Top 10 operational risks for 2024

5. Change management

Change management is another risk reaching an unwelcome milestone this year, climbing to a record fifth place. Chief risk officers and heads of op risk at a dozen firms on the buy and sell side as well as financial market infrastructure firms cite change management as their top concern this year, ahead of seeming existential threats like cyber or geopolitical risk – a stark acknowledgement by the industry that it doesn’t always handle change well. 

“Change management has and will become increasingly complex with advancements in technology, evolving consumer demands and preferences and working in more agile operating models,” says a senior enterprise risk manager at one large US insurer. “Strategic change has become more heavily reliant on data in recent years in addition to the reliance on technology and people, which poses an increased risk to the firm.”

Taxonomy may vary – but firms are united on the need to do a better job of focusing on the consequences of operational change and managing the risks associated with it. In the latest Op Risk Benchmarking survey, eight of the 12 regional and domestic banks polled acknowledged change management as a risk consideration. 

Many banks are adapting their frameworks in response, with some moving to set risk appetite for change backed by risk metrics. Some reported establishing project review committees and increasing dedicated headcount. Several say their senior management teams – and their regulators – are taking a keen interest: five of the eight said their regulator had shown a greater focus on their ability to manage big projects during the past year. In most cases, watchdogs simply demanded enhanced reporting and monitoring – but at least one institution said it had been subject to an on-site inspection.

One driver of change compared to previous years has been the cautious adoption of AI-led solutions, with most firms exploring ways they can harness artificial intelligence to improve their internal processes and products. Many survey respondents say they are already attempting to introduce AI into their processes at the same time as other technological changes. 

An op risk manager at a US G-Sib describes the torturous process of onboarding a new trade surveillance vendor, with the added complexity that the solution promised incorporates elements of AI – necessitating a multi-year due diligence process he likens to “a game of three-dimensional chess”. 

“There is regulatory risk, functional risk, vendor risk, audit risk, coverage risk, monetary risk from regulatory fines, and reputational risk,” the manager says. “Onboarding a vendor who employs AI in this area can take 15 to 18 months, as the AI must pass through model review. I am onboarding potential vendors now for a decision that might not be made for one to two years.”

Even managing the due diligence and risk assessment aspects of change, before a decision is taken and a shift can begin, costs firms an inordinate amount, the manager adds.

Strategic change has become more heavily reliant on data in recent years in addition to the reliance on technology and people, which poses an increased risk to the firm

Senior enterprise risk manager at a large US insurer

Change can be humdrum – one respondent at a US pension plan cites replacing its portfolio accounting system in a typical example – but no less critical in the event it goes wrong. Ramifications, including reputational damage can be enormous: the botched migration of a retail banking platform at TSB left customers without access to their accounts for a week, saw the bank fined almost £50 million ($40 million) by UK regulators, impacting its profitability and capital position – and prompted the UK to become the first major jurisdiction to draft an operational resilience regime, a regulation which takes effect in 12 months’ time.

Many respondents complain current management practices around technological change often end up overwhelming business objectives, furthering delivery risks. An operational risk manager at another bank says: “We have a lot that is now driven by technology teams rather than business teams. Our technology teams sit under the chief operating officer, who is a technology person,” they say. 

Business change often entails replacing personnel. In some cases, this can reinvigorate an organisation by cutting away the so-called dead wood. The op risk manager at the US G-Sib cites the recent management changes at Citi, in which a number of long-serving employees departed the bank, as an example of painful but necessary change: “I would enter into evidence the pain being displayed over at Citi, when management becomes so thick with layers that calcification sets in until, finally, it can no longer be tolerated.”

Citi's re-org, which concluded during the first quarter of 2024, has seen the bank deduplicate management positions and cut intermediate reporting levels, with 1,500 management positions being axed – part of a broader drive to trim headcount and save a $1 billion a year in costs. The changes have been broadly welcomed by bank analysts. 

For financial market infrastructures (FMIs), managing change can have far-reaching implications for the firm’s business – whether a rolling programme of minor deployments to improve stability and functionality of core trading platforms, or an overhaul of client onboarding processes in response to regulatory change. 

The head of op risk at one European FMI worries about his firm’s “ability to deliver large external client change programmes on time, within budget and to required quality while ensuring limited operating issues for external stakeholders”.

6. Resilience risk

The era of codifying elements of business continuity and disaster recovery planning is to hit full speed in 2025. Both the EU’s Digital Operational Resilience Act and the UK’s Operational Resilience Regime are entering full force, while in the US, prudential watchdogs also said earlier this month they would consult on a more granular set of requirements. 

To be sure, there is significant category bleed here, with industry practitioners struggling to separate resilience as a risk distinct from its drivers – geopolitical, cyber and third-party, among others. “Ultimately, it is about our ability to maintain operations and recover rapidly in the event of multiple significant crises unfolding,” says the head of op risk at one US G-Sib. “What we are seeing is a higher likelihood of simultaneous macro events occurring requiring a resiliency response – eg, multiple geopolitical events: Ukraine, Middle East, US elections and so forth – occurring simultaneously, while also coping with a related or unrelated cyber attack on a third party.”

How quickly can we actually get back up? The regulator wants to know if our targets are sufficiently severe

Head of op risk at one UK bank

While the shifting threat landscape is the concern for some, the bigger change in qualitative reasons cited has been the pending final phase-in of regulators’ rulesets in 12 months’ time – after which, as one respondent frets, regulators can start issuing fines. 

Plenty are upfront about this: “The materialisation of this risk increased somewhat due to business continuity events that impacted our client services and were visible to regulators,” says a senior op risk quant at one US super-regional bank. “Risk exposure increased due to ageing technology, reliance on third parties and supply chain, increasing client and regulatory expectations, and workforce resource constraints.”

“It's the regulatory expectations more than actual risk,” agrees the head of markets operational risk at a UK bank. 

For most firms in scope, getting ready to comply with specified impact tolerances has been a multi-year journey towards maturing controls and doing a better job of endpoint management. Still, all these plans have yet to be tested in anger. “How quickly can we actually get back up?” asks the head of op risk at one UK bank. “The regulator wants to know if our targets are sufficiently severe.”

Others choose to see the positives in this codification. According to the head of op risk at one G-Sib, a focus on outcomes rather than risk drivers has helped the bank obviate unnecessary delineation of risk types. The lender increasingly looks at its various resource pillars – people, technology and third parties – responds to those exposures from a resilience perspective, and triages them appropriately.

The EU’s Dora will also be a step change for FMIs, which will designate many as critical third-party suppliers. The UK regime too will force trading and clearing providers to set impact tolerances and timed return to operations targets in the event of major outages. 

An FMI cites their concern over “potential inability to meet the UK op resilience expectations by March 2025 and to articulate consistent goals to staff and stakeholders”.

In the most recent round of Op Risk Benchmarking, all FMIs responding said their primary regulator had shown an increased interest over the past 12 months in how they manage resilience risk – the only unanimous verdict for this question across all risk types during the first three rounds of Risk.net’s survey. Besides closer monitoring, three FMIs said they had been subjected to enhanced reporting, while another said they had been requested to make enhanced disclosures, beyond the scope of the PFMIs.

On the buy side, the codification of resilience expectations has been about growing fast. 

“Meeting the operational resiliency requirements has been challenging and uplifting,” says the head of op risk at one UK insurer. “Educating the business and vendors on the discipline of ops resilience has been something that may take further time in line with the 2025 deadline. As others have observed, this discipline has highlighted various weaknesses that may have been previously okay, but [are] now something the regulator expects to be addressed.”

8. Execution and process errors

Though the financial industry has changed dramatically in the near-two decades since Risk.net began running its survey, execution and process errors have been ever-present. Firms are split, however, on whether the accompanying technological change – the electronification of almost all securities and derivatives markets, faster payments and the advent of shorter settlement cycles as well as real-time transaction monitoring – has made banks more or less safe. 

“Large cash and security movements can be made very rapidly with technology and better connectivity,” says the head of op risk at one US G-Sib. “But there are elements that remain manual, especially for non-standard events, and it remains a concern that a large unintended movement of cash or securities could put a firm at risk. In some cases, the high-speed nature of tech also facilitates high-speed propagation of errors.” 

The 2023 round of Op Risk Benchmarking highlighted methodological disparities in the industry’s approach to gauging execution errors: more regional and domestic banks said they modelled their exposure to execution errors than did a sample of G-Sibs, and used the outputs to inform capital-setting accordingly. 

As one participant in the follow-up study noted, that may be a quirk of prudential regulation. The issues that dominate op risk events in this category, such as payments that go missing, trades that are disputed or fail to reconcile, are usually resolved quickly – sometimes as soon as the next business day, with no net losses. Under the incoming Basel III prudential regime, banks will no longer be required to model near-misses – something that can give false assurance as to true risk exposure, some argue.

Conversely, for the buy side, this category can often be the biggest source of operational losses. “Execution and process error, particularly around trading activity, typically results in the most significant losses experienced by the firm year on year,” says the head of operational risk at one UK asset manager. 

In the follow-up questions to the Top 10 survey, when asked Has your organisation suffered a greater aggregate loss from this risk type over the past 12 months?, buy-side firms gave their joint third-highest risk score, behind only third-party and geopolitical risk.

Others see the consolidation of many systems, especially post-Covid, into the hands of a few vendors responsible for most firms’ IT platforms, as dramatically increasing the potential fallout when internal human management of those systems is found wanting.

“The centralisation of IT, cloudification and outdated systems increase risk; diligent monitoring and safeguarding mitigate it. Nonetheless, disruptions caused by, for example, the failure of end-to-end or user acceptance testing, human error in plugging in servers, ‘phantoms’ in the network or software are increasing,” says a senior risk manager at the Asia-Pacific subsidiary of one large European insurer. 

Managing new processes can bring with it risks, according to the UK asset manager, such as the rollout or rapid re-bucketing of investment products. He cites the need to “code new ESG-type restrictions” as having the potential to increase the risk of error for related trades. 

“Building new capabilities will mean introducing new risks into the system,” agrees the head of op risk at one UK insurer. “Training and resourcing are crucial here.”

9. External fraud

Fraud makes an unwelcome return to the top 10 this year, with survey respondents linking its rise to the development of artificial intelligence tools that can transform “smaller-dollar criminals” into “sophisticated threat actors”, as one puts it.

“There is a concern about the change in the way fraud is happening,” says a senior op risk quant at one European G-Sib. For example, generative AI tools can now create deep fakes with “ridiculous ease”, the quant adds.

The technology to create deep fakes has existed for several years, and scammers have already used it against financial firms with success. However, several large banks privately cite increasingly sophisticated attempts at penetrating their defences. 

In one notable incident last February, a multinational firm in Hong Kong suffered a $25 million fraud when scammers used deep-fake technology to impersonate a senior officer and trick a staff member to transfer funds. 

Rising fears of external fraud among the largest banks have helped propel the risk to sixth place in the top 10 for G-Sibs. Respondents cite deteriorating economic conditions and increased geopolitical risk as factors contributing to the threat of fraud.

As well as the risk of elaborate deep-fake scams and customer impersonations, financial firms are also worried about frauds that stem from internal failings such as a breakdown in financial crime detection systems.

In response, banks are deploying an old-fashioned aid: the telephone. One US super-regional has tightened up its controls so that bankers must call customers to verify transactions in person, rather than relying on email confirmations. Another survey respondent, an FMI, says staff call customers if any bank account information is to be changed. The firm also emphasises the importance of training staff to boost their awareness of developing risks such as generative AI.

Fraud is on regulators’ radars too, as recent action shows. In the UK, the Economic Crime and Corporate Transparency Act 2023 has brought an increased focus on corporates’ responsibility to handle their third parties and fraud risk. 

The UK government also published a draft amendment to the Payment Services Regulation, which will allow banks to further delay outbound payments they consider likely to be fraudulent. Tighter rules have also been proposed in the UK and Europe on refunding customers in the case of payments made by fraudsters using customer accounts. 

10. Conduct risk

History doesn’t repeat itself, but it often rhymes. The aphorism attributed to Mark Twain could also apply to banks scarred by a 15-year cycle of regulatory fines totalling at least $1 trillion for failings related to conduct and internal fraud.

The notoriously long tail of conduct risk also means cases that banks might have considered closed can resurface sometimes decades later: so it has proved for banks active in UK motor financing, as Lloyds Bank last month provisioned £450 million ($568 million) against the impact of a UK Financial Conduct Authority review of historic commissions, as well as others such as Close Brothers moving to provision for potential claims – some dating back to the era of the financial crisis. 

The case has strong echoes of the decade-long drip-drip of payment protection insurance (PPI) claims during the 2010s – something many privately complained was effectively used as a one-size tax for regulators to punish banks for a multitude of crisis-era misdeeds. Banks will be hoping the final tally doesn’t bear comparison to that episode’s £50 billion bill, which brought extra pain through Pillar 2 capital add-ons.

The macro environment is expected to remain volatile, which brings along changes to expectations from consumers and regulators. That tends to increase conduct risk

Senior op risk quant at a European G-Sib

Losses may have dipped slightly in 2023, but watchdogs such as the US Department of Justice have long memories, as the largest global banks have found in recent years. 

Cries of unfairness abound, with a senior risk manager at one large European insurer accusing their regulator of using conduct fines as “ex-post standard setting” – grave charges to lay at the door of those entrusted with ensuring the safe and smooth running of markets and protection of consumers. 

A senior op risk quant at a European G-Sib notes that mis-selling losses tend to spike during choppy markets. One reason is that customers are more likely to claim for mis-selling if a financial security or product has lost money. 

“The macro environment is expected to remain volatile, which brings along changes to expectations from consumers and regulators. That tends to increase conduct risk,” they add.

It’s not just long-tail claims: products that banks are selling now using machine learning approaches to divine customer behaviour and gain an edge in speed and pricing could find themselves in scope should regulatory attitudes change, some fret. 

“Losses in this category take a while to be identified, investigated by regulators, and penalties applied,” says a senior op risk manager at a second European G-Sib. “The underlying cause may be things like model risk, system error,” they add; but “mis-selling has the biggest impact in direct costs: fines and reputational damage. Exposure is increasing as more use is made of AI to make decisions on what products customers should be offered, at what rates.”

Many G20 jurisdictions, including the US and UK, also have government elections this year, which could result in changes in administration and policy – and regulatory attitudes, as well as government resourcing. 

On the buy side, the extension of the UK’s Consumer Duty regime last year has highlighted the levels of risk in how financial firms treat customers, says a senior risk manager at one UK insurer. For example, firms are required to ensure customers in vulnerable circumstances receive due consideration. “This feeds into customer conduct risk management,” the risk manager adds.

Methodology