Welcome to Risk.net’s annual ranking of the top op risks for 2021, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.
As in years past, there is no great secret to the methodology: Risk.net’s editorial team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.
The survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide.
As ever, Risk.net invites feedback on the guide and its contents – please send all views to tom.osborn [at] risk.net. Thank you for reading.
Profiles by Steve Marlin, James Ryder, Costas Mourselas, Karen Lai and Tom Osborn. Editing by Tom Osborn, Alex Krohn, Louise Marshall and Olesya Dmitracova.
1: IT disruption | 2: Data compromise | 3: Resilience risk | 4: Theft and fraud | 5: Third-party risk | 6: Conduct risk | 7: Regulatory risk | 8: Organisational change | 9: Geopolitical risk | 10: Employee wellbeing
1: IT disruption
Risk managers might look back on 2020 as the year in which the threat of IT disruption – an already broad remit encompassing everything from accidental systems blackouts to deliberate attacks by outside actors – exploded into millions of home offices around the globe.
The shift to remote working left financial firms more exposed than ever to cyber attacks by high-tech adversaries, backdoor threats introduced via newly critical third-party suppliers, or hackers intent on causing chaos.
Small wonder then that industry respondents ranked IT disruption their top concern once again in this year’s Top 10 op risks, and by a greater margin than previously.
While the industry surprised itself with its ability to function so effectively from home, some teething problems were inevitable. Housebound employees are intimately familiar with the turmoil created by dodgy Wi-Fi connections, a virtual private network going down at the worst possible time, or the system they are trying to remote into falling over under the sheer weight of traffic.
Meanwhile, threats such as ransomware attempts, which might be easy to manage together and dismiss in the office, took on a new, lethal credibility outside the office.
“The threat landscape from ransomware remains on the rise with threat actors looking for new ways to facilitate ransom payments, such as targeting senior management mail inboxes,” says an operational risk head at one global bank.
Perhaps more surprisingly, there were fewer operational loss events attributable to outages in 2020 compared with previous years. But high-profile tech failures at a number of banks and technology vendors and trading platforms still led to chaos in key markets such as futures and foreign exchange trading during March’s unprecedented cross-market volatility.
Of course, clients and other stakeholders rarely care what causes an outage, meaning any operational failure can also have serious reputational consequences, particularly where customer-facing systems – like banking apps or payments services – are affected.
“Say we’re putting in a bug or enhancement and it goes wrong, and as a result your systems go down. We experienced that when we implemented a new online platform a couple of years ago where it was up and down the first couple of days. You have to understand the criticality and the customer impact of any type of service disruption, whether it is fraud or cyber related or normal change management,” says an operational risk executive at a North American bank.
2: Data compromise
For those tasked with keeping track of their organisations’ sensitive data, 2021 is shaping up to be a tough year. Large numbers of staff working remotely are having to access systems via VPN, often over home wi-fi networks, which increases the opportunity for cyber breaches. With staff scattered to the four winds, managers also lack physical oversight of potential bad actors.
Throw in a steep rise in ransomware attacks and phishing reported by most respondents to this year’s survey, and it’s not hard to see why threats to information security rank a narrow second in the Top 10 op risks 2021, behind only the basic functioning of systems.
“Information security is one area where requests and demands on proving our capability is taking far more work than I thought. The rapid adoption of cloud because of Covid means you have to double down on governance and monitoring,” says the head of cyber risk at a large
At the root of most data compromise events are faulty processes and procedures. Human error can also be a factor – or, in an era when many staff are at risk of job cuts or placed on reduced hours, malfeasance.
Identity and access management are important controls in securing the IT environment, regulators have noted. Financial firms have established controls such as multi-factor authentication, and limited user privileges to enter and change critical business data, with op risk managers tasked with regularly reviewing levels of assigned access.
3: Resilience risk
Two years ago, in the course of routine business continuity planning, one of the world’s largest banks drew up a scenario in which a third of its global workforce was locked out of their offices without warning due to a pandemic.
It tore it up, dismissing it as unrealistic.
“Our planning wasn't good enough,” says a senior executive at the bank, reflecting on the real-world events of 2020. “I’ll be candid: we never thought about the global non-availability of staff to anything like this degree. We talked about it – we even looked at pandemic modelling based on World Health Organization data – but we said ‘this couldn’t happen’. We only considered the impact in very localised contexts.”
He is far from alone, of course: financial firms of all stripes and in every corner of the globe have weathered coronavirus-related tumult this year, testing their capacity to deal with challenges such as unprecedented market volatility, back-office bottlenecks and trade breaks, all while rushing to properly equip employees for long-term remote working.
Risk managers cited threats to their operational resilience so frequently, in fact, that it appears at third place in this year’s Top 10, behind only risks specifically threatening the basic functioning of systems and the security of data.
4: Theft and fraud
Even in normal times, the risk of theft and fraud is high on the priority list for banks. In the post-Covid age, the risk has intensified as it morphs into new, dangerous forms.
Pandemic-related changes to business practices and consumer habits have opened or exacerbated at least four areas of vulnerability for banks.
Government stimulus programmes have dangled juicy morsels of cash for fraudsters to target. Banks’ fraud detection systems have been thrown off kilter by the sudden shift to online banking. Criminals are taking advantage of the rise in home-working to trick consumers into transferring money to their own coffers. And with more bank staff themselves working remotely, the potential for internal misdeeds is growing.
US banking giant JP Morgan fell victim to home-grown fraud when it discovered last September that staff had siphoned off funds intended for pandemic-hit businesses into their own accounts. The funds were provided by the US government under its Economic Injury Disaster Loan programme. A small number of staff were subsequently fired, according to media reports.
“Any time you have government handouts, there’s always the possibility of fraud,” says an operational risk executive at a North American bank. “You have another round of stimulus handouts so you may see fraud related to that.” US lawmakers approved a third wave of stimulus payments to eligible individuals in late February.
5: Third-party risk
With critical support locations locked shut without warning and on-site inspections out of the question, 2020 stress-tested organisations’ reliance on outsourcing beyond any op risks manager’s worst nightmares.
And with companies facing another year of uncertainty, in which employees and suppliers are part-exiled from their offices – another year in which most firms will be dependent on a handful of vendors to provide video conferencing, remote access to servers, or cloud storage – third-party risk is set to remain top of mind for many managers through 2021.
Among the concerns of financial institutions is to assess security weaknesses of their critical service providers – or for smaller outsourced firms, even their basic financial viability.
“It has never been more crucial for operational risk managers to take account of their company’s critical and core third-party service providers,” says an operational risk executive at a North American bank. “The risk they can expose to a company and its potential impact to daily business operations has never been greater.”
6: Conduct risk
For operational risk managers, circling the trading floor, happening upon colleagues in corridors or at the coffee machine, and going to meetings have long been vital ways to spot hidden behaviours.
“By working in the office, you can pick up informal signals and signs that may point to issues,” says the head of op risk at a large international bank.
With many staff confined to their homes since the early part of 2020, that source of intelligence has been lost. So it is not surprising that in the latest Risk.net ranking of Top 10 op risks, conduct risk has moved up from the seventh-most concerning risk for op risk managers to the sixth.
At the same time as informal controls on improper behaviour – such as rogue trading and mis-selling – have been eroded, the risk of misconduct has gone up, notes a regional chief risk officer at another large international bank.
7: Regulatory risk
When supervisors intervened in markets over the past 12 months, it was more often to protect lenders than slap firms with fines: with a couple of notable exceptions, regulatory penalties in 2020 plummeted as Covid-19 spread across the globe.
Still, regulatory risk – the fear that changes to rulesets and supervisory expectations create openings for operational mis-steps, disclosure challenges, restrictions on activity or straightforward financial penalties – is never far from the thoughts of banks, which have been stung by fines and penalties totalling almost $1 trillion over the last decade.
While 2020 brought fewer losses overall from fines and penalties, there were notable exceptions: Goldman Sachs’ mega $5 billion in penalties, settlements and disgorgements for its role in the 1MDB fraud being by far the largest of these. Citi was also fined over control failures that led to the bank inadvertently wiring more than $900 million to a group of hedge funds it was involved in a lending dispute with. The bank’s chief risk officer, Brad Hu, subsequently departed.
Sea-changes in the political landscape can also lead to shifting supervisory attitudes to areas of emerging risk too – and plenty of opportunities for compliance mis-steps. In the US, for instance, regulators have thus far moved with far less speed on climate change. But recent signals suggest that this could change in the near term. In an interview in February, acting Commodity Futures Trading Commission chair Rostin Behnam indicated a more interventionist attitude to climate-financial risk within the Biden administration.
8: Organisational change
When HSBC, Europe’s largest bank, announced late last month that it planned to reduce office space by 40%, it encapsulated what the long months since the start of the coronavirus crisis have driven home to many banks: plenty of the changes to operating environments wrought by Covid will be permanent.
In an era when many customers have learned to live without being able to visit their lender’s branches, many in the industry are openly contemplating a future in which banks can be even leaner, cheaper and more resilient. That's the plan, anyway: getting there will mean an immense amount of upheaval – and plenty of opportunities for mis-steps.
Op risk managers were fretting over their firms’ responses to epochal changes impacting their operating environments well before the pandemic struck: climate change, the Libor transition, Brexit and digitalisation, to name a few. But Covid has accelerated the pace of change while proving that large organisations can be surprisingly nimble at weathering crises.
The rapid shift from on-site to work from home is an example of the need for effective change management for processes and services if it is to become permanent.
“Although the impact of Covid on operations has been well managed to date, there are risks associated with working practices over the coming year,” says an operational risk executive at a large global bank, pointing to changes in firms’ control environments that have only been patched so far as one area needing attention.
9: Geopolitical risk
Covid-19 erupted across the globe just as last year’s Top 10 operational risks survey was going to press – a pandemic few predicted the severity of, nor its long-lasting insidious effects. What followed from governments was equally unprecedented: an attempt to counteract the virus by shuttering entire economies almost overnight, and to tourniquet markets rapidly pricing in the impact with massive fiscal and monetary stimulus.
In the event, it took a Herculean effort from banks and financial firms just to keep pace with and adapt to these seismic changes to their operating environments. But perhaps greater risks lie in weaning markets off the medicine; in seeing which jurisdictions will move first to unlock their economies, following successful mass vaccination programmes; which will allow unrestricted international travel to resume – and how they’ll set out plans to unwind stimulus measures, and start paying for them in the painful years to come.
All of that seemed far off in March 2020, as central banks rushed to shore up markets that were reeling from the fallout. The US Federal Reserve, for instance, offered trillions in stimulus and monetary easing measures – but only after markets had endured a couple of weeks of unprecedented volatility, and the US Treasury market had flirted with disaster. Stimulus has also had a deeply distorting effect on price valuations: although the S&P fell 33% in March, by September it had risen even higher than pre-Covid levels.
“What is particularly troubling is that we’ve pretty much exhausted the governmental tools that we could use to solve this crisis,” says a regional chief risk officer of one Asian bank. “We can’t lower rates more – they’re at the bottom – and we can’t inject more liquidity, as that will go straight into the stock market again.”
10: Employee wellbeing
Stress. Burnout. Running on empty. Call it what you will – the financial industry faced an equally grave mental health crisis in 2020, to go with the humanitarian one playing out all around it.
The industry might have showcased its resilience with its ability to continue functioning with tens of millions of employees working from home, sometimes in makeshift offices, often competing for space and attention with children and loved ones. But for many employees, the early days and weeks of the pandemic – when markets were in freefall, control environments were being redrawn overnight and processes upended – probably felt more like a grim feat of endurance.
It’s not a working life any employer would wish on their staff. Covid anxiety has resulted in an “unravelling” of productivity, focus and morale at times, says the regional chief risk officer of one global lender – all of which can lead to employees making mistakes. The physical and mental wellbeing of his staff has become his top concern for the year ahead, he says.
“As a company, we are limited as to what we can do to mitigate this risk, which is why I think it's even a bigger risk than others, because we have limited powers to [manage] this. I can't go to the government and say, ‘please reopen the borders, because my staff needs to get out there and travel, they need to meet their family’.”
Copyright Infopro Digital Limited. All rights reserved.