Welcome to Risk.net’s annual ranking of the top op risks for 2020, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.
As in years past, there's no great secret to the methodology: Risk.net’s team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.
As before, the survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide.
For a note on the impact of the coronavirus, navigate to the final chapter, geopolitical risk.
As ever, Risk.net invites feedback on the guide and its contents – please send all views to tom.osborn [at] risk.net. Thank you for reading.
Profiles by Costas Mourselas, Steve Marlin, James Ryder, Alexander Campbell and Aileen Chuang. Editing by Alex Krohn, Joan O’Neill and Tom Osborn.
Click on category for full analysis
#1 IT disruption | #2 Data compromise | #3 Theft and fraud | #4 Outsourcing and third-party risk | #5 Resilience risk | #6 Organisational change | #7 Conduct risk | #8 Regulatory risk | #9 Talent risk | #10 Geopolitical risk
#1: IT disruption
When customers are suddenly unable to access their money because of a paralysing cyber attack or a critical IT systems failure, the consequences for a bank’s profitability and reputation are clear.
Respondents to this year’s Risk.net survey of top op risks report a two-pronged risk to systems and IT operations. First, the threat from hostile hacking groups and even nation states laying siege to a bank’s defences: breach attempts only have to be successful once to sow widespread chaos. Second, banks must upgrade or patch ageing IT systems to stay competitive, and, in doing so, they can expose themselves to cyber attacks or good old-fashioned outages.
“Whenever I talk to my cyber guys, they say the threats are evolving, becoming more clear about where they target,” says the group head of operational risk at a European bank.
In the face of increasingly sophisticated cyber attacks, the US Federal Reserve is mulling whether to compel financial firms to submit data on cyber incidents. Banks have traditionally been nervous about sharing information about cyber threats, and sources worry that information could leak out, painting a bullseye on other firms.
Another target could be systemically important financial market infrastructure providers (FMIs) such as clearing houses and settlement providers, on which the functioning of many markets depends. The chief risk officer of one of the largest FMIs tells Risk.net he spends most of his time worrying about non-default risks, and that he’s “particularly worried” about risks stemming from cyber attacks.
In this year’s survey, IT failure has been considered alongside IT disruption, where last year the categories were considered separately. Although the drivers and risk management of the issues are very different, the consequences – the loss of critical services leading to parts or all of an organisation being unable to function – end up looking much the same.
Both concerns also feed into resilience risk – debuting in fifth place this year – which considers the consequences of an outage or failure in the context of changing regulatory expectations around how and when a firm can return to operations, as well as the consequences of that outage for other firms that depend upon its services, and the role it plays within the financial system as a whole.
IT failure specifically addresses the opportunity cost of failing to do business and the consequences, including permanent damage to a firm’s reputation, which can last well into the future.
#2: Data compromise
Sitting atop a trove of personal data, banks make tempting targets for hackers looking to make mischief, criminal rings out to collar data for cash, even cyber terrorists bent on holding banks to ransom.
While the operations and reputation of any bank hinge on accurate and secure data, the possibility of breaches, disclosure or destruction of information seems to be growing. A handful of expensive and embarrassing incidents in the past year highlight the threat, with assailants relentlessly probing for chinks in bank cyber defences.
“The threats continue to evolve. You have an increased need to be in front of it,” says an operational risk executive at a large North American bank. “We saw the big Capital One breach, so it’s certainly not going away.”
Last July, Capital One, the US credit card giant, said a hacker had penetrated the bank’s firewall and got hold of the personal data of 100 million credit card applicants as well as 140,000 social security numbers and 80,000 bank account numbers of existing credit card customers. The incident could cost Capital One as much as $150 million in customer notifications, legal fees and technology upgrades, it said.
In this year’s Top 10, data management, a discrete category in previous top 10 lists, has been folded into data compromise to form a single topic. Although the causes and preventions are different – one requires protecting a firm’s data from external malicious attack, the other the risks of mismanaging or mislaying data internally – the financial and reputational harm can be the same. Last year, data management was eighth on the list.
The risks are manifest: almost a year ago, UK authorities fined Goldman Sachs and UBS millions for transaction reporting lapses, while Citi was penalised in the US for prudential reporting lapses. Data mismanagement underpinned all these cases.
#3 Theft and fraud
Theft and fraud jumps to third in this year’s survey – a sign of both its ubiquity for financial institutions of all types, from the largest global lenders to eight-person hedge funds, and likely a function of its role in five of the 10 largest reported operational risk losses of 2019.
Many of the most severe frauds reported last year, particularly in emerging markets, bore a similar characteristic: namely, the help of an inside operative working for a bank. That leads one respondent to dub this simply “insider risk”. It was also the case for 2018’s biggest fraud loss – an eye-watering $12 billion hit for Chinese insurer Anbang.
Internal fraud incidents can also have a long tail. Wells Fargo’s legacy losses relating to its ‘ghost account’ fraud scandal also increased throughout 2019, with the total bill for settlements and restitutions already topping several billion dollars and counting – not to mention the long-term impact on the bank’s op risk capital requirements.
Theft and fraud losses are also closely linked to the drive to automate processes and systems. A senior risk manager at a global bank points out that automation of customer authentication, for example, gives criminals the chance to use stolen data to fool robot gatekeepers.
“The situation [with automation] is improving, but the threats are increasing. It’s like the two sides are growing together,” says the risk manager.
While the march of progress may produce all sorts of convoluted, tech-centric crime, naturally theft and fraud can still take place in a more mundane fashion. Earlier this month, Citi was widely reported to have suspended a senior bond trader after he was accused of stealing food from the firm’s canteen in London.
#4 Outsourcing and third-party risk
Big banks have decided there are many things it is not worth their while to do in-house. So they contract them out. And that has birthed a whole new anxiety: third-party risk, or the possibility of getting body-slammed by problems at a vendor – cyber infiltrators, power failures and disreputable behaviour among the most common.
Then there are the vendor’s own third-party vendors. At that point, third-party risk splits into fourth-, fifth-, etc, -party risk – a radiating pond of ever less visible odds. On this year’s top 10 op risk list, third-party came in fourth place, moving up from sixth last year.
Banks don’t believe their thicket of vendors take risk management – particularly cyber security – nearly seriously enough, with one respondent to this year’s survey calling them the “weakest link in the organisation”.
The risk posed by fourth- and fifth-parties was much discussed by op risk managers last year, as the European Banking Authority set new guidelines that significantly raised the bar for scrutiny of vendors, as well as their suppliers of critical services. The EBA now expects banks to negotiate audit and access rights for fourth parties working with their vendors.
European op risk managers privately say this is wishful thinking – getting even basic information to assess the security of those subcontractors is difficult.
#5 Resilience risk
When a broker can’t execute a trade because of a system meltdown, or a customer can’t get money out of a cash machine, they don’t ponder whether the bank in question has set its risk appetite correctly. They just want to know when they can get their trade done, or their cash in hand.
Resilience, the ability to get operations and services up and running after a disruption – IT snafus, cyber attack, bungled third-party supplies, cataclysmic weather or any other hazard – is a new entrant to the top 10 op risks, and makes its debut at fifth place.
Several forces are at work in elevating the topic. The growing complexity of banking and the interwoven nature of the financial system, both now rooted in technology, have combined to make resilience a subject of boardroom discussion.
“I definitely see it as a risk in its own right at the moment – and I think that will remain the case for the next three years at least,” says a senior op risk manager at a large European bank.
Some banks have moved quickly on the issue: last year, HSBC hired Cameron ‘Buck’ Rogers, the Bank of England’s cyber risk chief, as its first head of resilience risk, while LCH, the largest clearing house of over-the-counter derivatives, formed a dedicated resilience department. Fears have arisen in the banking world that a cyber attack on a clearing house, for instance, could reverberate throughout the industry.
Regulators are taking a closer look. The Basel Committee on Banking Supervision established a working group in 2018 with the aim of including a discussion of resilience metrics in an update of its principles on operational risk and, ultimately, to create a set of metrics for the industry.
The Federal Reserve is also understood to be preparing a policy paper on the subject. A New York Fed study in January said a disruption at any of the five most active US banks would result in significant spillover to other banks, affecting 38% of the network on average.
#6 Organisational change
One large European bank simply calls it “change risk”. It refers to the kinks that may arise as a bank or firm reshuffles its operations for any number of reasons. This year, the biggest of them is the need to keep up with the unstinting pace of technology.
The relentless lunge to the latest technology is being watched closely. However much they invest, firms cannot responsibly move as fast as tech companies – but they do have to move.
Plenty could go wrong. Conversions of this sort, new projects and procedures – such as the long-overdue overhaul of domain models, for example – and the hatching of new enterprises often mean more work for employees who are already under pressure.
“Banks are re-engineering many core processes and leveraging fintech solutions, but time to market is short,” says an op risk head at an international bank. “Agile development makes it hard for risk [teams] to catch up and ensure that risks are being properly addressed.”
But the organisational change category takes in more than the onrush of tech: changes in business strategy, teething issues with new management, shake-ups, onboardings and anything else that could send waves through a company.
When a bank shrinks instead of expanding, that also requires attention. Downsizings that put multitudes of people on the street can hollow out morale and ramp up the workloads of those still at their desks. Recently, HSBC announced it would slash 15% of its global workforce – 35,000 people. Deutsche Bank, in its restructuring effort, announced it would cut 18,000 jobs by 2022. Cost-cutting, generally a sign of lower profits, can be accompanied by reputational risk, especially when accompanied by extensive job culls.
#7 Conduct risk
Conduct risk returns to this year’s Top 10 Op Risks, although it’s never really been away. The category is an aggregation of two key subsets of the risk – mis-selling and unauthorised trading – which have appeared repeatedly in previous years.
“We still have not moved away from the number one risk: conduct,” says an op risk head at a UK bank, about the financial industry. “Conduct by its nature tends to take some time to be identified, and then often takes a long time to manifest itself in outflows from fines or restitution. You can’t rest on your laurels.”
Gauging the scale of the problem through risk modelling is notoriously hard: the seemingly sporadic nature of big conduct losses, with low levels of wearable losses punctuated by extreme instances of costly wrongdoing, makes it hard to parse datasets to deliver credible conduct value-at-risk figures.
In a recent high-profile loss, a rogue trader at a subsidiary of Mitsubishi Corporation placed a series of unauthorised trades in crude oil derivatives starting in January 2019. The trading firm discovered the positions in August – but too late. The bets had already racked up $320 million in losses.
Firms’ focus on conduct has been sharpened by the implementation of a number of regulations, among them the UK’s Senior Managers and Certification Regime, which was expanded in December to cover some 50,000 regulated firms. The UK Financial Conduct Authority disclosed in September it had a pipeline of investigations for “serious” breaches of the code.
#8 Regulatory risk
Regulatory risk slips back a few places to rank at eighth in this year’s Top 10 – a function, perhaps, of a slowdown in the printing press of rulemakings that have reshaped the post-crisis financial landscape.
The bedding down of reforms to derivatives markets, financial accounting practices, regulatory reporting and stress-testing requirements – the list goes on – doesn’t make compliance with them easy, however. Given the breadth and volume of new sets of rules, the potential for mis-steps and misinterpretation is manifest.
“Increasing regulatory and compliance requirements – in the form of both new rules and amendments to existing rulesets – as well as intense regulatory scrutiny, is a perennial challenge,” says the head of op risk at one global bank.
A time-honoured way of staying on top of such headaches is to poach those who wrote the rules: UBS hired the head of banking supervision at Switzerland’s Finma, the bank’s primary supervisor, as its head of regulatory affairs last year.
Advances in artificial intelligence represent another source of regulatory risk. Risk managers highlighted the vital importance of ensuring transparency as AI systems become more widely used. While AI involvement in decision-making increases, whether for trading or in customer-facing roles, the pressure to prove that its decisions are unbiased and well founded grows, too – even as the software, and therefore the task of explaining it, becomes more complex.
#9 Talent risk
Talent risk appears in the top 10 for the second time in three years – unwelcome evidence for banks and other financial firms of the struggle to recruit and retain the right calibre of staff and deploy them where they’re needed, in an era of dramatic headcount reductions.
As banks shed jobs, it forces them to think more about how they manage talent risk, says a global op risk head at a US bank. Operating with a leaner business model has forced his firm to recognise more quickly where it does or doesn’t have specific skill sets and juggle resources accordingly, he says. At the same time, a shift in its business mix or change in regulatory priorities can leave the firm exposed.
Within the risk function itself, the IT skills to keep up with digitalisation are in short supply, hiking the risk to banks, says one op risk head at a global bank. “Traditional ways of managing operational risk need to change, and the skills to identify and manage digital risk are still in development, but business is digitalising at a great speed,” he says.
As Basel III moves from rancorous rule-writing to full-on implementation, banks are hunting for experienced talents to lead their efforts. Bank of America, for example, recently hired one of Deutsche Bank’s most prominent risk analytics executives to lead strategic market risk regulatory programmes, such as the Fundamental Review of the Trading Book.
#10 Geopolitical risk
Surveys of this type are always in danger of being rapidly overtaken by events. In the category of geopolitical risk, that can happen before the ink is even dry.
As February drew to a close, the coronavirus left markets reeling from their worst paper losses since the crisis, with governments scrambling to formulate a cohesive response. When the survey was conducted in early January, the virus drew scarcely a mention from respondents, a handful of whom, based in the Asia-Pacific region, flagged it as a blip on the radar.
With the virus likely to contribute to a global economic slowdown, this will trigger wider operational risks – making loan fraud more likely as credit markets deteriorate, for example, or increasing cases of internal fraud as front-office staff struggle to hit targets.
Geopolitical risk continues to manifest itself in plenty of other ways, too, such as regulatory uncertainty. Brexit, which also featured in the 2019 Top 10, continues to be an important concern for the financial sector. Almost four years after the UK voted to leave the European Union, there is still no EU-UK trade deal in place, meaning a lack of clarity on equivalence between UK and EU regulators, and on the ability of UK firms to trade in the EU after full separation at the end of 2020.
Aside from whatever tariffs will eventually apply to a Brexited UK, the US government has imposed a raft of trade barriers on countries over the past three years. Survey respondents pointed out the increased compliance burden this involves, as well as the likelihood of sanctions-evading transactions. Fines for sanctions violations reached $19.9 billion between 2009 and 2019, stressing the need for effective know-your-customer procedures.
Another US election is due in November this year. The 2016 poll brought regulatory uncertainty as the two candidates differed significantly on financial regulation. And while Donald Trump is less of an unknown quantity this time around, November is likely again to present a choice between different regulatory and economic policies.
Climate change, leading the list of emerging global threats, does not appear on this year’s list of top operational risks, but has ascended to the level of a strategic risk for many institutions. Many survey respondents cited disruption from climate change protests and the credit and reputational risks of association with legacy fossil-fuel industry as concerns. The model risk involved in adapting to the new threats to lending and mortgage businesses posed by climate-related disasters such as floods and wildfires is also a worry for banks.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
You are currently unable to print this content. Please contact [email protected] to find out more.
You are currently unable to copy this content. Please contact [email protected] to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email [email protected]
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email [email protected]
The week on Risk.net, July 4-10, 2020Receive this by email