Earlier this year, Risk.net published its annual list of the top 10 operational risks. Based on a survey of practitioners around the world and interviews with industry insiders, the ranking aims to highlight the 10 most important operational risks for the financial sector in the year ahead.
Looking at the concerns that have appeared on the list over the past decade, emerging operational risks can be sorted into three categories – the risks we all know, the risks we should know and the risks we don’t know – and each holds a lesson for practitioners.
The first type comprises risks that are flagged from year to year. The persistence of certain risks might mean the sector never learns and keeps ignoring gaps in controls.
The second category consists of truly emerging but often underappreciated risks, such as those arising from climate change and growing income inequality. The category also contains self-inflicted risks: obvious internal vulnerabilities that have not been addressed.
The last bucket groups together risks that are nigh on impossible to predict – say, an unexpected physical attack or political swing – reinforcing the importance of operational resilience, rather than just risk prevention.
Table A provides an overview of the top 10 risks that have appeared on Risk.net lists since 2010. Starting with the 2016 list, the risks are ranked in order of importance. Each recurring idiosyncratic risk, or group of related risks, is given its own colour. Risks that have been mentioned only once or twice are left white – these are usually based on recent events and so can be described as predicting the past.
Cyber risk and data security, regulatory fines and outsourcing feature frequently. These are the threats we all know, also appearing on the ORX list of top operational risks as chosen by banks and insurers.
Risk.net’s taxonomy has changed in recent years, but cyber risk in its various guises has still topped the list since 2013. This year it is represented by data compromise (#1), IT disruption (#2) and theft and fraud (#5).
Reputational risk dropped out after 2014, followed by the related social media risk a year later. Business continuity also stopped appearing in the top 10 after 2014. Arguably, both are more impacts than risks, and their absence might simply be due to a clearer distinction made now between risks and impacts.
Outsourcing risk was mentioned in 2011 and re-emerged in 2016, remaining on the list ever since. Organisational change, which refers to the risk of mishaps during any kind of internal transition, appeared in 2016 and has remained in the top 10 since then. It seems that operational risk managers agree with the philosopher Heraclitus that “everything changes and nothing stands still”, but they see it more as a risk than the core of a philosophy.
If the same risks rank in the top 10 over a decade, it might simply mean they are not being tackled, at least not effectively
Some other risks come and go, depending on the news flow over the previous months. A good example is the threat of terrorism, which was flagged in the 2016 list, following the Charlie Hebdo attacks in January 2015 and the November 2015 violence in the Bataclan concert arena in Paris. Other examples are political risk, which appeared in the ranking in 2012, 2013, 2017 and 2019, and model risk, which featured in the 2015 and 2018 lists.
Other perceived hazards are even more news-driven, such as the risk of epidemic disease mentioned only in 2013, after an outbreak of salmonella in the US and a major epidemic of ebola in West Africa in 2012; index rigging in 2014 after the Libor scandal broke in early 2013; and board overstretch in 2014 after post-financial crisis rules on corporate governance were published in 2013. These topical risks were short-lived and demonstrated that human minds are especially good at predicting the past.
But, as the table shows, there is also a great deal of consistency across the yearly lists. There are two possible explanations for this and one of them is concerning: if the same risks rank in the top 10 over a decade, it might simply mean they are not being tackled, at least not effectively. It seems that talking about an issue, often at length, or mentioning it as a priority or as a main concern gives us the illusion of having prevented it, even before any effective measure is implemented – a cycle that ensures we report the same concerns over and over again.
The more reassuring explanation for the high degree of overlap between Risk.net’s annual lists is that, despite its diversity, operational risk displays a certain stability around its core drivers. These are systems and data, fraud, financial crime and related regulatory sanctions, outsourcing risks, and conduct and culture. Arguably, they give rise, at least in part, to the other risks.
Latent risks and curveballs
Some of the truly emerging risks, which firms should consider but often don’t, are the slow-burning risks that banks have little control over, such as water scarcity, migration and social unrest. These can be assessed using the so-called Pestle analysis – an acronym representing the political, economic, socio-cultural, technological, legal and environmental factors that can affect the risks for a firm or a project.
Other latent risks we should all be aware of are those stemming from internal weaknesses that no-one has the resource, the time or the will to address. A scandal or, if you are lucky, a large near-miss, often act as a wake-up call to strengthen controls and tackle long-overdue issues. Examples include rogue traders at UBS and Societe Generale and money laundering facilitated by HSBC.
And then there are real surprises, unpredictable by definition. For example, neither Brexit nor any other kind of political risk made it into the 2016 Risk.net ranking, which was compiled at the end of 2015 whereas the UK referendum and then the US presidential election took place in 2016. Geopolitical risk duly appeared in the 2017 list.
Since firms cannot foresee, let alone prevent, every risk, they should have in place an adequate operational resilience framework. When disruptions inevitably occur, such a framework will ensure, first, continued service provision at a minimum level; second, return to a normal state; and third, learning from the incident and improving prevention. It is an approach proposed by the Bank of England and the UK’s Financial Conduct Authority in a discussion paper on operational resilience and reaffirmed in a recent BoE speech.
We cannot predict the future, but we can study our environment and adapt accordingly – the most successful firms are those able to adapt not through magical foresight, but through constant observation and change.
Editing by Olesya Dmitracova