Risk.net staff
22 Feb 2018
In a series of interviews that took place in January and February 2018, Risk.net
spoke to chief risk officers, heads of operational risk and senior practitioners at
financial services firms, including banks, insurers, asset managers and
infrastructure providers. Based on the op risk concerns most frequently selected by
those practitioners, we present our ranking of the industry’s top 10 operational risks
for 2018 (see note on methodology at bottom of article).
#1: IT disruption
https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018 1/12
30/3/2018 Top 10 operational risks for 2018 - Risk.net
scenarios and war games, third-party oversight, data protection and fraud
authentication processes.
In recognition of the proliferating nature of the threat, last year’s single ‘Cyber risk’
category has been broken out into multiple categories for this year’s survey.
Guarding against known risks such as DDoS is a given. What worries op risk
managers more are the harder-to-measure disruptive threats – cyber and physical
– to their firm’s networks. Malware, employee error and plain old hardware failure
can be just as crippling when it comes to a loss of operational functionality.
Lump in the risk of physical disruption to a bank’s network – from sources as varied
as a city-wide power outage, to an attack from a weaponised electromagnetic
pulse – and it’s not hard to see why op risk practitioners rank IT disruption as the
most significant operational threat facing their firms.
The disruption to services from successful ransomware attacks is usually far more
costly than payment made to cyber thieves, as the 2017 WannaCry attack showed.
Still harder to quantify are the thousands of man-hours invested in universal
training for staff, or spent trying to trace when and where successful breaches
occurred.
#2: Data compromise
The headline data breach of 2017 was the cyber attack on credit reporting agency
Equifax, which compromised personal information including names, social security
numbers, driving licence numbers, credit card numbers and personal documents,
relating to an estimated 145 million individuals.
Equifax came in for criticism for not publicly acknowledging the breach until
September 2017. The reticence to report cyber attacks is an industry-wide problem,
op risk managers admit. From May 2018, the European Union’s General Data
Protection Regulation aims to tackle such underreporting by requiring firms to
inform their relevant regulator of any data breaches within 72 hours. Failure to do
so could result in unprecedented penalties: firms can face fines of up to 4% of their
global turnover in the event of a serious data breach.
Op risk practitioners at larger banks describe the job of trying to comply with the
regime across all their global businesses before the go-live as akin to “boiling the
ocean”. Many candidly acknowledge that the job of updating contracts to update
data permission rights will not be complete by May – and that they will find
themselves relying on regulatory forbearance to a degree.
Regulators themselves provide tempting targets for data thieves because of the
volumes of non-public information they amass on companies. In September 2017,
the Securities and Exchange Commission revealed that an incident previously
detected in 2016 may have provided the basis for illicit gain through trading.
As for quantifying losses from data breaches, banks have long expressed a need
for better tools in making these calculations. For all the time and resources
invested in models to estimate potential losses from market and credit risks, many
firms are unable to measure their exposure to data breaches with anything like
the same degree of accuracy – partly a function of the non-linear relationship
between a bank’s safeguards and its likelihood of suffering loss.
This singular action caused Wells to slash its profit estimate for the year by up to
$400 million, and has put op risk managers around the world on high alert. The
standard pattern in the post-crisis era has seen authorities dole out fines for
instances of misconduct. Op risk practitioners now speculate that watchdogs will
deploy an array of tools to enforce their will – as the Fed has done – or lean more
heavily on periodic, qualitative surveys of their charges as a means of practising
‘soft’ enforcement.
In some ways, fines are diminishing in importance. The Basel Committee’s decision
to junk op risk modelling in favour of the simpler standardised measurement
approach in December last year comes with the added sweetener of
allowing national competent authorities the option of excluding loss history from
the calculation of banks’ operational capital, and allows the banks themselves to
petition their regulators to remove certain op risk losses they believe they are not in
danger of repeating.
One tool at the disposal of supervisors is the ability to adjust an institution’s Pillar 2
capital; and Bank of England governor Mark Carney has suggested UK authorities
may do just that if banks demonstrate failures in conduct risk controls.
#4: Theft and fraud
Dealing with theft and fraud is part and parcel of a risk manager’s job. But with
attempted breaches from both now concentrated in the digital realm, banks are
significantly less worried about physical robberies than they are about cyber
bandits.
Whether realised losses from cyber fraud still trump the old-fashioned variety on an
industry-wide basis is another matter, however. Many of last year’s largest op risk
losses from fraud were more conventional. The Agricultural Bank of China, for
instance, faced losses of $497 million after being defrauded by employees of
billionaire Guo Wengui – the tenth largest loss event of 2017. In another case, eight
Indian banks incurred $770 million in losses in a fraud case involving Kingfisher
Airlines founder Vijay Mallya – the industry’s seventh largest reported loss event
last year.
Yet the fear among banks of catastrophic losses from cyber theft or fraud remains
palpable – probably largely due to the sheer number of daily attacks on their
defences. Everything from email phishing threats to highly sophisticated attempts
to introduce malware into networks is to be expected for an institution of any size.
The potential loss from such incidents could range from pennies to billions of
dollars.
In September, for example, Swedish banks were hit with a concentrated phishing
attack that saw hackers use malware to gain access to banks’ networks, allowing
them to redirect payment orders and siphon off funds. Three of the country’s banks
face cumulative potential losses of Skr250 million ($312 million), according to
Swedish police.
#5: Outsourcing
Outsourcing remains a top operational risk for practitioners this year – unsurprising,
given banks’ growing reliance on vast networks of vendors for everything from
online platform management to extra grid capacity.
Op risk managers are divided, however, on where outsourcing risk sits within their
policy frameworks. Many say they still treat it as a discrete risk in its own right – but a
few say they see it through the lens of the two principal categories of risk it opens
them up to: compromise of their data, or disruption to their own IT environment.
Poor third-party management leaves banks and financial services firms exposed to
the risk of costly fines for significant data breaches, lawyers warn, especially with
the advent of the EU’s General Data Protection Regulation, which enters into
force in May. Given the size of the potential fines in the event of significant data
breaches – up to 4% of a firm’s global turnover – legal wrangles over where
culpability lies are likely to increase.
Aside from the concerns of data breaches resulting from hacking or the introduction
of malware, preserving day-to-day continuity in business is also a top priority. Risk
managers say they face difficulty in negotiating the appropriate risk management
clauses in standard contracts with large vendors.
Banks’ adoption of cloud computing to cut hardware costs and boost capacity has
spurred regulators into action. The European Banking Authority issued final
guidance in December on the use of cloud service providers by financial
institutions. The guidance crystallises regulatory expectations for firms outsourcing
services to cloud providers around key areas such as access and audit rights and
contingency plans and exit strategies.
#6: Mis-selling
Just as the growing use of automated algorithmic trading software has led to fears
of new forms of unauthorised trading, the growth in automated customer advisory
systems known as ‘robo-advisers’ has led at least one regulator, the US Securities
and Exchange Commission, to lay out guidelines on how these algorithms can
avoid misleading customers – and how human overseers should be held
accountable if they do.
#7: Talent risk
Talent risk enters the top 10 for the first time this year – an unwelcome sign of the
finance industry’s struggle to attract, train and retain the best and brightest amid
competition from other sectors such as technology.
It’s not just front office jobs: banks have repeatedly warned in the last 18 months
that they are struggling to attract and retain sufficiently experienced risk managers
across functions as diverse as regulatory reporting and model validation. This is
having real world consequences for the quality of their op risk management, they
warn: more than one bank Risk.net spoke to for this year’s top 10 notes an
increase in reporting failures due to human error, where less experienced staff had
been pushed into high-pressure roles; others point to project overruns due to a
shortage of staff.
At the graduate recruitment level, senior risk managers have long warned the
industry is struggling to attract the brightest and best quant finance grads in the
face of increasing competition from technology firms. In days gone by, quants
working in a risk management function for a bank might have cut their teeth in a
more front office-oriented role such as derivatives pricing; but such jobs are harder
to come by these days, with many banks pulling back from exotic derivatives
trading, and US banks for now barred from proprietary trading under the Volcker
rule.
Now, grads might be expected to enter a bank as a model risk manager – a well
paid job, but not one with the prestige or autonomy of working as a bank quant in
the pre-crisis era, and a harder sell when compared with the comparative cool
factor of working for a tech firm instead. Those that do enter banks directly as
specialists will also be less experienced – leading to a hollowing out of the ranks at
the mid-level, senior quants warn.
#8: Organisational change
Almost every survey respondent offered a different answer when asked what
worries them most about organisational change. To some, it is the pressure to keep
pace with technological change, with the vague promise that, some years down the
line, the investment will pay off and allow them to boost revenues or slash costs; to
others, it is the ultimate risk that such changes will see them superseded
altogether.
Others could see their very future imperilled by regulatory change. Voice brokers
complain Mifid II’s push of more financial instruments towards electronic trading
could leave their role in arranging transactions redundant; bank research staff have
also been impacted by the legislation, with Mifid forcing dealers to unbundle the
implied cost of research from trade execution and other services.
Geopolitical risk – absent from this year’s survey as a category in its own right –
can also force change on firms, simply due to the physical upheaval. Non-European
banks currently using London as their base through which to access the
single market will be forced to set up new entities within the EU, to house some of
the functions that depend on such access. Political pressure to repatriate jobs will
also be a factor.
Political and regulatory mandates aren’t the only source of such change: banks
continue to heap misery on their own staff through internal restructuring and cost
cutting, which can have a very real impact on the quality of operational risk
management, senior practitioners warn.
#9: Unauthorised trading
The definition of unauthorised trading has continued to evolve, in line with changing
market structure. Rogue algorithms are now considered an equivalent, if not
greater, source of potential losses than rogue traders purposefully circumnavigating
the controls, or fat-finger error, according to survey respondents.
Like all sizable op risk losses, the impact on a bank’s capital from an
unauthorised trading incident lingers long after the initial breach has occurred. And
banks can find wrangles over their losses continuing for years after the event:
Societe Generale is currently fighting the French government over a €2.2 billion
($2.73 billion) tax writeoff it took on losses inflicted by the rogue trader Jerome
Kerviel in 2008.
In the UK, the Senior Managers Regime mandates clear ownership by named
individuals of the development, testing and oversight for each trading algorithm. It
also highlights that algorithms should be re-validated before being deployed in a
different market, and asks for documentation of the differences between testing
and real-world environments – both measures aimed at the risks involved in
deploying algorithms in unfamiliar trading conditions.
There are hopeful signs that banks and regulators are getting smarter when it
comes to balancing carrot-and-stick incentives to encourage good behaviour
among traders. In the US, Citi has made much of its recent bonus scheme
However, some fear prudential regulators’ recent upending of the op risk capital
framework could have a detrimental impact in this regard. The standardised
measurement approach removes banks’ freedom to factor in the impact that
changes in internal controls would have in preventing future breaches from the
capital calculation process – a tactic many banks were successfully able to employ
to reduce requirements under the own-models approach. Practitioners have
argued this could take away the incentive to improve controls in the first place,
engendering a new source of operational risk.
#10: Model risk
Model risk re-enters the top 10 this year, for the first time since 2015 – a reflection
of the growing regulatory burdens placed on banks’ modelling and validation teams
in a number of key jurisdictions. It also hints at the potential cost of errors should
banks make a mistake.
This year saw the European Central Bank roll out the inspection phase of its
Targeted Review of Internal Models (Trim), while the US Federal Reserve
incorporated model risk governance into the qualitative portion of its annual
stress-testing programme for the largest US banks. The Bank of England also
updated its model management principles for UK entities in March, while Canadian
watchdogs followed suit in the autumn.
Ironically, the perceived rise in model risk among banks comes at a time when
banks’ freedom to use internal models to calculate regulatory capital is set to be
severely curtailed under Basel III – which partially floors model outputs to capital
numbers achieved using a standardised approach – or removed completely in the
case of Pillar 1 calculations for operational risk.
Banks have made it clear they intend to keep parts of their op risk modelling
apparatus to calculate Pillar 2 requirements – good news for op risk model quants
and model validation specialists who might otherwise find themselves out of a job.
Profiles by Tom Osborn, Alexander Campbell, Steve Marlin, Afiq Isa and Louie
Woodall
Cyber risk, which topped the 2016 and 2017 surveys, was broken up this year, and
its impact considered across multiple categories – primarily IT disruption, data
compromise and theft and fraud.
Risk                    2018 rank   2017 rank
Data compromise         2           1*
Regulatory risk         3           2
Theft and fraud         4           9
Outsourcing             5           3
Mis-selling             6           5*
Talent risk             7           new
Organisational change   8           6
Unauthorised trading    9           5*
Model risk              10          -