bank and Wells Fargo.
Just as the growing use of automated algorithmic trading software has led to fears of new forms of unauthorised trading, the growth in automated customer advisory systems known as ‘robo-advisers’ has led at least one regulator, the US Securities and Exchange Commission, to lay out guidelines on how these algorithms can avoid misleading customers – and how human overseers should be held accountable if they do.
Increasingly, regulators are putting the onus back on to bank management to change sales culture and root out individual bad apples. In the UK, the FCA shelved its banking culture enquiry in late 2015, putting its faith instead in the Senior Managers Regime which imposes new and explicit lines of responsibility on managers at all levels in large financial institutions.
#7: Talent risk
Talent risk enters the top 10 for the first time this year – an unwelcome sign of the finance industry’s struggle to attract, train and retain the best and brightest amid competition from other sectors such as technology.
It’s not just front office jobs: banks have repeatedly warned in the last 18 months that they are struggling to attract and retain sufficiently experienced risk managers across functions as diverse as regulatory reporting and model validation. This is having real world consequences for the quality of their op risk management, they warn: more than one bank Risk.net spoke to for this year’s top 10 notes an increase in reporting failures due to human error, where less experienced staff had been pushed into high-pressure roles; others point to project overruns due to a shortage of staff.
At the graduate recruitment level, senior risk managers have long warned the industry is struggling to attract the brightest and best quant finance grads in the face of increasing competition from technology firms. In days gone by, quants working in a risk management function for a bank might have cut their teeth in a more front office-oriented role such as derivatives pricing; but such jobs are harder to come by these days, with many banks pulling back from exotic derivatives trading, and US banks for now barred from proprietary trading under the Volcker rule.
Now, grads might be expected to enter a bank as a model risk manager – a well paid job, but not one with the prestige or autonomy of working as a bank quant in the pre-crisis era, and a harder sell when compared with the comparative cool factor of working for a tech firm instead. Those that do enter banks directly as specialists will also be less experienced – leading to a hollowing out of the ranks at the mid-level, senior quants warn.
#8: Organisational change
Almost every survey respondent offered a different answer when asked what worries them most about organisational change. To some, it is the pressure to keep pace with technological change, with the vague promise that, some years down the line, the investment will pay off and allow them to boost revenues or slash costs; to others, it is the ultimate risk that such changes will see them superseded altogether.
Some op risk practitioners point to the immediate problems technological change can bring to organisations that adopt new ways of doing business without yet having a control environment ready to handle them.
Others could see their very future imperilled by regulatory change. Voice brokers complain Mifid II’s push of more financial instruments towards electronic trading could leave their role in arranging transactions redundant; bank research staff have also been impacted by the legislation, with Mifid forcing dealers to unbundle the implied cost of research from trade execution and other services.
Geopolitical risk – absent from this year’s survey as a category in its own right – can also force change on firms, simply due to the physical upheaval. Non-European banks currently using London as their base through which to access the single market will be forced to set up new entities within the EU, to house some of the functions that depend on such access. Political pressure to repatriate jobs will also be a factor.
Political and regulatory mandates aren’t the only source of such change: banks continue to heap misery on their own staff through internal restructuring and cost cutting, which can have a very real impact on the quality of operational risk management, senior practitioners warn.
#9: Unauthorised trading
The definition of unauthorised trading has continued to evolve, in line with changing market structure. Rogue algorithms are now considered an equivalent, if not greater, source of potential losses than rogue traders purposefully circumventing controls, or fat-finger errors, according to survey respondents.
Like all sizeable op risk losses, the impact on a bank’s capital from an unauthorised trading incident lingers long after the initial breach has occurred. And banks can find wrangles over their losses continuing for years after the event: Societe Generale is currently fighting the French government over a €2.2 billion ($2.73 billion) tax write-off it took on losses inflicted by the rogue trader Jerome Kerviel in 2008.
In the UK, the Senior Managers Regime mandates clear ownership by named individuals of the development, testing and oversight for each trading algorithm. It also highlights that algorithms should be re-validated before being deployed in a different market, and asks for documentation of the differences between testing and real-world environments – both measures aimed at the risks involved in deploying algorithms in unfamiliar trading conditions.
There are hopeful signs that banks and regulators are getting smarter when it comes to balancing carrot-and-stick incentives to encourage good behaviour among traders. In the US, Citi has made much of its recent bonus scheme overhaul, intended to change the bank’s culture by linking compensation explicitly to ethical conduct as well as bottom-line performance.
However, some fear prudential regulators’ recent upending of the op risk capital framework could have a detrimental impact in this regard. The standardised measurement approach removes banks’ freedom to factor in the impact that changes in internal controls would have in preventing future breaches from the capital calculation process – a tactic many banks were successfully able to employ to reduce requirements under the own-models approach. Practitioners have argued this could take away the incentive to improve controls in the first place, engendering a new source of operational risk.
#10: Model risk
Model risk re-enters the top 10 this year, for the first time since 2015 – a reflection of the growing regulatory burdens placed on banks’ modelling and validation teams in a number of key jurisdictions. It also hints at the potential cost of errors should banks make a mistake.
This year saw the European Central Bank roll out the inspection phase of its Targeted Review of Internal Models (Trim), while the US Federal Reserve incorporated model risk governance into the qualitative portion of its annual stress-testing programme for the largest US banks. The Bank of England also updated its model management principles for UK entities in March, while Canadian watchdogs followed suit in the autumn.
Ironically, the perceived rise in model risk among banks comes at a time when banks' freedom to use internal models to calculate regulatory capital is set to be severely curtailed under Basel III – which partially floors model outputs to capital numbers achieved using a standardised approach – or removed completely in the case of Pillar 1 calculations for operational risk.
Banks have made it clear they intend to keep parts of their op risk modelling apparatus to calculate Pillar 2 requirements – good news for op risk model quants and model validation specialists who might otherwise find themselves out of a job.
Profiles by Tom Osborn, Alexander Campbell, Steve Marlin, Afiq Isa and Louie Woodall
A note on the methodology:
This year, respondents were asked to supplement standardised risk taxonomies with real-world examples of given risks.
Cyber risk, which topped the 2016 and 2017 surveys, was broken up this year, and its impact considered across multiple categories – primarily IT disruption, data compromise and theft and fraud.
Mis-selling and unauthorised trading were considered a function of conduct risk in the 2017 rankings.