Top 10 op risks 2021 – Risk.net, March 2021 (Risk management) – supported by Baker McKenzie
Top 10 op risks

Contents

2 Introduction: Op risk managers could be Covid long haulers
The biggest operational risks for 2021, as chosen by industry practitioners. New threats sprang from old sources in this year’s Top 10 op risks, belying a big drop in losses

3 Sponsored feature: The importance of getting technology change right
Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, covers some of the rapid technological changes under way brought about by, and in the wake of, the Covid-19 pandemic

5 Top 10 op risks 2021

5 #1 IT disruption – Integrity of core systems paramount as risk managers battle outages and hacks in work from home era
6 #2 Data compromise – Remote working elevates fears of data theft, misuse and abuse
7 #3 Resilience risk – Industry survives biggest real-world stress test, but challenges remain for firms and regulators
8 #4 Theft and fraud – Changes in working practices since Covid shift angle of criminal attack on financial institutions
9 #5 Third-party risk – Pandemic and shift to cloud computing inflame concerns for banks and regulators
10 #6 Conduct risk – Remote working vastly complicates the job of conduct risk supervisors
11 #7 Regulatory risk – Big dip in fines belies lingering fears over Covid loan mis-selling and sanctions risk
12 #8 Organisational change – Change the sole constant as industry ponders its post-Covid future
13 #9 Geopolitical risk – Stimulus unwind, Covid nationalism and regime changes spell volatile operating environment
14 #10 Employee wellbeing – All-encompassing impact of Covid leaves employees with the feeling of ‘living from work’

15 Sponsored feature: Heightened operational risks in a changing world
Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses the growth of conduct and operational risks in the light of the pandemic, including those caused by mass home-working, the enhanced technological ability to address them, and why we should design a new type of workplace culture or risk losing one altogether

risk.net March 2021
Introduction

In depth – Monthly special features: Top 10 operational risks 2021
Illustration: Mark Long, nbillustration.co.uk

Op risk managers could be Covid long haulers

Like many, operational risk managers were glad to see the back of 2020. Unlike most, their worries show few signs of easing. The giant sources of op risk engendered by the coronavirus – opportunistic cyber attacks, creative money laundering and vast new possibilities for internal fraud – aren’t going anywhere, even as the world charts a course out of lockdown.

Among broad categories of concern, this year’s Top 10 operational risks look superficially similar to previous years, with movement between them as expected: conduct and resilience risk have both risen up firms’ agendas, with more esoteric concerns like organisational change and talent risk dropping. Employee wellbeing was the sole new entry – both a welcome sign that managers are taking the human element seriously, and a worrying one that the scale of the problem is big enough to be top of mind.

Yet within each category, risk profiles have changed dramatically in ways that are difficult to predict and impossible to fully track. The threat of IT disruption remains the top collective concern, for instance, but conversations suggest that owes as much to insider threats from disgruntled employees – those on notice or paid leave who still have access to systems and controls, for instance, or sensitive data – as it does longstanding worries over outages and overloads. And perhaps counterintuitively, the trend in op risk losses has been falling during the pandemic, along with attendant capital numbers – 2020 marked a post-crisis low in both frequency and severity of losses, according to data from ORX News.

When might the increased array of threats firms face in the work-from-home era crystallise as loss events? That all depends. When modelling losses, firms tend to divide events between those stemming from conduct related issues, and everything else. In part this is due to the difficulty of modelling the former, given it is skewed by infrequent, but catastrophically large losses.

But conduct losses are also a slow burn: fines for mis-selling, market manipulation and most forms of internal fraud take a long time to come to light, then hang around for far longer – perhaps forever, in reputational terms. “When we model, we assume most conduct losses will show a three-to-five year lag – whereas normal, transaction-style losses will appear within a one-year window. One year into Covid, we’ve not seen any transaction losses of any real note – so I don’t know whether we will now. But who knows what conduct looks like,” says the head of op risk capital at one European bank.

Covid has also exposed the limitations of point-in-time year-ahead forecasts, including our Top 10 op risks survey. Few risk managers reported pandemic risk among their top concerns last year – one honest bank admitted it drew up a pandemic scenario, before dismissing it as unrealistic. It last appeared in 2013’s Top 10, in the wake of the Asian swine flu epidemic.

So, Risk.net is considering ways to shake up the format of the Top 10 op risks, to make it more dynamic and informative for readers. What might that look like? A quarterly poll, to see how the main areas of concern for op risk managers evolve over the course of a year? Or a free-form exercise designed to identify emerging risks?

Tom Osborn, Editor, Risk Management
Let us know your thoughts: send suggestions to tom.osborn@risk.net

Quote me

“The consequences of IT disruption are likely to be higher, because of our increasing dependency on technology”
Operational risk consultant

“Two years ago, resilience sounded like an academic concept: ‘you’re only as strong as your weakest link’. But it’s so true – this year has proved that in spades”
Head of strategic risk, US asset manager

“By working in the office, you can pick up informal signals and signs that may point to issues”
Head of op risk at a large international bank

“I feel that we are seeing increased volatility in previously stable regions. This could, for example, be demonstrated by the recent storming of the US Capitol: an event in a country that I would have always considered to be among one of the most stable in the world”
Non-financial risk consultant
SPONSORED FEATURE

The importance of getting technology change right

Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, covers some of the rapid technological changes under way brought about by, and in the wake of, the Covid-19 pandemic

Technology change on steroids

Technology in financial services is no longer limited to fintechs. Its adoption is a vital component of every financial institution’s business model in responding to disruptive competitors, meeting higher customer expectations and reducing costs. We have been living in the fourth industrial revolution for some time, but Covid-19 has further accelerated the digitisation of financial services – some commentators consider parts of the industry have advanced five years within the space of just one year – and, inevitably, installing new IT brings new opportunities, but also risks. Given the intensity of technology changes being put through at a fast pace with stretched resources, the usual risks may be elevated, particularly where there are new technologies. Operational risk managers must design and put in place effective processes to identify, manage and monitor them – during and after change. The increased expectations of financial institutions in this respect are growing, as reflected in an increasing number of regulatory requirements.

Key takeaways

• Covid-19-propelled digitisation is increasing the number of technology change projects.
• Failed technology changes are more serious than other change management failures and they are likely to impact customers.
• Identifying why projects fail, continuing investment and change, using cloud technology and having robust governance arrangements are all vital to reducing the number of incidents and their impact.
• Having in place a robust IT or cyber risk incident response plan, including required third-party support, is essential to mitigate fallout from failed IT change management or other IT and cyber risk incidents.

Technology change management review

The recent publication by the UK Financial Conduct Authority (FCA) of a cross-financial services review into technology change management is timely and welcome [1]. While the organisations surveyed are UK licensed, the findings are relevant to all financial institutions wherever they are regulated. The review considers how financial institutions manage IT change, the impact when changes fail, and how to reduce their number and seriousness. It aims to identify ways in which related operational risk can be reduced.

With increased dependency on digital services, even short-lived incidents, such as a denial of service, can cause significant disruption, reputational fallout and regulatory exposure. According to the FCA survey, failed IT changes are generally more serious than other change management failures, and even low-level incidents – especially when they are customer-facing – can trigger potential regulatory investigations and public enforcement action. Most financial institutions, other than fintechs, still rely on legacy infrastructures, and replacing them is associated with the highest failure rate in change management. It is for this reason many institutions are reluctant to migrate to new systems when, despite much planning and preparation, there are too many examples of problematic outcomes. On the other hand, more promisingly, cloud technology is being rapidly adopted. While it has advantages and disadvantages, it can reduce the risks involved with technology change.

The FCA review confirms that there is no one-size-fits-all solution to successful change management. Nevertheless, it confirms that robust governance arrangements and ongoing investment into technology beyond any given change life cycle are central to reducing the number of incidents and their impact.

Drivers of change

What are the drivers of change? The review found the most common reasons for technology change were maintenance and upkeep, satisfying regulatory and legal requirements, followed by improvements for customers – for example, to improve their experience of a service with new interfaces and additional functionality. Other drivers include costs and company growth, which is especially relevant for fintech entrants as they begin to scale up their operations and customer base.

Risk characteristics

Where should financial institutions focus their efforts to reduce the risks associated with change management projects? The evidence shows there are a number of key characteristics shared by all high-risk projects. Some of those identified by the FCA review are unsurprising. These are projects with external dependencies, where there are tight deadlines or poorly defined goals, as well as matters characterised as ‘major’ projects, where complexity and a failure to break them up into more manageably sized projects increases the risk profile.

Of special interest are projects that involve replacing legacy technologies. These have been ‘patched over’ for many years and work alongside newer applications – a particular issue with traditional banks and insurers – and those involving unused technology within an organisation or employing emerging technologies, such as blockchain, artificial intelligence and machine learning.

Another category bearing elevated levels of risk are those projects with substantial numbers of staff located offshore. In this regard, the role of third parties is not always factored in sufficiently and clearer communication on their responsibilities is needed. Increasingly, and more so in sectors such as payments, reliance is on unregulated companies providing technology or technical services to the financial sector, another important risk factor.

Photo: Christoph Kurth

The importance of continued investment and change

The FCA review also reveals a direct correlation between lower levels of legacy infrastructure and the success rate when implementing technology change. Moreover, financial institutions with less legacy infrastructure are less likely to have to install IT changes in an emergency, and those changes tend to be more successful – a virtuous circle. By their nature, emergency changes are carried out with speed, increasing the margin for error and risk, exacerbating any existing weaknesses. Clearly, therefore, investment in renewing and deploying up-to-date technology brings advantages beyond its inherent efficiencies and capabilities. Hence, a reluctance to invest in IT is a false economy.

The review data shows that financial institutions investing a high percentage of their IT budget in change activities tend to make fewer changes that give rise to issues. The principle of ‘little but often’ has its rewards. The concept of regular updates is a reminder that managing the risks of change as part of everyday project management is more likely to be successful in comparison to using risk management on a one-off basis.

Cloud-based infrastructure

Public cloud service providers are fast becoming part of the financial infrastructure. They provide on-demand computing services and infrastructure managed by third parties shared with multiple entities. Financial institutions are becoming progressively more dependent on cloud because of its ability to reduce costs, enable businesses to adopt and scale new technology on demand, accelerate digital transformation and facilitate mandatory data analytics. Although they can result in a lower level of oversight and direct control, an additional benefit of change management with cloud is that it allows for more frequent change cycles and greater automation, as in repetition and consistency. This not only reduces the need for ‘big bang’ changes and lowers the manual risks around technology change, but also improves the ability to respond when something goes wrong.

As organisations speed up digitisation to enable remote working, the shift of customer preferences to digital channels and investing to improve efficiency, boost productivity and profitability, senior management must plan the implementation and risk management of change projects with extra care.

The importance of governance

Many financial institutions use governance bodies (change advisory boards) to support the assessment, prioritisation, authorisation and scheduling of changes. The use of change management by financial institutions is also not new. In fact, the review found that most entities surveyed actually had in place “rigorous governance arrangements”. A key takeaway is that, while less than 2% of technology changes go wrong, due to their sheer number their impact is significant, with 14% of these resulting in customer impacts.

The effective use of project management is also critical to achieve a high rate of success with change management, not least in ensuring that strategic objectives are met, ensuring high standards of risk management and quality control. Effective governance starts with senior managers who should take steps to secure an effective operational environment. Here, governance arrangements that have been in place longer tend to enjoy a higher rate of success. A caveat is that such arrangements should not be left to themselves. As opposed to ad hoc reviews, best practice means regular reviews to ensure they remain adequate for the task, which may itself evolve when technology and business models continue to adapt as quickly as they are currently. Besides senior management, non-executive directors should bolster governance by challenging change plans.

While the board is ultimately responsible, the chief operating officer or another member of senior management should have direct and specific responsibility for managing technology change. Of course, some jurisdictions such as the UK impose prescribed responsibilities on senior management function holders, who will be liable when things go wrong if they have failed to take reasonable steps.

The importance of incident readiness

Even the best-managed change project does not guarantee frictionless implementation, and even frictionless implementation of change is no guarantee for ongoing operations without friction. Because of these realities and the ever-wider use of technology, it is recognised that the management of operational IT risk and its counterpart, operational IT resilience, are increasingly important. This is reflected by the emphasis regulators place on adequate systems and controls, management reporting and clarity over senior manager responsibilities. This is against a background of recent high-profile failures in technology change management that have led to significant levels of disruption and customer detriment. Accordingly, it is essential that, during the change process and beyond, financial institutions have robust IT and cyber incident response plans in place.

As a starting point, financial institutions should identify their key business services, including people, processes, facilities, information and, in particular, the technology that support these services. They must have clear governance around each technology, a clear understanding of the data these technologies process and how the process can be controlled or control recovered. Part and parcel of a robust incident response plan are also unambiguous escalation and reporting procedures, a solid understanding of reporting obligations and the instantaneous availability of trusted partners that can be brought in to help manage an incident whenever and wherever it materialises, including forensic firms and law firms.

While customers might benefit from a stronger operating platform in the future, if technology change results in service disruption, or an increased technology risk profile post-change is not managed properly, regulatory and reputational fallout from technology failure or vulnerabilities will obscure the benefits to the business for some time. The opportunities that new technology brings require improved operational risk management capabilities and practices. This is particularly true during this current time of rapid change.

[1] FCA (February 2021), Implementing technology change, https://bit.ly/3upCCPW
Top 10 op risks 2021

Welcome to Risk.net’s annual ranking of the top op risks for 2021, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.

As in years past, there is no great secret to the methodology: Risk.net’s editorial team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.

The survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide. As ever, Risk.net invites feedback on the guide and its contents – please send all views to tom.osborn@risk.net. Thank you for reading. ■

Profiles by Steve Marlin, James Ryder, Costas Mourselas, Karen Lai and Tom Osborn.

A. Top 10 operational risks 2021

Position   Op risk                 2020 position
1          IT disruption           1
2          Data compromise         2
3          Resilience risk         5
4          Theft and fraud         3
5          Third-party risk        4
6          Conduct risk            7
7          Regulatory risk         8
8          Organisational change   6
9          Geopolitical risk       9
10         Employee wellbeing      -

#1 IT disruption

Integrity of core systems paramount as risk managers battle outages and hacks in work from home era

Risk managers might look back on 2020 as the year in which the threat of IT disruption – an already broad remit encompassing everything from accidental systems blackouts to deliberate attacks by outside actors – exploded into millions of home offices around the globe.

The shift to remote working left financial firms more exposed than ever to cyber attacks by high-tech adversaries, backdoor threats introduced via newly critical third-party suppliers, or hackers intent on causing chaos.

Small wonder then that industry respondents ranked IT disruption their top concern once again in this year’s Top 10 op risks, and by a greater margin than previously. While the industry surprised itself with its ability to function so effectively from home, some teething problems were inevitable. Housebound employees are still intimately familiar with the turmoil created by dodgy Wi-Fi connections, a virtual private network going down at the worst possible time, or the system they are trying to remote into falling over under the sheer weight of traffic.

Meanwhile, threats such as ransomware attempts, which might be easy to manage together and dismiss in the office, took on a new, lethal credibility outside the office.

“The threat landscape from ransomware remains on the rise with threat actors looking for new ways to facilitate ransom payments, such as targeting senior management mail inboxes,” says an operational risk head at one global bank.

Regulators are paying close attention. Last October, Nick Strange, senior technical adviser for operational risk and resilience at the Prudential Regulation Authority, said supervisors were considering whether “regularised” remote working would improve resilience or “increase technology risk as a single point of failure”. The Bank of England is in the midst of putting together its long-awaited operational resilience framework, and recent events may factor into that equation.

Perhaps more surprisingly, there were fewer operational loss events attributable to outages in 2020 compared with previous years. But high-profile tech failures at a number of banks and technology vendors and trading platforms led to chaos in key markets such as futures and foreign exchange trading during March’s unprecedented cross-market volatility.

In a prescient report published in January 2020, the BoE found that the largest banks and insurers were highly reliant on the two largest cloud providers. In late 2020, the Federal Reserve Bank of New York warned that problems at one of the large cloud providers could “plague multiple institutions at once”, causing a large-scale shock that “wouldn’t be possible if we had a more diverse ecosystem”.

Regulators weren’t immune to high-profile tech failures last year: the European Central Bank suffered an outage of nearly 10 hours on October 23, 2020 to its Target2 real-time gross settlement system caused by a software defect on a device used in the internal network of the central banks operating the service on behalf of the Eurosystem. A review by the ECB, the findings of which will be released in the second quarter of 2021, is investigating this incident as well as others that took place during 2020, including those affecting Target2-Securities, the Eurosystem’s securities settlement platform.

The introduction of new systems and platforms always carries risks, some of them harder to quantify than others. Fines for systems outages are getting bigger, though – and are a clear driver of regulators’ recent operational resilience efforts.

“If we put a new system, and it doesn’t work, regulators will come down on us like a ton of bricks. But the biggest damage will be reputational damage. And that is difficult to put a dollar value on. [But] there will be an economic loss financially as well,” says a senior risk manager at one financial market intermediary.

Keeping cyber security up to date is a constant battle, and some industry figures see breaches as an inevitability. Systems revamps remain a critical – and familiar – source of IT risk; the same individual points to the potential for outages during tech overhauls, adding that, “reliance” on old or legacy systems, “developed using outdated coding language [and] combined with a shortage of knowledgeable IT staff” is a continued problem.

“Legacy systems are particularly prone to issues arising from change management, due to the bespoke way they have been adapted over a number of years,” the op risk head says.

Of course, clients and other stakeholders rarely care what causes an outage, meaning any operational failure can also have serious reputational consequences, particularly where customer-facing systems – like banking apps or payments services – are affected.

“Say we’re putting in a bug or enhancement and it goes wrong, and as a result your systems go down. We experienced that when we implemented a new online platform a couple of years ago where it was up and down the first couple of days. You have to understand the criticality and the customer impact of any type of service disruption, whether it is fraud or cyber related or normal change management,” says an operational risk executive at a North American bank.

An operational risk consultant shares those concerns, adding that “burnout” of key employees tasked with maintaining and upgrading systems caused by the long-term uncertainties of Covid-19 could compound the legacy problem.

“There is also the exposure aspect: the consequences of IT disruption are likely to be higher, because of our increasing dependency on technology,” they add.

While the risk of IT disruption during legacy tech overhauls predates Covid-19, the consultant points out that, as firms grow ever larger – which in itself boosts concentration risk – the likelihood of such mistakes also increases; more systems requiring adjustment means more labour, and a greater chance that mistakes will be made in the process.

“The older and bigger firms I work with have more problems,” the consultant says. “Firms that grow by acquisitions often have unintegrated and fragmented systems; they need to be updated and modified.” ■

#2 Data compromise

Remote working elevates fears of data theft, misuse and abuse

For those tasked with keeping track of their organisations’ sensitive data, 2021 is shaping up to be a tough year. Large numbers of staff at financial firms are working remotely, due to the lingering effects of the coronavirus pandemic. Many users are having to access systems via VPN, often over home Wi-Fi networks, which increases the opportunity for cyber breaches. With staff scattered to the four winds, managers also lack physical oversight of potential bad actors.

Throw in a steep rise in ransomware attacks and phishing reported by most respondents to this year’s survey, and it’s not hard to see why threats to information security rank a narrow second in the Top 10 op risks 2021, behind only the basic functioning of systems.

“Information security is one area where requests and demands on proving our capability is taking far more work than I thought. The rapid adoption of cloud because of Covid means you have to double down on governance and monitoring,” says the head of cyber risk at a large US bank.

At the root of most data compromise events are faulty processes and procedures. Human error can also be a factor – or, in an era when many staff are at risk of job cuts or placed on reduced hours, malfeasance.

While financial firms publicly reported fewer losses from breaches than in previous years, 2020 brought some high-profile examples. Many firms say they are closely monitoring the ongoing fallout of the 2020 hack of SolarWinds, fearing they haven’t heard the last of the giant breach at the US software company.

At the advent of the Covid crisis last March, SolarWinds’ Orion software – employed somewhat ironically by a number of US government agencies for network outage monitoring, as well as other companies – was breached. SolarWinds’ general clients list, which has recently been removed from the firm’s website, included companies like Credit Suisse, MasterCard, and Ameritrade. Various US officials have stated that a hacking group backed by Russia is behind the attack.

On February 1, 2021, the Office of the Washington State Auditor revealed that personal information from about 1.6 million unemployment claims made in 2020 may have been exposed to unauthorised access. The compromise took place at a third-party software services provider, Accellion, when records were in temporary storage awaiting file transfer.

Bank of America suffered a data breach on April 22, 2020, while it was uploading client loan application data to the Small Business Administration’s test application platform for the Paycheck Protection Program, the bank revealed in a regulatory filing. It became apparent that other lenders and their vendors may have been able to view applicant information, such as business address and tax identification number, as well as personal information.

Breaches such as these have a range of effects on financial institutions, including legal costs, payments for customer redress and regulatory penalties. There is a potentially longer-lasting impact from reputational damage, in loss of business.

A typical breach involves a perpetrator finding weaknesses in an institution’s IT infrastructure in order to gain access to confidential information. This can be accomplished by using malware via tactics such as phishing. However, breaches can also occur from the inside, for example when firms install faulty software.

A further area of weakness can be at the point of contact with third-party service providers. The increasing reliance of many banks on cloud providers is a concern for many IT risk professionals.

“When you’re utilising cloud providers, you’re at their mercy. One small hiccup and it’s a headline risk,” says the head of cyber risk at the US bank.

The country-level chief risk officer at an international bank sees it differently. In his eyes, while increased use of cloud providers does limit a bank’s surveillance capabilities versus using internal systems, this is partially mitigated by increased resilience from more sophisticated cloud providers’ defence systems.

“You will have an attack, and they’re going to get everything they want. All you have to do is check the phishing results, to realise there’s always 1%–5% of your staff that are going to give their password, their code name, their email, everything,” he says.

“But the cloud is a lot more resilient than an in-house system, because you can have multiple copies of your overall environment ready to be rolled out. As soon as one of them gets hacked, you can have teams monitoring the network for instability,” he adds.

A joint statement on sound cyber security risk practices issued by US regulators in 2020 highlights three critical areas: response and resilience capabilities, authentication and system configuration.

Identity and access management are important controls in securing the IT environment, regulators noted. Institutions should establish authentication controls such as multifactor authentication, and implement controls that limit user privileges to enter and change critical business data, and regularly review levels of assigned access.

Institutions are urged to practice good “cyber hygiene” by securely configuring networks, documenting security standards, performing vulnerability scans of all network and hardware components, and rolling out anti-malware software.

Education is also a key part of an institution’s defences. Firms should implement ongoing training on recognising cyber threats, phishing and suspicious links. ■
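The identity and access management controls summarised above (multifactor authentication, privileges limited to what a role needs, and regular review of assigned access) can be checked mechanically against an access inventory. The script below is an added example, not code from Risk.net or from the regulators’ statement it summarises; the account inventory, role baselines, the 90-day staleness threshold and the status values are all constructed assumptions. Beyond the three points the statement lists, it also flags critical privileges retained by staff on notice or on leave, the insider scenario raised in the Introduction.

```python
"""Access review of the kind the regulators' joint statement calls for:
multifactor authentication coverage, least privilege against a role
baseline, and periodic review of assigned access. Added example; the
inventory, role baselines and thresholds are constructed, not real data."""
from dataclasses import dataclass

# Assumed role baselines: the privileges each role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read:ledger"},
    "payments_ops": {"read:ledger", "write:payments"},
    "platform_admin": {"read:ledger", "write:payments", "admin:core_system"},
}
# Privileges that can enter or change critical business data (assumed).
CRITICAL_PRIVILEGES = {"write:payments", "admin:core_system"}
STALE_DAYS = 90  # assumed threshold: access unused this long is reviewed


@dataclass
class Account:
    user: str
    role: str
    privileges: set
    mfa_enabled: bool
    days_since_last_access: int
    status: str = "active"  # "active", "notice" (on notice) or "leave" (paid leave)


def review_account(acct):
    """Return the findings for one account as tuples; an empty list means clean."""
    findings = []
    baseline = ROLE_BASELINE.get(acct.role, set())
    # 1. Authentication: every account is expected to use multifactor authentication.
    if not acct.mfa_enabled:
        findings.append(("no_mfa", acct.user))
    # 2. Least privilege: anything beyond the role baseline is excess and is listed.
    excess = acct.privileges - baseline
    if excess:
        findings.append(("excess_privilege", acct.user, sorted(excess)))
    # 3. Periodic review: long-unused access is a candidate for removal.
    if acct.days_since_last_access > STALE_DAYS:
        findings.append(("stale_access", acct.user))
    # 4. Insider exposure: staff on notice or leave should not keep critical access.
    if acct.status != "active" and acct.privileges & CRITICAL_PRIVILEGES:
        findings.append(("critical_access_while_" + acct.status, acct.user))
    return findings


def review_inventory(accounts):
    """Run review_account over a whole inventory and flatten the findings."""
    findings = []
    for acct in accounts:
        findings.extend(review_account(acct))
    return findings


# Constructed sample inventory (not real users or systems).
SAMPLE_INVENTORY = [
    Account("alice", "analyst", {"read:ledger"}, True, 3),
    Account("bob", "analyst", {"read:ledger", "write:payments"}, False, 10),
    Account("carol", "payments_ops", {"read:ledger", "write:payments"}, True, 120, "leave"),
    Account("dave", "platform_admin",
            {"read:ledger", "write:payments", "admin:core_system"}, True, 1, "notice"),
]

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print(*finding)
```

Run stand-alone, the script lists one finding per line: bob has no MFA and holds a payments privilege his role does not need, carol's access is stale and she keeps payments access while on leave, and dave retains core-system administration while on notice. In practice the inventory would be exported from the identity provider and the role baselines kept with the firm's access policy, so that the review is repeatable rather than a one-off.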
■ #3 Resilience risk

Industry survives biggest real-world stress test, but challenges remain for firms and regulators

Two years ago, in the course of routine business continuity planning, one of the world’s largest banks drew up a scenario in which a third of its global workforce was locked out of their offices without warning due to a pandemic. It tore it up, dismissing it as unrealistic.

“Our planning wasn’t good enough,” says a senior executive at the bank, reflecting on the real-world stress test of the financial industry’s resilience that was 2020. “I’ll be candid: we never thought about the global non-availability of staff to anything like this degree. We talked about it – we even looked at pandemic modelling based on World Health Organization data – but we said ‘this couldn’t happen’. We only considered the impact in very localised contexts.”

He is far from alone, of course: financial firms of all stripes and in every corner of the globe have weathered coronavirus-related tumult this year, testing their capacity to deal with challenges such as unprecedented market volatility, back-office bottlenecks and trade breaks, all while rushing to properly equip employees for long-term remote working.

Risk managers cited threats to their operational resilience so frequently, in fact, that it appears at third place in this year’s Top 10, behind only risks specifically threatening the basic functioning of systems and the security of data.

Resilience planning – which the head of strategic risk at one large US asset manager distinguishes from operational risk management as the ability to bounce back from failures, rather than trying to prevent them from happening – was a new entrant in last year’s Top 10, sitting awkwardly among more familiar threat categories like technological disruption, fraud and conduct risk. Back then, its appearance owed more to a renewed regulatory focus on both sides of the Atlantic; this year, as the op risk head puts it, it has become a daily reality.

“Two years ago, resilience sounded like an academic concept: ‘you’re only as strong as your weakest link’. But it’s so true – this year has proved that in spades,” he says.

Interconnectivity and concentration risk are familiar to the financial sector; third-party concentration risk was foregrounded sharply over 2020, with numerous industry voices calling attention to the increasing reliance of financial firms on a small group of cloud providers. The resilience of such entities is critical, regulators said, with systemic implications; while cloud platform behemoths Amazon, Google and Microsoft have enabled employees to keep working as offices closed, even a short outage at any one of them could have huge consequences for the sector at large.

Given global watchdogs are still drafting their supervisory frameworks around resilience, the regulatory context is still vitally important – and in a case of practice rapidly overtaking theory, watchdogs are amending their proposed requirements in response to the pandemic.

In October, Nick Strange, senior technical adviser for operational risk and resilience at the UK’s Prudential Regulation Authority, told a Risk.net conference the UK could revisit its stance on hard-and-fast targets on minimum service provision after outages, to see whether they were “still appropriate” following the coronavirus – an issue global supervisors have not always seen eye to eye on.

On October 30, the US Federal Reserve published its own sound practices to strengthen operational resilience proposals, in a short discussion paper. Prior to publication, Fed deputy director for policy Arthur Lindo – who also leads the Basel Committee on Banking Supervision’s working group on operational resilience issues – said that the Fed’s stance had been strongly influenced by the responses of financial companies to the pandemic.

“The importance of design[ing] resilient systems and operations, along with incident response programmes, has been highlighted as banks have needed to respond to Covid-19 related impacts,” says one US op risk supervisor. The individual adds that the prevalence of other threats, like natural disasters and the use of ransomware, also make the need for such resilience clear.

The Basel Committee also published its own high-level operational resilience proposals in 2020, issuing a consultation paper in August. The Basel paper takes the view that the work of resilience must be multidisciplinary, involving concerted efforts from a number of functions including continuity planners, risk management and governance – while leaving national supervisors a fair amount of latitude to tailor requirements for their own jurisdictions.

7 risk.net March 2021
One senior risk manager at a large financial service firm, himself a former supervisor, points out that defining resilience is in practice difficult for some supervisors. Operational resilience is defined by the Bank of England and the Financial Conduct Authority (FCA) as the ability of firms to resist and respond to operational disruption.

“What do you define as, ‘It’s still working?’” the individual asks. “People have different standards, and tolerances are massively different… How do you capture the diverse topography of what people think works for them? That’s conceptually very hard: it’s easier for the Fed, the PRA and the SEC, because they deal with major banks; the FCA looks at 56,000 firms with all sorts of business models.”

Industry professionals agree that operational resilience cannot be understood in a vacuum, given the sheer volume and variety of events that can put pressure on a firm’s day-to-day performance. It is a meta-category of sorts, given almost all threats can, in their own way, upset the usual course of business at dense and highly interconnected financial companies.

“Business continuity and operational resilience [are] consequential, and pivot off from other operational risk types like information security, third-party and IT risk,” says one op risk manager.

Some risk managers take a sunnier view of the cloud provision issue. One professional, a chief risk officer at a global bank, argues that while heightened use of such providers and outsourcing in general increases the risk of IT disruption, the potential danger of such practices is “partially mitigated” by the resilience of the cloud providers themselves.

The ex-regulator argues that supervisors themselves – subject to the same social distancing and remote working guidelines as financial companies – were equally ill-prepared for the coronavirus, and are also struggling to perform certain duties.

“They were nowhere near ready,” the individual says. Having worked for a well-known regulator, they say that the body does have some equipment for remote operations, but that the “serious calculatory work” regulators conduct is not possible without a desktop or high-powered laptop. “You can basically write a few scathing letters and email people,” they add – something which could explain the big drop in fines.

■ #4 Theft and fraud

Changes in working practices since Covid shift angle of criminal attack on financial institutions

Even in normal times, the risk of theft and fraud is high on the priority list for banks. In the post-Covid age, the risk has intensified as it morphs into new, dangerous forms.

Pandemic-related changes to business practices and consumer habits have opened or exacerbated at least four areas of vulnerability for banks. Government stimulus programmes have dangled juicy morsels of cash for fraudsters to target. Banks’ own fraud detection systems have been thrown off kilter by the sudden shift to online banking. Criminals are also taking advantage of the rise in home-working to trick consumers into transferring money to fake destinations. And with more bank staff themselves working remotely, the potential for internal misdeeds is growing.

As the head of operational risk at a North American dealer says: “The risk of internal fraud such as rogue trading is amplified by people working remotely.”

US banking giant JP Morgan fell victim to its own, home-grown fraud when it discovered last September that staff had siphoned off funds intended for pandemic-hit businesses into their own accounts. The funds were provided by the US government under its Economic Injury Disaster Loan programme. A small number of staff were subsequently fired, according to media reports.

Brazil’s Caixa Bank was forced to block thousands of accounts in July, after hackers attempted to steal coronavirus relief payments.

“Any time you have government handouts, there’s always the possibility of fraud,” says an operational risk executive at a North American bank. “You have another round of stimulus handouts so you may see fraud related to that.” US lawmakers approved a third wave of stimulus payments to eligible individuals in late February.

A bulletin by the Financial Industry Regulatory Authority, issued last May, noted an increase in the use of stolen information to establish accounts to divert congressional stimulus funds and unemployment payments.

Op risk managers are right to be worried about fraud. Losses attributable to internal and external fraud made up the largest single loss category for banks and financial institutions in 2020, according to publicly reported loss data collected by ORX News, an op risk data service. Fraud losses totalled $17.9 billion last year, versus $13.8 billion for the second-largest category, ‘clients, products and business practices’.

Another type of scam, according to Finra, involves impersonating firms and creating fake websites to trick customers into revealing personal information or transferring funds. Imposter websites typically mimic a firm’s actual website by creating genuine-looking email domains and accounts to obtain personal information or login credentials, which criminals can use for financial fraud. Finra noted that the prevalence of remote working may increase the likelihood of this type of activity.

Meanwhile, banks’ own defences against fraud have been wrong-footed by changes in consumer habits since the onset of the pandemic. Artificial intelligence-based systems that were trained on past patterns of behaviour began churning out large numbers of false positives as online transactions soared. The bank bots, in effect, saw breaches when there were none, increasing the likelihood that real cases of fraud go undetected amid the noise.

In response, banks have had to supplement machine learning models with more traditional rules-based systems that classify transactions according to pre-set criteria such as age, occupation and income.

Changes in working patterns have affected bank staff too. With many employees either working from home or remote trading floors, financial institutions have seen an increased potential for internal fraud. As the head of a risk control firm described last year, it’s not unusual for young traders to co-habit. How can firms guard against collusion by housemates who may work for rival institutions?

Banks have reacted by upping their surveillance. They are analysing voice communication records,
trade data and employee behaviour to determine whether a transaction is suspicious. The head of op risk at the North American dealer says the firm is tightening controls over what people can receive and send in their email systems.

Fraud losses haven’t yet trickled through into a material increase in operational risk capital, says the operational risk executive, but that could change once a full year’s worth of data becomes available. “We are working on data which is six months old. So the actual effects of what has been happening recently aren’t apparent yet.”

Ransomware attacks also have seen an increase since the start of the pandemic. The number of ransomware attacks against the financial sector grew by nine times from the beginning of February 2020 to the end of April 2020, according to a survey of chief information security officers by tech vendor VMware Carbon Black.

The Financial Crimes Enforcement Network, a unit of the US Treasury, in 2020 warned of a sharp increase in the use of virtual currencies by cyber insurance companies, which could indicate that a business covered by cyber insurance has been targeted by ransomware. Any rise in the flow of criminal money through the financial system could leave banks at greater risk of breaching anti-money laundering rules.

Despite plummeting cash use in many countries facing strict lockdown, money laundering continues to be a major fraud concern. Under anti-money laundering rules in the US, Europe and elsewhere, banks must file suspicious activity reports (SARs) for questionable transactions. However, regulators only have the resources to investigate a small percentage of these reports.

Banks have been seeking more clarity on what information to include in SARs in the hopes of cutting down on needless paperwork and being able to focus on truly fraudulent activity. Forthcoming rule changes in the US and Europe will introduce what’s hoped to be a more targeted approach to detecting dirty money. Firms will be required to identify specific risks and address them directly, instead of the current approach that leaves authorities swamped with reports, many of which are not an enforcement priority.

A proposed rulemaking in the US would encourage banks to boil down the content of SARs so that the reports only contain information with a “high degree of usefulness” for enforcement agencies. In other words, the onus shifts from the regulator to the bank in deciding what is or isn’t relevant.

In general, experts say institutions can help combat the threat of fraud by maintaining good cyber hygiene, which is network management and configuration and strong authentication, combined with effective security monitoring.

1. Losses by event type (chart): losses in $ billion, scale 0–28, for 2020, 2019 and 2018, by event type: internal fraud; external fraud; employee practices and workplace safety; clients, products and business practices; natural disasters and public safety; technology and infrastructure failure; execution, delivery and process management. Source: ORX News

■ #5 Third-party risk

Pandemic and shift to cloud computing inflame concerns for banks and regulators

Creaking middleware vendors; the inability to pen-test data centres; critical support locations locked shut without warning: 2020 stress-tested organisations’ reliance on outsourcing beyond any op risks manager’s worst nightmares.

And with multinationals facing another year of uncertainty, in which employees and suppliers are part-exiled from their offices – another year in which most firms will be dependent on a handful of vendors to provide video conferencing, remote access to servers, or cloud storage – third-party risk is set to remain top of mind for many managers through 2021.

Among the concerns of financial institutions is to assess security weaknesses of their critical service providers – or for smaller firms, even their basic financial viability.

“It has never been more crucial for operational risk managers to take account of their company’s critical and core third-party service providers,” says an operational risk executive at a North American bank. “The risk they can expose to a company and its potential impact to daily business operations has never been greater.”

Once the pandemic took hold, financial institutions carried out evaluations of critical processes to determine whether they were being handled internally or by third parties. With many third-party vendors located in far-flung locations such as the Philippines, India, Mexico and eastern Europe, users have extended their oversight of key suppliers. Potential disruption to the third party’s business from Covid has reinforced the need for extra scrutiny.

“During Covid, we knew this was a big dependency and we looked at critical outsourced processes. Are they being supported domestically or by a vendor? If so, we had to go to service providers and manage them,” says another operational risk executive.

Firms have also been fielding enquiries from regulators, who have expressed keen interest in the resilience of organisations. The pandemic has spurred banks to investigate the controls their vendors have put in place for managing sensitive data, given the possibility of hackers or rogue employees exploiting network vulnerabilities.

Lapses in third-party risk management were a factor in several high-profile legal settlements during 2020. Deutsche Bank, in settling a case involving the Foreign Corrupt Practices Act, was flagged for inadequate due diligence over the risks
posed by third-party partners, such as the partner’s reputation and relationships with foreign officials. As part of the settlement, Deutsche must take steps to ensure the third party is performing the work described in the contract, and that its compensation is commensurate with the work being provided. The bank must also monitor third-party relationships through updated due diligence, training, audits and compliance certifications by the third party.

In January 2021, ORX News reported that the Australian Securities and Investments Commission and the Reserve Bank of New Zealand experienced data breaches in which a server used for file transfer was hacked. Access to the server was related to third-party file-sharing software that the two regulators were using.

Smaller banks that might have a greater reliance on outsourcing also found themselves exposed. In 2020 ORX News reported two cases of third-party IT suppliers experiencing issues with demand during the pandemic: Investitionsbank Berlin experienced a data breach caused by overcapacity in a third-party website processing grant applications, and Deutsche Kreditbank saw its externally hosted mobile banking app and brokerage website go down due to high demand.

Financial firms are keeping a close eye on the financial stability of their critical service providers, including scrutinising audited statements to determine their credit standing, sources of liquidity and available capital.

And regulators are stepping up their oversight of third-party relationships, especially in the area of cloud computing. In a joint statement in April 2020, US regulators warned that firms need to be able to identify and control the risks associated with cloud computing, contracts between cloud service providers and financial institutions need to be carefully reviewed and appropriate controls implemented to prevent operational failures or breaches.

In general, regulators are neutral to the technology or to whether a bank operates in-house, outsources to a more traditional network service provider, or outsources to a cloud provider. Their focus is on whether the institution is engaging that third-party service in a safe and sound manner. The responsibility for the third-party operation falls to the bank.

One industry professional points out that cloud service provision is currently a triopoly, with Amazon Web Services, Microsoft Azure and Google Cloud sharing most of the market between them. An outage or failure for one of this trio would create “a mess of awesome proportions”, the individual says.

As the pandemic has accelerated the move to the cloud, the work to assess the importance of applications being ported becomes more crucial. “We have seen cases where processes associated with applications are incorrect. Do we know what we’re putting into the cloud and making sure it’s accurate,” says the second operational risk executive.

Controls management is particularly tricky for hybrid cloud environments, say banks, in which public and private clouds are combined so that data can be shared between them. IT risk professionals note that hybrid clouds are more difficult to secure than private clouds, because it’s harder to delineate data flows, which apps are talking to which, and who has access, especially for organisations with large legacy systems.

The UK Prudential Regulation Authority, in 2019 guidance on third-party risk management, noted that when testing exit strategies from cloud service providers, firms with hybrid cloud environments needed to take into account the back-up functions located in their private cloud.

■ #6 Conduct risk

Remote working vastly complicates the job of conduct risk supervisors

For operational risk managers, circling the trading floor, happening upon colleagues in corridors or at the coffee machine and going to meetings have long been vital ways to spot hidden behaviours.

“By working in the office, you can pick up informal signals and signs that may point to issues,” says the head of op risk at a large international bank.

With many professionals confined to their homes since the early part of 2020, that source of intelligence has been lost. So it is not surprising that in the latest Risk.net ranking of Top 10 op risks, conduct risk has moved up from the seventh-most concerning risk for op risk managers to the sixth.

While informal controls on improper behaviour – such as rogue trading and mis-selling – have been eroded, at the same time the risk of misconduct has gone up, notes a regional chief risk officer at another large international bank.

For instance, several sources have pointed to situations where young traders share a house with bankers from other organisations, raising the risk that proprietary information will be leaked, whether by accident or intentionally. Similarly, when working from home, it is much easier to make a call on a personal mobile phone – something that is prohibited on many trading floors – though working in the office is not a panacea either.

“There is nothing to stop staff from doing that when working from the office,” says the head of op risk at the first bank. “They could just as easily walk out and have a coffee with a client.”

Remote working may have also increased psychological pressures on traders. But, without regularly seeing them in the office, it is much harder to identify those who are not in the right state of mind to be taking big risks and making a market for clients.

In response, some banks have enhanced formal controls on employees. One example is the introduction of 24-hour monitoring of the computers of traders who work from home.

The regional chief risk officer at the international bank adds that goals for staff need to be clearly defined to improve oversight. “[These] are even more important when you don’t see staff members every day,” he says.

In other cases, traders police themselves – by keeping open through the day a video chat with other traders at their firm, according to a source at a large Asian investment bank.

But op risk managers also have to simply trust staff more than they used to and rely on a good corporate culture, sources say. Although culture is a nebulous concept and proved challenging to maintain even in the pre-Covid era, the consequences of an unhealthy culture can be painful and long-lasting.

For example, in January 2021, Deutsche Bank agreed to pay US authorities almost $125 million to settle charges related to actions that took place during 2008–17. And in one of the largest recent fines for misconduct, Goldman Sachs shelled out a combined $5 billion in fines and settlements to various parties for its involvement in extensive fraud at Malaysian sovereign wealth fund 1MDB.
Before a corporate culture can be improved, its quality and weak spots need to be pinned down.

A novel way of doing that was proposed in November by a senior executive at HSBC. Georges Elhedery said firms could draw on the vast amounts of employee surveillance data, currently being gathered by dealers, to capture positive signals as well as negative on the bank’s culture. The data could be analysed by machine learning algorithms, he suggested. HSBC already makes use of machine learning bots across various channels of staff communication, to identify untoward activities.

But establishing a good culture is not enough. Firms then need to make sure it is resilient in the face of unexpected pressures and temptations.

One such test came during the early stage of the Covid-19 pandemic, when the US government launched sweeping economic support measures, including loans to be routed to businesses through banks. The emergency package provided ample opportunity for fraud. For instance, in September, JP Morgan said in a memo to staff that it was investigating some employees for misuse of the Paycheck Protection Program loans and other government programmes.

With or without the pandemic, ensuring good conduct by staff is a perennial job for op risk managers. The danger is that the distance from colleagues and the potential feeling of alienation as many workers remain at home have made that job even harder.

■ #7 Regulatory risk

Big dip in fines belies lingering fears over Covid loan mis-selling and sanctions risk

When supervisors intervened in markets over the past 12 months, it was more often to protect lenders than slap firms with fines: with a couple of notable exceptions, regulatory penalties in 2020 plummeted as Covid-19 spread across the globe.

Still, regulatory risk – the fear that changes to rulesets and supervisory expectations create openings for operational mis-steps, disclosure challenges, restrictions on activity or straightforward financial penalties – is never far from thought for banks, stung by fines and penalties totalling almost $1 trillion over the last decade.

Those changes do not have to take the form of regulators wielding a big stick, or even be aimed at banks themselves; last year’s huge government intervention programmes are a case in point. Like many official sector initiatives put together in a hurry, lenders fear the government support packages could become a major source of operational risk.

Any rapid deviation from stated regulatory policy carries its own risks, many argued at the time: “We were having to implement new government programmes at lightning speed,” says a senior op risk executive at a large North American bank.

Regulators’ swift attempts during the springtime to help banks free up liquidity to support the economy created difficulties from a nuts-and-bolts modelling perspective – as well as a potential source of reputational risk for those firms that rapidly became seen as outliers.

Deutsche Bank, for instance, attracted scrutiny for its decision to extend the economic forecast horizon on its loan-loss provisioning model out to three years – even though it argued its move was designed to free up liquidity provision to the real economy in line with official sector requests – a decision that was subsequently vindicated.

The speed with which emergency loans to stricken businesses were rolled out meant banks were forced to expedite some of the usual key processes that safeguard against accusations of mis-selling by failing to rigorously assess whether new loan products meet client suitability criteria – chiefly, whether a customer actually needs the product, can afford it and that it is offered on a non-discriminatory basis.

In the US, the Paycheck Protection Program, designed to provide financial assistance to small businesses, resulted in allegations that large banks employed deceptive lending practices that favoured large clients by providing forgiveness of loan proceeds for up to two-and-a-half times an owner’s monthly payroll.

As the speed of change accelerates, organisations need to have appropriate processes in place to manage the changes. Covid has clearly pushed the pace of change to the limit.

“As an example, when we implemented the PPP programme, the rules came out on a Friday and we were up and running on a Monday. That doesn’t happen normally,” the senior op risk executive says, grimacing with understatement. “We were never [before] forced to operate at such speed.”

Another senior op risk manager at a large European bank says the dynamic holds true for their country’s Covid loan programme rollout too – and foresees trouble down the line if the

2. Annual loss summary (chart): number of loss events (scale 0–900) and loss amount in $ billion (scale 0–60), by year, 2016 to 2020. Data refers to financial services firms only. ORX maintains running totals of historical loss events, which it updates periodically – to take account of fines or settlement amounts subsequently increasing or decreasing, for instance, and to add previously unreported losses to its database. This means the loss totals reported here may differ from static prior year totals reported by Risk.net. Source: ORX News