TOP 10 OP RISKS 2020 - RISK.NET MARCH 2020 RISK MANAGEMENT DERIVATIVES REGULATION - BAKER MCKENZIE
Top 10 op risks 2020
The biggest operational risks for 2020, as chosen by industry practitioners
Supported by Baker McKenzie

Contents

Top 10 op risks 2020 (page 2)
01 IT disruption (page 3): Risk of downed systems, from hack or outage, continues to make op risk managers fret
02 Data compromise (page 4): Hackers, thieves and wobbly in-house data management keep this category near the top of the list
03 Theft and fraud (page 5): From mega loan fraud to canteen theft, the danger is ever present
04 Outsourcing & third-party risk (page 6): Respondents worry about risks stemming from an opaque web of vendors with poor controls
05 Resilience risk (page 8): In an entwined financial system, an outage at one bank can reverberate through many more
06 Organisational change (page 9): New tech has created a perennial state of flux in banking, as other kinds of shake-ups continue
07 Conduct risk (page 10): Root-and-branch reform of bank culture remains a work in progress
08 Regulatory risk (page 11): New technology and reams of red tape make non-compliance fines more likely
09 Talent risk (page 12): Firms struggle to reduce headcount and fill gaps without cutting corners
10 Geopolitical risk (page 13): Nationalism, trade wars and epidemics make for a heady cocktail
Sponsored feature (page 14): Adapting to technological change in op risk management. Baker McKenzie’s Jonathan Peddie explains how the role of operational risk manager has evolved in recent years, how financial firms are managing increasing demand for data privacy and transparency, and how technological advancements over the coming decade will change operational risk and its prevention
Sponsored feature (page 16): A growing focus on op risk. Operational risk and resilience have taken centre stage over the past year. While op risk concerns all systems and controls that deliver effective solutions against the risks financial services businesses regularly face, Jonathan Peddie, partner at Baker McKenzie and chair of its Financial Institutions industry group, explores those that concern IT and outsourcing-related failures

risk.net 1
Top 10 op risks 2020
The biggest operational risks for 2020, as chosen by industry practitioners.
By Tom Osborn. Profiles by Costas Mourselas, Steve Marlin, James Ryder, Alexander Campbell and Aileen Chuang.

Welcome to Risk.net’s annual ranking of the top op risks for 2020, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.

As in years past, there’s no great secret to the methodology: Risk.net’s team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.

As before, the survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide.

For a note on the impact of the coronavirus, see the final chapter, geopolitical risk.

Risk.net invites feedback on the guide – please email tom.osborn@infopro-digital.com with any views.

A. Top 10 operational risks 2020 (with 2019 rank)
#1 IT disruption (2019: #2)
#2 Data compromise (2019: #1)
#3 Theft and fraud (2019: #5)
#4 Outsourcing & third-party risk (2019: #6)
#5 Resilience risk (new entry)
#6 Organisational change (2019: #4)
#7 Conduct risk (2019: #10)
#8 Regulatory risk (2019: #7)
#9 Talent risk (re-entry)
#10 Geopolitical risk (re-entry)
01 IT disruption
Risk of downed systems, from hack or outage, continues to make op risk managers fret

When bank customers are suddenly unable to access their money because of a paralysing cyber attack or a critical IT systems failure, the consequences for bank profitability and reputation are clear.

Respondents to this year’s Risk.net survey of top op risks report a two-pronged risk to systems and IT operations. First, the threat from hostile hacking groups and even nation states laying siege to a bank’s defences: breach attempts only have to be successful once to sow widespread chaos. Second, banks must upgrade or patch ageing IT systems to stay competitive, and in doing so they can expose themselves to cyber attacks or good old-fashioned outages.

“Whenever I talk to my cyber guys, they say the threats are evolving, becoming more clear about where they target,” says the group head of operational risk at a European bank.

“Cyber attacks lead to significant reputational damage, particularly from retail customers,” says the head of operational risk at another European bank.

In this year’s survey, IT failure has been considered alongside IT disruption, where last year the categories were considered separately. Although the drivers and risk management of the issues are very different, the consequences – the loss of critical services leading to parts or all of an organisation being unable to function – end up looking much the same.

Both concerns also feed into resilience risk, which considers the consequences of an outage or failure in the context of changing regulatory expectations around how and when a firm can return to operations, as well as the consequences of that outage for other firms that depend upon its services, and the role it plays within the financial system as a whole. IT failure specifically addresses the opportunity cost of failing to do business and the consequences, including permanent damage to a firm’s reputation, which can last well into the future.

In the US, the FBI’s internet crime complaint centre recorded 467,361 complaints in 2019 leading to losses of $3.5 billion, up from 351,937 complaints in 2018 for losses of $2.7 billion.

The hacking of retail foreign exchange services provider Travelex in December highlighted the grave risks posed by well-executed cyber attacks. The firm was forced to shut down its online currency services for several weeks, with client services by HSBC, Royal Bank of Scotland, Lloyds and Barclays all affected.

The Travelex incident shows how an outage at one firm can affect business operations at others. A bigger fear is for a cyber attack to spread to the IT systems of multiple connected banks, as a February report by the European Systemic Risk Board shows.

The ESRB, like the Federal Reserve Bank of New York, argues that systemic risk can emerge when an outage turns into a liquidity crisis, shattering confidence in the financial system. A smaller-scale but carefully targeted cyber attack could therefore have widespread implications for markets. For example, if a global systemically important bank was unable to process outgoing payments, other banks would fall below their normal reserve levels. Another target could be systemically important financial market infrastructure providers (FMIs) such as clearing houses and settlement providers, on which the functioning of many markets depends.

The chief risk officer of one of the largest FMIs tells Risk.net he spends most of his time worrying about non-default risks, and that he’s “particularly worried” about risks stemming from cyber attacks.

Several survey respondents linked geopolitical instability to the heightened risk of cyber attack. For example, the US administration’s sanctions regime has spurred target countries to respond with cyber crime, says Richard Jacobs, the assistant special agent in charge of the counterintelligence cyber division at the FBI.

“There are countries that are very strapped financially as a result of sanctions,” he said during

[Figure 1: Internet crime reports received by FBI, 2015–2019. Bars: loss amount ($bn, rounded to nearest million); line: number of complaints (000s). Source: FBI]
01 IT disruption (continued)

a speech at the Risk USA conference in November. “And they are literally engaging in massive cyber crime similar to any financially motivated criminal: for money, and that is to fund their coffers. We’re dealing with a lot of very sophisticated actors conducting cyber crime on behalf of government entities for that purpose.”

IT failure

However, systems collapses don’t have to come from cyber criminals: human error and outmoded hardware and software can pose as great a threat.

Hong Kong Exchange had to freeze futures trading in September from 2pm until the following day because of a software bug. The inability to continue supplying data related to futures meant issuers struggled to price its most popular retail derivatives contracts, significantly impeding hedging activity.

Several clearing houses last year suffered minor operational failures, but critics point out that there isn’t a standardised framework for recording these outages. As a result, certain failures may not be reported and known by the market.

Research published in the Journal of Operational Risk last year argued that cyber risk modelling needed significant improvement. Of 341 loss events from 2009 to 2017 recorded by ORX News, only 103 provided data on the size of the loss.

Separately, respondents refer to ongoing digitalisation efforts by many large banks, and highlight that the process of change can result in outages or expose critical flaws. These changes can include adapting to artificial intelligence and blockchain solutions, or overhauling the retail-facing online business of the bank.

One former chief information security officer at a large financial institution says challenger banks have a significant advantage over modern ones when it comes to IT disruption risk, as they have been able to construct the bank on more modern, robust systems.

“Our outward-facing platform for retail customers, including the mobile app, looks great,” says the head of operational risk at the European bank. “However, there is a lot of underlying legacy infrastructure that is a work in progress. There are vulnerabilities there, and that’s our main concern.”

Social media, too, can amplify issues in the eyes of customers and turn a minor outage into a PR nightmare.

“We have seen some banking platforms go down for an hour, and retail clients are very quick to revert to social media without going straight to the bank,” says Shresti Bijou, group head of operational risk management at South Africa’s FirstRand. “It’s no longer just how long the outage is, but also very much how the public perceives the outage. Banks have to respond very quickly, and in a way that does not open them up to liability.”

In the face of increasingly sophisticated cyber attacks, the US Federal Reserve is mulling whether to compel financial firms to submit data on cyber incidents. Banks have traditionally been nervous about sharing information about cyber threats, and sources worry that information could leak out, painting a bullseye on other firms.

“If you are part of a closed group and nothing leaks out, that would be hugely beneficial,” says Andrew Sheen, a consultant and former operational risk executive at Credit Suisse. When information leaks, “cyber criminals just move on to someone else”.

But one senior op risk manager suggests that sharing as much information as possible is the right approach.

“We have constant discussions with other banks on industry committees because we really believe that to mitigate cyber risk, there is no point taking a siloed approach,” the manager says. “It’s a severe risk that the industry as a whole faces.”

02 Data compromise
Hackers, thieves and wobbly in-house data management keep this category near the top of the list

Sitting atop a trove of personal data, banks make tempting targets for hackers looking to make mischief, criminal rings out to collar data for cash, even cyber terrorists bent on holding banks to ransom.

While the operations and reputation of any bank hinge on accurate and secure data, the possibility of breaches, disclosure or destruction of information seems to be growing. A handful of expensive and embarrassing incidents in the past year highlight the threat, with assailants relentlessly probing for chinks in bank cyber defences.

“The threats continue to evolve. You have an increased need to be in front of it,” says an operational risk executive at a large North American bank. “We saw the big Capital One breach, so it’s certainly not going away.”

Last July, Capital One, the US credit card giant, said a hacker had penetrated the bank’s firewall and got hold of the personal data of 100 million credit card applicants as well as 140,000 social security numbers and 80,000 bank account numbers of existing credit card customers. The incident would cost Capital One as much as $150 million in customer notifications, legal fees and technology upgrades, it said.

In this year’s Top 10, data management, a discrete category in previous top 10 lists, has been folded into data compromise to form a single topic. Although the causes and preventions are different – one requires protecting a firm’s data from external malicious attack, the other the risks of mismanaging or mislaying data internally – the financial and reputational harm can be the same. Last year, data management was eighth on the list.

Banks face an uphill battle in protecting their data. In a March 2019 report, cloud security provider Carbon Black said 67% of surveyed financial institutions had reported an increase in cyber attacks in the previous 12 months, and 26% had been targeted by “destructive” cyber incidents, that is, intrusions that destroyed data.

Several factors are at play. The sophistication of attackers is on the rise. Some may be part of state-sponsored cyber terrorism rings, which become more volatile in uncertain global times. Others are ordinary criminals seeking to peddle the information for profit.
02 Data compromise (continued)

“What I really worry about is someone taking critical customer data and putting it on the dark web,” says an operational risk executive at a North American bank. Some banks have proactively sent ethical hackers on to the dark web to detect attacks and assess threats.

At the North American bank, the approach to preventing breaches is twofold: it has put in place advanced controls on the most sensitive data and is educating employees on good practices, some as basic as how to recognise phishing to keeping up with the latest software patches. The bank has also begun monitoring employees with access to critical data, including central IT teams.

Not all intrusions are virtual, and some are inside jobs. Just last month, Fifth Third Bank said several former employees had manually stolen the information of around 100 customers and shared it with a fraud ring. The bank underscored that the theft was not a cyber breach, “but rather an orchestrated effort by a small group of employees to steal personal information”.

In yet another old-school theft, last September Allianz Global Assistance, the travel insurance arm of Allianz, said a safe containing backup magnetic tapes was stolen. Initially, the insurer said 260,000 customers who had purchased roadside assistance had been affected, but it later emerged that more than 2 million customers who had purchased assistance indirectly through car manufacturers were also exposed.

The other side of data compromise is in-house management. Last year, UK authorities fined Goldman Sachs and UBS millions for transaction reporting lapses, while Citi was penalised in the US for prudential reporting lapses. Data mismanagement underpinned all these cases.

“Fines tend to be imposed for repeated and systemic failures. To avoid being fined, banks need to periodically test that their reporting logic is correct and that trades are correctly flagged and that all relevant trades are flowing into their reporting engines,” says an op risk executive at a global bank.

The fines for UBS and Goldman were for legacy issues under Mifid I, which was supplanted in 2018 by Mifid II, which banks claim is unduly burdensome. They are lobbying for revisions in the European Union’s targeted review, such as altering the scope of transparency for over-the-counter derivatives and addressing the delays applied to some types of trade reporting.

“Trade and transaction reporting is one of our biggest risks,” says an operational risk executive at a North American brokerage. “It’s something we actively manage through the RCSA [risk control self-assessment] process. We’ve invested to beef up that process.”

Yet another aspect of data management is adherence to the Basel Committee’s principles on risk data aggregation and risk reporting, BCBS 239. Originally conceived as a framework for internal reporting, BCBS 239 is increasingly being applied by regulators to assess the adequacy of regulatory reporting, and in some cases they have fined banks for lapses.

The financial industry appears to be getting the message, with companies investing heavily in cleaning up data that is likely to be modified over the course of time.

“We are maintaining our vigilance around data quality, ensuring clear data element owners, lineage and data tracing,” says the head of operational risk at a financial markets utility. “Historical data on legacy systems or in central hubs can increase the risk of cyber threats or data compromise.”

Banks are still struggling with technical aspects of BCBS 239 though, according to a study in the Journal of Risk Model Validation. Surveying 29 banks, the study concluded that banks need to make improvements in four areas: master data management, audit trail, metadata management and data validation. It also found that external contractors working on model development, backtesting or any other projects that require the use of data were the primary source of problems in the audit trail.

03 Theft and fraud
From mega loan fraud to canteen theft, the danger is ever present

Theft and fraud jumps to third in this year’s survey – a sign of both its ubiquity for financial institutions of all types, from the largest global lenders to eight-person hedge funds, and likely a function of its role in five of the 10 largest reported operational risk losses of 2019.

Professionals surveyed by Risk.net this year highlighted a wide range of factors behind the rise: technological innovation, fast-changing regulatory expectations and rising institutional complexity. The category is also a broad one, encompassing a variety of crimes.

Many of the most severe frauds reported last year, particularly in emerging markets, bore a similar characteristic: namely, the help of an inside operative working for a bank. That leads one respondent to dub this simply “insider risk”. It was also the case for 2018’s biggest fraud loss – an eye-watering $12 billion hit for Chinese insurer Anbang.

Internal fraud incidents can also have a long tail. Wells Fargo’s legacy losses relating to its ‘ghost account’ fraud scandal also increased throughout 2019, with the total bill for settlements and restitutions already topping several billion dollars and counting – not to mention the long-term impact on the bank’s op risk capital requirements.

While the march of progress may produce all sorts of convoluted, tech-centric crime, naturally theft and fraud can still take place in a more mundane fashion. Earlier this month, Citi was widely reported to have suspended a senior bond trader after he was accused of stealing food from the firm’s canteen in London.
03 Theft and fraud (continued)

The increasing ease with which low-level crimes can be orchestrated is helping to keep the category firmly on the radar of risk professionals. One senior op risk professional cited concerns over the profusion of “information available to fraudsters from ongoing data breaches” amid the “rapid pace of digital innovation and instant money movement”. Data theft is a reliably high-ranking risk in itself, and a serious breach can lead to spiralling losses as financial criminals put the stolen information to use. Often, the theft of data is just the beginning.

“[We’re seeing] more sophisticated fraud,” says an operational risk manager at a US bank. “What I really worry about is people taking critical customer data and putting it on the dark web. I don’t worry about a hold-up.”

Theft and fraud losses are also closely linked to the drive to automate processes and systems. A senior risk manager at a global bank points out that automation of customer authentication, for example, gives criminals the chance to use stolen data to fool robot gatekeepers.

“The situation [with automation] is improving, but the threats are increasing. It’s like the two sides are growing together,” says the risk manager.

Institutional complexity may be a boon to fraudsters: super-intricate systems architecture can hinder a bank from understanding how and when a financial criminal has gained access. “It can make it more complex for the fraudster, of course, because they have to work with 10 systems instead of one. But it creates more points of failure, so I’m not able to say if it’s a plus or a minus. A unique system is a unique, single point of failure – and 10 systems are 10 entry points,” the risk manager says.

However, automation and digitisation are among the main tools in the fight against theft and fraud. Loan frauds may be easier to perpetrate online, but when a bank has a large digital dataset to parse, it can spot anomalies much quicker than in the days of paper-based fraud. “With big data and correlation tools, we try to find abnormal patterns in payment systems and trading systems,” the senior risk manager says. “But it is not the panacea – it’s a work in progress.”

Regulation may be another factor in the ascent of theft and fraud in the rankings this year. Gaining access to the data used to commit theft and fraud, some argue, is becoming easier because of laws compelling financial institutions to collect larger quantities of information on customers.

[Figure 2: Theft- and fraud-related loss events, 2018–2019. Bars: total loss ($bn); lines: number of theft-/fraud-related loss events and number of loss events without loss figures. Source: ORX Association]

04 Outsourcing & third-party risk
Respondents worry about risks stemming from an opaque web of vendors with poor controls

Big banks have decided there are many things it is not worth their while to do in-house. So they contract them out.

And that has birthed a whole new anxiety: third-party risk, or the possibility of getting body-slammed by problems at a vendor – cyber infiltrators, power failures and disreputable behaviour among the most common.

Then there are the vendor’s own third-party vendors. At that point, third-party risk splits into fourth-, fifth-, etc, -party risk – a radiating pond of ever less visible odds.

On this year’s top 10 op risk list, third-party risk came in fourth place, moving up from sixth last year. Banks don’t believe their thicket of vendors take risk management – particularly cyber security – nearly seriously enough, with one respondent to this year’s survey calling them the “weakest link in the organisation”.

Amit Lakhani, the global head of IT and third-party risks for corporate and institutional banking at BNP Paribas in London, notes that along with regulatory pressures, how one retains one’s mission, or ‘unique selling proposition’, needs to be addressed.

“You could be in a situation where you are outsourcing so much that all you are is a vendor manager, not a bank,” he says. “Customers trust us as risk managers to maintain and protect their data, and management has set certain outsourcing thresholds so we don’t lose our USP.”

Operational risk managers at Nedbank, headquartered in Johannesburg, South Africa, might agree. The personal details of 1.7 million of its customers may have been exposed after a breach at Computer Facilities, one of its vendors, the bank said last month. Computer Facilities carried out text messaging and email marketing for Nedbank, and had access to the
04 Outsourcing & third-party risk (continued)

names, addresses and government ID numbers of the bank’s customers.

Power outages at vendors can also bring services to a standstill. Last August, an electrical failure at a data centre in Mexico City put the credit cards and cash machines of six banks out of commission for several hours. The banks included HSBC and Santander, as well as domestic lender Banorte and Banjército, Mexico’s military bank.

Banks involved in these mishaps are flamed to varying degrees on social media. Respondents to this year’s survey noted that a hit to the brand can be severe: even false reports can run amok online, leaving firms scrambling to undo the damage. But even if vendors were airtight on cyber security and company culture, what about their vendors?

“Fourth-party provider use is even less transparent and difficult to monitor, which increases exposure to additional avenues for cyber and fraud events,” says another respondent.

The risk posed by fourth and fifth parties was much discussed by op risk managers last year, as the European Banking Authority set new guidelines that significantly raised the bar for scrutiny of vendors, as well as their suppliers of critical services. The EBA now expects banks to negotiate audit and access rights for fourth parties working with their vendors. European op risk managers privately say this is wishful thinking – getting even basic information to assess the security of those subcontractors is difficult.

Banks are increasingly turning to other vendors to watch their vendors. Cyber-risk rating agencies are being touted by banks and insurers as a cost-effective way to keep track of vendors. These agencies scour the deep web – content not indexed by search engines – for clues on companies’ cyber security practices. But some observers say not all these services apply a standard high enough to be reliable, so some banks simply avoid them.

“The level of much of the detail provided by these services is quite good,” said Charles Forde, group head of op risk of Allied Irish Banks in Dublin. “I think the challenge is you can’t use all these services in the same way. Some of the cyber risk ratings apply a very good layer of analysis to the data they gather, providing accurate conclusions. But the data analysis of some providers can be of low quality, so can’t be used as a decision point in a risk assessment.”

Besides third and fourth parties, financial institutions rely on a host of infrastructure providers such as clearing houses to execute and clear trades. William Moran, chief risk officer for technology at Bank of America, said that rarely is any information provided by clearing houses.

“They either won’t participate at all – that is, they won’t answer your questions – or they won’t let you do an on-site [inspection], or they basically cherry-pick which questions they want to answer,” he told a Risk USA conference in New York in November.

He similarly criticised regulators, saying they “don’t tend to be very responsive about what they’re doing in terms of cyber”.

Another issue flagged in the new EBA guidelines is concentration risk. This is defined as the outsourcing of many services by one bank to a single provider, making them excessively dependent on that vendor, or as a convergence of business at just a handful of big companies. This could leave companies exposed if anything went wrong at those few heavyweights.

Respondents expressed concern that a few cloud providers have tightened their grip on the market, singling out Amazon Web Services and Microsoft Azure as particularly powerful. Spending on cloud infrastructure services was up 37% last year, according to research firm Canalys, with AWS, Azure and Google Cloud dominating the business. One source notes that the cloud companies are co-ordinating their lobbying efforts in Brussels, making themselves heard on a range of issues.

Their large market share – AWS and Azure alone have half the market – also means they can extract favourable terms from all but the brawniest financial services companies. Typically, cloud providers want firms to sign a standardised contract that retains most oversight for themselves and their own third-party auditors.

The chief executive officer of a systemically important financial institution recounts that he rejected the boilerplate contract pushed by one of the cloud providers, and then endured months of winding negotiations to get the guarantees he wanted before agreeing to move to the cloud.

Besides concentrations at cloud companies, the EBA guidelines spurred some soul searching on another subject: how much outsourcing is too much? The agency warned that an excess of contracted services could turn a bank into an “empty shell”.

[Figure 3: Top third-party risks, percentage of respondents citing each risk category. Survey of 94 firms across 43 countries, June–September 2019. Source: EY and Institute of International Finance global bank risk management survey]
Top 10 op risks

05 Resilience risk

In an entwined financial system, an outage at one bank can reverberate through many more

When a broker can’t execute a trade because of a system meltdown, or a customer can’t get money out of a cash machine, they don’t ponder whether the bank in question has set its risk appetite correctly. They just want to know when they can get their trade done, or their cash in hand.

Resilience, the ability to get operations and services up and running after a disruption – IT snafus, cyber attack, bungled third-party supplies, cataclysmic weather or any other hazard – is a new entrant to the top 10 op risks, and makes its debut at fifth place.

Several forces are at work in elevating the topic. The growing complexity of banking and the interwoven nature of the financial system, both now rooted in technology, have combined to make resilience a subject of boardroom discussion.

“I definitely see it as a risk in its own right at the moment – and I think that will remain the case for the next three years at least,” says a senior op risk manager at a large European bank.

Several incidents in the past year raised alarm. CI Banco in Mexico found ransomware on an employee’s computer and restricted operations, taking down online banking services. Smoke in a Wells Fargo data centre shut off power, disrupting online and cash machine services for 14 hours. When hackers tried to steal millions from the Bank of Valletta in Malta, the bank closed all its branches, its cash machine and its website. It returned to normal service the next day.

The concept of cyber resilience, in particular, is well-established in the industry. The Financial Stability Board’s cyber lexicon defines it as “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents”.

Banks are extending this definition or variants thereof to operational resilience. “Resiliency is broader than disaster recovery,” says an operational risk executive at a US bank that has set up a working group on operational resilience. “We’re focusing on end-to-end services.”

Some banks have moved quickly on the issue: last year, HSBC hired Cameron ‘Buck’ Rogers, the Bank of England’s cyber risk chief, as its first head of resilience risk, while LCH, the largest clearing house of over-the-counter derivatives, formed a dedicated resilience department. Fears have arisen in the banking world that a cyber attack on a clearing house, for instance, could reverberate throughout the industry.

Unlike business continuity and disaster recovery, which deal with individual systems, resilience looks at how quickly the entire organisation can resume its routine.

“Resilience is an outcome, business continuity is a management tool,” says the European bank’s operational risk executive. “You are resilient if your banking system is available to the level you target.”

Regulators are taking a closer look. The Basel Committee on Banking Supervision established a working group in 2018 with the aim of including a discussion of resilience metrics in an update of its principles on operational risk and, ultimately, to create a set of metrics for the industry. The Federal Reserve is also understood to be preparing a policy paper on the subject. A New York Fed study in January said a disruption at any of the five most active US banks would result in significant spillover to other banks, affecting 38% of the network on average.

At the US Treasury Department, network theory is now being used to identify which links in the financial system chain are most vulnerable, and defend them accordingly. In a targeted attack, the hub with the most direct connections to other nodes in the network is the most critical to protect; in a random attack, the hub that connects to the most nodes – directly or indirectly – is most critical.

A consultation by the Bank of England last December required companies to set timeframes on how quickly services would be restored following any outage. This is a subtle departure from business continuity, which focuses on how long it takes for systems to get back online. The former is about services, the latter about technology.

The consultation will require ‘impact tolerances’ as opposed to risk appetite – the losses a firm is willing to swallow following an outage. The rules, which the Bank of England plans to finalise in 2020, could include impact tolerances for vital services in the broader economy, like payment systems.

That has some companies worried.

“Setting blanket impact tolerances in terms of hours or days could be hugely unhelpful,” says the European bank’s op risk manager. “No two firms look the same, and even within the same operating model you have very different business mixes.” An outage at a retail bank with a large card payment network, he adds, could be far more disruptive to the financial system than a disruption at a big high street bank.

Exactly what is meant by ‘impact tolerance’ is a matter of debate. Some practitioners say risk appetite already includes it.

“The paper talks about defining critical processes and, for each of those critical processes, defines the acceptable tolerance. Some of that work has already been done through risk appetite,” says an op risk executive at a North American brokerage firm. “That might be an area where some examples from the regulator about what they mean would be beneficial. Setting the tolerance at a certain level has financial implications.”

Given the digitalisation of financial services, third-party providers can be weak links in the system. The Bank of England also addressed third-party arrangements in a separate consultation in December. The central bank would require contracts with critical service providers to include provisions for data security, audit, sub-outsourcing and business continuity.

More costly than getting things going again can be the lasting reputational damage. Today, there is little cover. If the mainstream media does not report the disruption to service, social media almost certainly will.

“Interconnectivity and social engagement means you can no longer isolate your failures,” says the European bank executive. “If you’re down for a few seconds, it’s amazing how many times on Twitter it will get picked up.”

06 Organisational change

New tech has created a perennial state of flux in banking, as other kinds of shake-ups continue

One large European bank simply calls it “change risk”. It refers to the kinks that may arise as a bank or firm reshuffles its operations for any number of reasons. This year, the biggest of them is the need to keep up with the unstinting pace of technology.

The relentless lunge to the latest technology is being watched closely. However much they invest, firms cannot responsibly move as fast as tech companies – but they do have to move. An op risk manager at a US bank says rapid evolution has to be carefully controlled to avoid any sudden movements.

“Change management is a top risk for us,” he says. “Agile methodologies are something we continue to monitor.”

One financial market infrastructure provider, like many others, is facing significant upheaval in integrating “new technology platforms, new services avenues and new management”, its chief risk officer says.

At a large US asset manager, numerous “transformation” efforts are under way, says one managing director, as the firm absorbs the purchase of a business software provider. The firm refers to this sort of overhaul as “process re-engineering”.

“We completely rebuilt our front-to-back systems,” says the head of op risk. “All the processes we execute manually are going to be rebuilt using new technology.”

Plenty could go wrong. Conversions of this sort, new projects and procedures – such as the long-overdue overhaul of domain models, for example – and the hatching of new enterprises often mean more work for employees who are already under pressure.

“Banks are re-engineering many core processes and leveraging fintech solutions, but time to market is short,” says an op risk head at an international bank. “Agile development makes it hard for risk [teams] to catch up and ensure that risks are being properly addressed.”

But the organisational change category takes in more than the onrush of tech: changes in business strategy, teething issues with new management, shake-ups, onboardings and anything else that could send waves through a company. When a bank shrinks instead of expanding, that also requires attention. Downsizings that put multitudes of people on the street can hollow out morale and ramp up the workloads of those still at their desks. Recently, HSBC announced it would slash 15% of its global workforce – 35,000 people. Deutsche Bank, in its restructuring effort, announced it would cut 18,000 jobs by 2022. Cost-cutting, generally a sign of lower profits, can be accompanied by reputational risk, especially when accompanied by extensive job culls.

Organisational change risks can be more mundane. The chief risk officer at one clearing house, for example, is dealing with a good old-fashioned merger – “a challenge to our IT integration and unexpected regulatory requirements as well”.

Brexit is no longer the anxiety it was a year ago. One senior risk manager at a leading European bank says the UK’s rupture with Europe required shifts at his company, but that that work is now largely complete.

“We had to reorganise in terms of legal entities, and who trades what,” he explains. The “migration tasks” that do remain are well understood and thoroughly mapped out. “It doesn’t add any value to us as a global bank, but it makes lawyers and consultants richer,” he says of the effort.

One perennially predicted insurgency – distributed ledger technology – has not yet materialised. The probability that blockchain will one day bring seismic change to finance is high, but for now, it’s somewhere out on the horizon, says the risk manager from the European bank, despite a surge of ledger-related work.

“I see some niche solutions in blockchain,” the risk officer continues. “But at the end of the day, position-keeping for cash and securities will still be with a trusted third party – which is likely to be a regulated entity, rather than a cryptographic algorithm.”

He adds: “Maybe it’s because I’m old-school.”
07 Conduct risk

Root-and-branch reform of bank culture remains a work in progress

Conduct risk returns to this year’s Top 10 Op Risks, although it’s never really been away. The category is an aggregation of two key subsets of the risk – mis-selling and unauthorised trading – which have appeared repeatedly in previous years.

“We still have not moved away from the number one risk: conduct,” says an op risk head at a UK bank, about the financial industry. “Conduct by its nature tends to take some time to be identified, and then often takes a long time to manifest itself in outflows from fines or restitution. You can’t rest on your laurels.”

Gauging the scale of the problem through risk modelling is notoriously hard: the seemingly sporadic nature of big conduct losses, with low levels of wearable losses punctuated by extreme instances of costly wrongdoing, makes it hard to parse datasets to deliver credible conduct value-at-risk figures.

In a recent high-profile loss, a rogue trader at a subsidiary of Mitsubishi Corporation placed a series of unauthorised trades in crude oil derivatives starting in January 2019. The trading firm discovered the positions in August – but too late. The bets had already racked up $320 million in losses.

Firms’ focus on conduct has been sharpened by the implementation of a number of regulations, among them the UK’s Senior Managers and Certification Regime, which was expanded in December to cover some 50,000 regulated firms. The UK Financial Conduct Authority disclosed in September it had a pipeline of investigations for “serious” breaches of the code.

The regime, which seeks to codify a culture of personal responsibility among bank leaders and risk managers, has helped spawn similar sets of rules in other jurisdictions – for example, Australia. Here, the Banking Executive Accountability Regime is set to expand in scope and penalty following a series of mis-selling scandals that have plagued the country’s banking and insurance sector. The Australian Securities and Investments Commission has said it would not shy away from redoubling enforcement to punish misconduct.

The ultimate remedy cited by many practitioners remains an improvement in risk culture – “doing the right thing when no-one is looking” – rather than quick fixes.

“You need to have a culture which says that certain behaviours are inappropriate,” says the UK bank’s op risk head. “You achieve that in a number of ways. First, you create a tone at the top. Second, you ensure that you reward good behaviours and you put in measures to penalise bad behaviours.”

One survey respondent says his firm, a bank in North America, has created a new dedicated conduct risk oversight committee, along with a sales and servicing committee to drive the tone from the top.

There are signs a stronger risk culture is starting to permeate: some banks in the Asia-Pacific region have revised their conduct scorecards to reward good behaviour over hard sales. Malaysia’s largest lender, Maybank, has overhauled its individual compensation model by incorporating client satisfaction and ethical behaviour alongside financial targets. ANZ has abolished sales targets for its branch staff while Commonwealth Bank of Australia has capped the weightings of financial metrics at 30%.

Mis-selling itself has an evolving definition tied to regulatory risk, as watchdogs and customer expectation change over time, which adds to the complexity of managing such risk.

An op risk manager points to the notorious selling of payment protection insurance in the UK as an example. While the product itself wasn’t deemed wholly inappropriate at the time, the cut-throat sales culture led to mis-selling of insurance on loans, credit cards and mortgages. The two-decade-long practice resulted in payouts exceeding £50 billion ($64.1 billion) by UK banks and credit card companies. Of this, more than £37 billion was returned to complainants, according to official data. The remainder was paid in fines and other costs.

Costly settlements on misconduct-related lawsuits can linger for years. Litigation and misconduct charges reported by large UK banks – Barclays, HSBC, Lloyds, Nationwide, RBS, Santander UK and Standard Chartered – increased 20% to £6.5 billion in 2018, according to their annual reports.

Senior op risk managers recognise that a comprehensive framework could be the key to the changing nature of conduct.

“Culture change can sometimes lead to not being compliant with policies, and that needs to be managed,” says one op risk head at an EU bank. “It’s not always intentional. But if you don’t have a framework around it, you have a laidback attitude where people ask for exceptions.”
08 Regulatory risk

New technology and reams of red tape make non-compliance fines more likely

Regulatory risk slips back a few places to rank at eighth in this year’s Top 10 – a function, perhaps, of a slowdown in the printing press of rulemakings that have reshaped the post-crisis financial landscape. The bedding down of reforms to derivatives markets, financial accounting practices, regulatory reporting and stress-testing requirements – the list goes on – doesn’t make compliance with them easy, however. Given the breadth and volume of new sets of rules, the potential for mis-steps and misinterpretation is manifest. “Increasing regulatory and compliance requirements – in the form of both new rules and amendments to existing rulesets – as well as intense regulatory scrutiny, is a perennial challenge,” says the head of op risk at one global bank.

A time-honoured way of staying on top of such headaches is to poach those who wrote the rules: UBS hired the head of banking supervision at Switzerland’s Finma, the bank’s primary supervisor, as its head of regulatory affairs last year. Others have hired with the new regulatory compliance topic du jour, resilience risk, in mind: HSBC hired the Bank of England’s Cameron ‘Buck’ Rogers as its first global head of resilience risk.

In many areas, differing global interpretations of supranational rules, particularly where they butt up against national-level requirements, can make compliance a nightmare. Take, for instance, the compliance risks involved in new data protection regulations. The European Union’s General Data Protection Regulation (GDPR) came into force in 2018, followed in short order by a sometimes conflicting rule from the US state of California that inevitably binds many firms doing business with anyone in the US’s most populous state.

One respondent warned: “Many countries have their own data protection laws, making the exchange of data between units of a group operating on five continents like a walk in a minefield, especially when the rules are not clear or fully articulated, or data protection authorities have not yet provided the required guidance.”

Meanwhile, the potential cost of a failure – whether under GDPR with its 4%-of-revenue penalty cap, or from penalties and lawsuits in non-GDPR nations – remains high. Fears of infringing privacy regulations are even undermining efforts to encourage the sharing of cyber threat information, despite efforts by regulators to reassure institutions. With data compromise high on the list of op risks for another year, the instinct to clamp down on data flows is strong in 2020.

And the problems worsen when outsourcing and offshoring relationships are involved, other respondents point out: home regulators still demand high levels of supervision, which can be more difficult to achieve and verify for external providers. Some companies, one respondent said, have already reached the “tipping points of offshoring, where supervision is harder to continue to prove to home regulators”.

That was in evidence from regulatory fines for data reporting breaches this year. The Bank of England fined Citi £44 million ($56.3 million) in November for submitting incomplete and inaccurate capital and liquidity metrics, a job that was offshored to teams in Budapest and Mumbai. The watchdog’s report was a damning list of failings: the teams were under-resourced; the returns were not sufficiently challenged; and the bank was found not to have spent enough time on interpretation of UK rules.

With Brexit looming, it seems likely that, once the UK’s exit conditions from the EU are finally confirmed later this year, they will include some degree of regulatory divergence for the financial sector – meaning two sets of reporting requirements for derivatives trades, as well as greater difficulty in cross-checking trade reports. Keeping up to date with the details of rapidly changing regulatory requirements represents a significant resource drain by itself, even without the additional cost of meeting the requirements.

Efforts to introduce common standards for trade data reporting have been, so far, only partially successful – full success will require considerably more effort from banks. Slow adoption of the BCBS 239 risk data standard has led European regulators to resort to unannounced ‘fire drill’ inspections of the banks they supervise – effective, but onerous.

Advances in artificial intelligence represent another source of regulatory risk. Risk managers highlighted the vital importance of ensuring transparency as AI systems become more widely used. While AI involvement in decision-making increases, whether for trading or in customer-facing roles, the pressure to prove that its decisions are unbiased and well founded grows, too – even as the software, and therefore the task of explaining it, becomes more complex.

Privacy concerns abound with AI: investment managers are wary of the privacy risks around alternative data and worries about data protection are restricting the use of AI in internal surveillance. Fear of regulatory penalties, and of reputational loss and damages awarded in civil suits, makes this an area of particular risk.

Other respondents noted that internal pressures were also responsible for significant regulatory risk – the launch of innovative products increased the danger of missing reporting deadlines or failing to meet other regulatory requirements, which in turn could lead to penalties, intrusive inspections or reputational damage.

B. Regulatory fines

Region                         Frequency        Severity ($ million)
                               2018    2019     2018        2019
Africa                           10      11     110.6        10.3
Asia-Pacific                     41      20     843.5       509.4
Eastern Europe                    3       4       5.0         5.2
Latin America and Caribbean      12       7      78.6        82.5
North America                    91      76   6,904.7     2,531.5
Western Europe                   45      64   2,257.6     1,837.6
Total                           202     182  10,200.0     4,976.6

Source: ORX Association
09 Talent risk

Firms struggle to reduce headcount and fill gaps without cutting corners

Talent risk appears in the top 10 for the second time in three years – unwelcome evidence for banks and other financial firms of the struggle to recruit and retain the right calibre of staff and deploy them where they’re needed, in an era of dramatic headcount reductions.

As banks shed jobs, it forces them to think more about how they manage talent risk, says a global op risk head at a US bank. Operating with a leaner business model has forced his firm to recognise more quickly where it does or doesn’t have specific skill sets and juggle resources accordingly, he says. At the same time, a shift in its business mix or change in regulatory priorities can leave the firm exposed.

The emergence of new technologies such as machine learning is pushing financial institutions to adapt their business models in areas such as anti-money-laundering checks, credit decisioning, trading automation and improving customer experience.

An efficient organisational structure is especially important for the growing number of virtual banks around the world. As digital-only banks enter the market with more responsive customer services and product offerings, they are bound to face intense regulatory scrutiny on their risk management. Chief risk officers, chief compliance officers and other senior staff need risk management know-how as well as basic technical understanding of their products.

Many of those jobs require quants – and in some markets experienced hands are in short supply, notably pricing quants in Asia-Pacific on both buy and sell side. If the proliferation of specialist quant finance master’s programmes is anything to go by, the future looks brighter – though banks may have to watch for their best quants being lured back into roles in academia.

With the era of rock star front-office quants charged with creating and pricing hot new derivatives long since over, banks worry that the attraction of the profession over the lure of Silicon Valley and other career paths is waning; making sure a model behaves itself within certain known parameters is not as fun as building one from scratch.

Banks have tried to raise the profile of some new hires: for example, UBS has vowed to raise the profile of the quants responsible for overseeing and validating machine learning-based models the bank is increasingly looking to deploy.

A dearth of staff can also morph into organisational change risk: delaying automation and digitisation projects can lead to banks’ “inability to attract, manage, motivate, develop and retain competent resources”, says Evans Kasai, head of op risk at South Africa’s Nedbank. This can have a “negative impact on the achievement of strategic group objectives”, he adds.

Within the risk function itself, the IT skills to keep up with digitalisation are in short supply, hiking the risk to banks, says one op risk head at a global bank. “Traditional ways of managing operational risk need to change, and the skills to identify and manage digital risk are still in development, but business is digitalising at a great speed,” he says.

Any time compliance expectations change in specialised areas, it sparks a scramble among banks to find appropriate hires. That can be a particular problem in regions without deep talent pools. In Singapore, for instance, a shift in the way the local regulator expected banks to approach cyber risk management and counter cyber threats has forced firms to confront a dearth of IT talent. Salaries have risen as banks increasingly look to benchmark pay for technology risk and information hires to levels at tech firms, recruiters say.

As Basel III moves from rancorous rule-writing to full-on implementation, banks are hunting for experienced talents to lead their efforts. Bank of America, for example, recently hired one of Deutsche Bank’s most prominent risk analytics executives to lead strategic market risk regulatory programmes, such as the Fundamental Review of the Trading Book.