In a series of interviews that took place in November and December 2016, Risk.net spoke to chief risk officers, heads of operational risk and other op risk practitioners at financial services firms, including banks, insurers and asset managers. Based on the op risk concerns most frequently selected by those practitioners, we present our ranking of the top 10 operational risks for 2017.
#1 Cyber risk and data security | #2 Regulation | #3 Outsourcing | #4 Geopolitical risk | #5 Conduct risk | #6 Organisational change | #7 IT failure | #8 AML, CTF and sanctions compliance | #9 Fraud | #10 Physical attack
An overwhelming number of risk managers ranked the threat from cyber attacks as their top operational risk for 2017 – the second year in a row it has topped the rankings, this year by an even larger margin.
And this is no surprise as the threat from cyber attacks is not only growing, but also mutating into new and insidious forms, say risk practitioners.
From the Bangladesh Bank heist back in February – which saw hackers exploit vulnerabilities in the Swift financial communications network to steal $81 million from accounts belonging to the central bank – to November's theft of £2.5 million ($3.1 million) from 9,000 Tesco Bank customers' accounts following a data breach, the threat from cyber attacks was ever-present over the past year.
As if the reputational damage alone weren't enough to spur banks into action, the threat of action from regulators for firms whose cyber resiliency isn't up to scratch probably will be. In September 2016, the UK Financial Conduct Authority revealed that the number of reported incidents of cyber crimes at firms under its jurisdiction had jumped to 75 for the year to date, from just five in 2014. That followed comments from the regulator at June's Cyber Risk Europe conference that it would be challenging firms more regularly on cyber security going forward.
Under the European Union's forthcoming General Data Protection Regulation (GDPR), which comes into force in May 2018, financial organisations face eye-watering fines of up to 4% of their global annual turnover for data privacy breaches. If GDPR were in force now, Tesco Bank's fine for its data breach could have been as high as £1.9 billion, according to some estimates.
The source of potential cyber threats is hard to pin down, say banks, making building appropriate controls a serious challenge, and attacks nearly impossible to avoid.
According to the head of operational risk at one large European bank: "There are three categories of people that carry out cyber attacks. There's the guy that's sitting alone in his bedroom doing it; there are organised groups doing it; and there are governments doing it."
Cyber criminals do not discriminate between organisations based on their size and location, but the financial sector enjoys the dubious privilege of being one of the most targeted industries, alongside healthcare. Organisations would do well to spend more time defining their risk appetite instead of trying to ensure their systems are impenetrable, practitioners counsel.
Rajat Baijal, head of enterprise risk at BGC and Cantor Fitzgerald:
"Cyber risk will stay pertinent for a while. What I find quite fascinating about cyber risk is the sheer pace of change: recent events suggest that the hackers are one step ahead of the banks in this rapidly evolving space. Given the uncertainties, firms may choose to strike a balance between actively managing the risk by investing in suitable resource and infrastructure, and accepting or transferring the risk by buying a suitable insurance policy for example. This balance between managing and accepting and transferring the risk will vary across firms, and should be a key part of defining the firm's risk appetite."
Stephanie Snyder, senior vice president, Aon professional risk solutions:
"We talk about the evolving nature of cyber risk, which is only going to increase with the Internet of Things and additional automation. I believe that, as we move into 2017, we're going to start seeing more cyber-related business interruption losses; you're not going to read about them in the press, but every organisation that runs off of a technology infrastructure – which is, really, every organisation – is going to be impacted."
Jonathan Wyatt, global lead of IT governance and risk management, Protiviti:
"What a cyber strategy should really be doing is not trying to prevent the attack – because that is very difficult – but trying to manage the outcome. The problem we have with cyber is most people in financial services are not doing it this way. They're not stepping back and thinking about outcomes, risk appetite and what they do; they're throwing money at it, trying to make the door more secure – but there are still plenty of people who know how to open the door. When you get techies talking to board executives about threats, vulnerabilities, weaknesses, the dialogue breaks down."
To many op risk practitioners, the landmark regulations of the post-crisis era – the overhaul of the capital adequacy framework, widespread market structure reforms, far-reaching changes to accounting practices – represent a laundry list of potential operational risks for their institution.
Fines and penalties for noncompliance, the restructuring of desks and operations and the shuttering of businesses all present complex and hard-to-model threats. In the US, the Dodd-Frank Act alone – irrespective of President Trump's promise to expunge it – has produced thousands of pages of rulemakings from prudential and markets regulators, covering everything from stress testing to clearing, trade execution to hedge fund reporting.
Closer to home for op risk professionals, the Basel Committee on Banking Supervision's proposal to replace the advanced measurement approach (AMA) for modelling operational risk is already presenting all manner of issues.
By requiring firms to hold the same amounts of operational risk capital against all forms of business, regulators are encouraging firms to enter businesses that exclusively expose themselves to operational risks to maximise their return on equity, argue op risk practitioners.
"Operational risk seems to be the one that's causing regulators the most concern; they struggle with it," says the head of operational risk at an international bank in London. "There is a danger they will push something through in order to get [the Basel IV agenda] out at the same time. As the SMA proposal stands now, it will have a huge impact on operational risk capital, and group heads are committed to not having an increase in capital overall – so it will be interesting to see where that all comes out."
Fenton Aylmer, operational risk management lead for business practices and conduct, Citi:
"All the rules and regulations since the financial crisis make us need to be very quick in our adoption and interpretation. It doesn't give us a lot of time to react. Because there are so many people that need to be informed, appropriate and relevant awareness and education programmes are critical. We need to make sure that each of our employees is fully aware of their roles and responsibilities, as well as the ethical repercussions that are associated with these rules. That creates a challenge to ensure that we have proper business practices around each product that we launch so we fully address the client's needs and don't end up on the wrong side of regulatory surveillance."
Senior op risk manager at a London-based bank:
"Regulatory change has been a constant for a number of years, and it should be the number one risk in any organisation. With change comes elevated operational risk that needs to be appropriately managed. The challenges faced by banks, especially internationally active ones, are keeping up with the global change agenda and understanding the interlinkage of regulatory changes across jurisdictions."
Industry consultant and former head of op risk:
"Given the backdrop of a series of financial scandals, global regulators have used the stick of fines and sanctions to bring more order. There is a danger that these will become more and more punitive, such that it will be difficult for firms to recover."
Zahra Al Halwachi, operational risk manager, Mashreq Bank:
"Regulations are changing frequently, which for banks with international branches may result in fines and penalties if not implemented [properly]. And they are becoming more complex as well."
Outsourcing makes it into our top three operational risks this year, spurred by a clear message from regulators that firms must improve oversight of third-party risk management, or else face punitive sanctions.
Aviva provided one of the highest-profile examples of last year. In October 2016, the firm was hit with an £8.2 million fine from the UK Financial Conduct Authority for failure to ensure adequate controls and oversight of outsourced client money handling arrangements.
The size of the penalty, combined with the undesirable publicity the case attracted, caused alarm for many op risk practitioners, and emphasised that regulators are actively hunting for breaches.
Under the EU's forthcoming GDPR legislation (see Cyber segment), financial organisations must review their existing outsourcing arrangements to ensure they don't face eye-watering fines – even if the failures are those of third-party service providers.
GDPR compliance will represent a significant burden, managers say. Banks will need to know exactly where their customer data is held at all times, and be able to present this data on demand in a portable format. That will require a thorough understanding of a complex web of relationships with various outsourcers, practitioners say.
Steve Holt, financial services partner, EY:
"Many companies are only worried about the top 10% of outsourced arrangements – the ones that they spend most money on. That's not necessarily reflective of their risk profile; you may be spending millions with a global outsourcer, but it may be a small outsourcer with not-very-mature controls that's holding some key customer personal data where you suffer a loss... In many cases, outsourcing providers actually outsource to other organisations, so it becomes a massively complex ecosystem. [But] financial services firms still have overall responsibility for ensuring that the data is controlled and secure. This is a key requirement of the GDPR."
Simon Ashby, associate professor of financial services, Plymouth Business School:
"In general, outsourcing is not necessarily cheaper – plus there are downsides. Reputational risk is definitely one of the key risks; service delivery, quality, continuity of service are others. Another key risk is, if there is a big disruption to services – say your outsourcing company goes bankrupt or there's another major business continuity effect – can you bring that activity back in house and can you do it quickly?"
The election of Donald Trump as US president, along with the UK's shock vote to withdraw from the European Union, has pushed geopolitical risk into the top 10 this year, rocketing all the way to number four.
The prospect of a so-called hard Brexit, including a departure from the European single market, as outlined in UK prime minister Theresa May's January 17 speech, will have serious implications for the financial services industry, with London home to the European headquarters of most of the world's top banking, insurance and asset management companies.
Banks are expected to start moving staff out of London in 2017. Those plans are unlikely to be reversed even if the UK secures favourable access to the European single market, say op risk practitioners. The consequences could be as painful as they are idiosyncratic; witness fears of a politically motivated attempt by European legislators to forcibly relocate euro clearing to the eurozone, the cost of which could be as high as $100 billion in additional margin requirements for banks and their clients.
Banks with relatively small operations inside the eurozone, such as the Japanese banks, are likely to bear the heaviest fallout from Brexit. But even banks with large eurozone operations will be exposed to increased local market regulator risks, such as not being allowed to ramp up derivatives trading within a given jurisdiction.
In addition to its direct costs, Brexit – because it will occur against a backdrop of significant economic, regulatory and business change – could indirectly exacerbate other operational risks such as outsourcing (#3), organisational and business change (#6), regulation (#2), and conduct risk (#5). For example, the need to form new supplier relationships rapidly opens banks up to heightened outsourcing risk, say practitioners.
In the US meanwhile, the Trump administration's likely rollback of financial legislation could create its own risks, risk managers warn. There is also widespread speculation that supranational regulatory commitments, in particular the package of prudential reforms collectively dubbed Basel IV, could now be revisited, creating further uncertainty for banks.
Regulatory capital requirements for political risk differ across jurisdictions: European banks that rely on Basel III's advanced approaches for calculating risk-based capital typically set aside capital against political risk.
Senior bank op risk manager:
"Excluding the biggest overall risk for banks – the changing environment in the financial industry itself – as a strategic risk, the biggest remaining risk results from our rapidly changing world order and its implications for the financial sector. No banking group can be sure that an investment or market entry into foreign countries that makes sense at the moment will not backfire in a couple of years. To ignore this reality and not think about possible scenarios might prove very costly for international banks in the upcoming years."
Ariane Chapelle, director at Chapelle Consulting:
"Brexit will likely be an important cause of uncertainty, loss of business, third-party risk, relocation risk and project management risk, caused by uncertainty and unfamiliarity with new processes."
At first glance, 2016 was fairly unremarkable from the point of view of conduct risk, with a lack of newly uncovered high-profile instances of wrongdoing perhaps serving to push it further down practitioners' list of worries, from #2 last year to #5 this year.
But an absence of recent incidents doesn't indicate that the risk to an organisation from misconduct has decreased, say managers; quite the contrary. In the UK, the Senior Managers Regime (SMR), which came into force in March, seeks to codify a culture of personal responsibility for risk managers, with individuals who fulfil certain designated control functions now personally liable for various forms of misconduct.
Under the US Dodd-Frank Act, individuals whose input helps the Securities and Exchange Commission (SEC) take successful enforcement action against wrongdoers are entitled to a reward of up to 30% of the fine imposed on an organisation. Since the legislation came into force, the SEC has levied more than $500 million in misconduct-related fines.
Nick Leeson, speaking at the Risk South Africa conference in March:
"Risk managers have to take more on. If a risk manager doesn't understand the trade a star trader is trying to put on, there has to be a way of stopping them. Someone on the risk committee has to say they fully understand it, and that they're going to take responsibility for it. To this day, a lot of traders are still able to railroad certain trades through. Until that changes, there will always be a problem."
Paul Fisher, Bank of England:
"[The SMR's] purpose is to make it clear who is accountable for what within a firm. The foremost objective of that is not so we know who to punish when things go wrong. It is to make sure someone is taking full responsibility for the right outcomes so misbehaviour becomes very much rarer."
Organisational change comes in many forms. But whether prompted by regulation, technological change or a corporate restructuring, the result is always upheaval, and enforced changes to op risk frameworks to cope with new and often idiosyncratic sources of risk.
The convoluted changes to desk structures and internal risk transfer processes that banks will be forced to enact under the Basel Committee on Banking Supervision's revised market risk capital framework are one of the highest-profile instances of forced organisational change affecting banks' front-office businesses at the moment.
The fear of not being able to adapt a business model to technological change haunts many companies. From Kodak and Blockbuster to Blackberry, many once-prosperous firms have been sidelined by more tech-savvy and customer-focused competitors.
The past year in finance has seen technological innovations that present big opportunities as well as threats to many of the existing financial organisations. A 2016 report from Capgemini showed that, although 96% of banking executives agree that the industry is moving towards a digital banking ecosystem, only 13% have the systems in place to keep up with it.
Jodi Richard, chief operational risk officer at US Bank:
"The evolution we're seeing in a lot of new systems and technologies being implemented means it's difficult to stay on top of innovation and fintech, as well as just general technologies advancing. So changing that technology demands change management, and redesigning processes and controls in other spaces. That's the core of operational risk there: it's process and systems, and staying on top of the changes in that space."
Head of operational risk at a European bank:
"Digitisation, fintech, blockchain – all these developments are really threatening banks' business models. But whether you see them as an operational risk is moot; I would see them as a strategic development that banks need to adapt to. But you cannot leave it out of an op risk framework."
Unlike cyber crime, IT failure involves fewer unknown variables. For that reason, it is perhaps perceived as more manageable by op risk practitioners; but its impact can be just as debilitating.
Cloud computing was flagged by many respondents to this year's survey as one of the most important technological trends in 2017. But as well as its advantages in terms of flexibility and cost-effectiveness, it is prone to outages, with undesirable consequences potentially including financial losses and damaged relationships with clients.
Amazon Web Services – now used by many banks for additional processing capacity, as well as for data storage – experienced a disruption in services in Sydney in June 2016, causing multiple websites and online services reliant on the platform to shut down, affecting everything from banking services to pizza deliveries.
At the beginning of 2016, HSBC suffered a two-day service outage during which millions of retail customers were unable to access their accounts. That wasn't the only IT failure to hit the bank in the last couple of years: in 2015 its electronic payment system experienced disruptions affecting thousands of clients just before a UK bank holiday weekend.
Head of operational risk at a European bank:
"[The impact of IT failure] can be big, not just in terms of direct losses but also indirect losses, like losing a lot of customers. Many banks, not in Europe but in Asia, are already talking about cloud solution storing. I can't assess right now how [disruptions] might affect the business, but I think in terms of mobility of clients, this could be severe."
Tighter anti-money laundering (AML) controls and efforts to prevent transactions with internationally sanctioned entities have been a priority of regulators around the world in recent years, nowhere more so than in the US.
In guidance issued in October 2016, the US Office of the Comptroller of the Currency said banks should have processes for periodic risk re-evaluations and account decisions which address a bank's risk appetite for the level of Bank Secrecy Act (BSA) and AML compliance risk it is willing to accept and can effectively manage. Banks should provide for an assessment of the implications of account closure on managing overall exposure to BSA/AML compliance risk that is consistent with the bank's articulated risk appetite.
For lenders that provide banking services across multiple jurisdictions, that's easier said than done, say practitioners.
"Increasing global cross-border banking activities, real-time speed of financial transactions, and sophistication of technology provide alternative means and opportunity for various manifestations of financial crimes, including AML," says the head of op risk at a US financial institution.
Bradley Bennett, Financial Industry Regulatory Authority, speaking in April 2016 at an industry AML conference:
"You need to know your customers. You need to conduct due diligence on the securities you're selling. You need to tailor your programme to the risks inherent in your business model. You need to test your programme, and make updates as your business changes or expands. You need to be sure your employees are trained, especially when you have new business lines. You need to make sure you have good supervisory systems when you do high-risk business like micro-caps."
Maria Vullo, New York State Department of Financial Services' superintendent, welcomes the state's new anti-terrorism transaction monitoring and filtering programme regulation:
"This regulation represents an important milestone in DFS's long-standing mission to improve and strengthen BSA and AML compliance among New York's financial institutions and make certain that banks are not being used to help finance terrorism and other illegal activities. DFS will continue its mission to protect the integrity of New York's financial system and will continue to take necessary enforcement action to protect against illicit activities."
The threat from internal fraud can be as pernicious as that from external actors, as Wells Fargo found out the hard way last year. Though the $187.5 million in penalties and restitution the bank incurred for fabricating customer approval to open checking and credit card accounts in order to meet sales targets might barely dent its bottom line, the blow to its reputation was far more serious.
The US Office of the Comptroller of the Currency (OCC) has identified internal control weaknesses, such as the lack of an effective audit programme, as common deficiencies in many banks. Even though reliance on strong internal controls has never been more critical, its supervisory examinations indicate weakness in audit coverage and other internal controls in some banks.
"Internal and external fraud, which the OCC views as increasing, generally results in operational losses," says Beth Dugan, deputy comptroller for operational risk at the OCC in Washington, DC. "A strong internal control system can help a bank avoid fraud and unintentional errors. Industry trends show that internal control weakness can lead to increased levels of fraud related losses and longer times for fraud identification."
Pressure to achieve sales targets or investor expectations can cause otherwise conscientious employees to act in a way that is ethically or morally wrong, say practitioners. The chief executive of peer-to-peer lending company Lending Club, for example, was forced out in May amid allegations the company had altered the dates on some of its loans to satisfy criteria that allowed it to securitise them.
The threat from external actors – some sophisticated, some dull but malignant – is growing too, say risk managers.
"We continue to see bad actors developing new schemes and fraudulent techniques," says the head of operational risk at a US bank. "We've seen widespread fraud targeting credit card accounts; now we're seeing the same thing happen in payments. It's a matter of trying to remain a step ahead of bad actors. When the fraud event happens at another entity, like a store or a hotel chain, it's a fraud event at our bank, because now the criminals have access to credit card data and account numbers."
Rajat Baijal, head of enterprise risk, BGC and Cantor Fitzgerald:
"Banks are having to make strategic changes as a result of falling volumes, which puts additional pressure on the front office. This could further aggravate the risk of market manipulation, fraud and collusion with external third parties, as traders strive to meet aggressive targets."
Zahra Al Halwachi, operational risk manager, Mashreq Bank:
"Frauds internally and externally are critical risks to any organisation. Controls and measures need to be put in place to overcome these types of risk."
Physical attack, often in the form of terrorism, has fallen one place in our annual survey, from #9 to #10, possibly reflecting a modest reduction in the global incidence of terrorist activity since 2015, according to research. Despite this, the risk to financial services companies of terrorist attack is an ongoing concern for op risk professionals, making protection of employees, customers and buildings a high priority.
As the incidents in the European cities of Nice and Berlin last year demonstrate, the threat from attacks carried out by a few individuals and requiring little planning can be as devastating as well-financed, state-sponsored acts of terrorism.
Lenders are taking action: US Bank plans to introduce a new mobile app to aid crisis communication, and more frequent compulsory staff training programmes. As well as terrorism, the effort will help it prepare for other violent disruptions – for instance, the possibility of sabotage by disgruntled employees, or widespread civil disobedience.
"We are assessing physical security of our people and our buildings in response to domestic and international terrorist attacks. The risk of increasing terrorist attacks impacts our physical security preparedness as well as our business continuity preparedness," says Jodi Richard, head of op risk at US Bank in Minneapolis.
A recent study from the Institute for Economics and Peace put the cost of terrorism to the global economy at $89.6 billion in 2015 – the second-highest level since 2000. Over the last 15 years, the economic and opportunity costs arising from terrorism have increased roughly eleven-fold, it estimates.
Industry consultant and former op risk manager:
"A physical terrorist attack is feasible as many capital cities remain on high alert. Should such an attack include the use of biological or chemical components, whole areas or cities could become 'no-go' areas, leaving companies at the mercy of their distributed business continuity plans, which in turn might be rendered obsolete if the city's infrastructure is affected also."