
30/3/2018 Top 10 operational risks for 2018 - Risk.net
https://www.risk.net/risk-management/5424761/top-10-operational-risks-for-2018

Top 10 operational risks for 2018


The biggest op risks for 2018, as chosen by industry practitioners

Risk.net staff
22 Feb 2018

In a series of interviews that took place in January and February 2018, Risk.net
spoke to chief risk officers, heads of operational risk and senior practitioners at
financial services firms, including banks, insurers, asset managers and
infrastructure providers. Based on the op risk concerns most frequently selected by
those practitioners, we present our ranking of the industry’s top 10 operational risks
for 2018 (see note on methodology at bottom of article).

#1 IT disruption | #2 Data compromise | #3 Regulatory risk | #4 Theft and fraud | #5 Outsourcing | #6 Mis-selling | #7 Talent risk | #8 Organisational change | #9 Unauthorised trading | #10 Model risk

#1: IT disruption

IT disruptions – whether from a disabling cyber attack, or the more mundane
causes of human error or failure of aging hardware – are considered the top threat
to financial services firms for 2018 by senior operational risk practitioners.

Ensuring resiliency against disruptive cyber attack is an impossibly broad task, op
risk managers admit, taking in everything from information security controls to
scenarios and war games, third-party oversight, data protection and fraud
authentication processes.

In recognition of the proliferating nature of the threat, last year’s single ‘Cyber risk’
category has been broken out into multiple categories for this year’s survey.

Guarding against known risks such as DDoS is a given. What worries op risk
managers more are the harder-to-measure disruptive threats – cyber and physical
– to their firm’s networks. Malware, employee error and plain old hardware failure
can be just as crippling when it comes to a loss of operational functionality.

Lump in the risk of physical disruption to a bank’s network – from sources as varied
as a city-wide power outage, to an attack from a weaponised electromagnetic
pulse – and it’s not hard to see why op risk practitioners rank IT disruption as the
most significant operational threat facing their firms.

The disruption to services from successful ransomware attacks is usually far more
costly than payment made to cyber thieves, as the 2017 WannaCry attack showed.
Still harder to quantify are the thousands of man-hours invested in universal
training for staff, or spent trying to trace when and where successful breaches
occurred.

Many of last year’s worst IT disruptions can be attributed to faulty software,
practitioners note. The US Comptroller of the Currency notes weaknesses in
controls and governance related to information security within banks. Patch
management – the application of fixes or updates when vulnerabilities are identified
in software – and access management are of particular concern, because they are
the soft spots through which attackers can penetrate a bank’s outer perimeters.

Some argue regulators’ expectations are unreasonable when it comes to cyber
attacks. US prudential regulators say financial institutions should be capable of a
two-hour return to operations – something practitioners argue is unrealistic and
potentially dangerous.

#2: Data compromise

Cyber theft, unauthorised access, accidental disclosure and employee negligence
– there are a multitude of ways in which the vast quantities of personal information
banks and financial services firms hold can fall into the wrong hands. Small
wonder, then, that around half of the op risk professionals that Risk.net spoke to for
this year’s Top 10 Op Risks adjudged data theft as the number one operational
threat to their organisation for the year ahead.

The headline data breach of 2017 was the cyber attack on credit reporting agency
Equifax, which compromised personal information including names, social security
numbers, driving licence numbers, credit card numbers and personal documents,
relating to an estimated 145 million individuals.

Equifax came in for criticism for not publicly acknowledging the breach until
September 2017. The reticence to report cyber attacks is an industry-wide problem,
op risk managers admit. From May 2018, the European Union’s General Data
Protection Regulation aims to tackle such underreporting by requiring firms to
inform their relevant regulator of any data breaches within 72 hours. Failure to do
so could result in unprecedented penalties: firms can face fines of up to 4% of their
global turnover in the event of a serious data breach.

 
Op risk practitioners at larger banks describe the job of trying to comply with the
regime across all their global businesses before the go-live as akin to “boiling the
ocean”. Many candidly acknowledge that the job of updating contracts to update
data permission rights will not be complete by May – and that they will find
themselves relying on regulatory forbearance to a degree.

Regulators themselves provide tempting targets for data thieves because of the
volumes of non-public information they amass on companies. In September 2017,
the Securities and Exchange Commission revealed that an incident previously
detected in 2016 may have provided the basis for illicit gain through trading.

As for quantifying losses from data breaches, banks have long expressed a need
for better tools in making these calculations. For all the time and resources
invested in models to estimate potential losses from market and credit risks, many
firms are unable to measure their exposure to data breaches with anything like
the same degree of accuracy – partly a function of the non-linear relationship
between a bank’s safeguards and its likelihood of suffering loss.

#3: Regulatory risk

Anyone looking for a ready-made example of the constantly evolving nature of
regulatory attitudes to supervision – and the risks this unpredictability poses to
firms as they go about their business – got one last month, courtesy of the US
Federal Reserve. Its cease-and-desist order to Wells Fargo in February, which
stops the bank from being able to grow at all until it improves its governance and
risk management practices, is just the latest sobering example for banks.

This singular action caused Wells to slash its profit estimate for the year by up to
$400 million, and has put op risk managers around the world on high alert. The
standard pattern in the post-crisis era has seen authorities dole out fines for
incidents of misconduct. Op risk practitioners now speculate that watchdogs will
deploy an array of tools to enforce their will – as the Fed has done – or lean more
heavily on periodic, qualitative surveys of their charges as a means of practising
‘soft’ enforcement.

In some ways, fines are diminishing in importance. The Basel Committee’s decision
to junk op risk modelling in favour of the simpler standardised measurement
approach in December last year comes with the added sweetener of
allowing national competent authorities the option of excluding loss history from
the calculation of banks’ operational capital, and allows the banks themselves to
petition their regulators to remove certain op risk losses they believe they are not in
danger of repeating.

One tool at the disposal of supervisors is the ability to adjust an institution’s Pillar 2
capital; and Bank of England governor Mark Carney has suggested UK authorities
may do just that if banks demonstrate failures in conduct risk controls.

Other new regulations require supervised entities to report large amounts of
complex data to regulators or release it into the public domain. Mifid II, the
European Union’s General Data Protection Regulation, and the Fed’s
Comprehensive Capital Analysis and Review are three areas cited by the global
head of op risk as fraught with regulatory reporting risk.

#4: Theft and fraud

Dealing with theft and fraud is part and parcel of a risk manager’s job. But with
attempted breaches from both now concentrated in the digital realm, banks are
significantly less worried about physical robberies than they are about cyber
bandits.

Whether realised losses from cyber fraud still trump the old-fashioned variety on an
industry-wide basis is another matter, however. Many of last year’s largest op risk
losses from fraud were more conventional. The Agricultural Bank of China, for
instance, faced losses of $497 million after being defrauded by employees of
billionaire Guo Wengui – the tenth largest loss event of 2017. In another case, eight
Indian banks incurred $770 million in losses in a fraud case involving Kingfisher
Airlines founder Vijay Mallya – the industry’s seventh largest reported loss event
last year.

Yet the fear among banks of catastrophic losses from cyber theft or fraud remains
palpable – probably largely due to the sheer number of daily attacks on their
defences. Everything from email phishing threats to highly sophisticated attempts
to introduce malware into networks is to be expected for an institution of any size.
The potential loss from such incidents could range from pennies to billions of
dollars.

In September, for example, Swedish banks were hit with a concentrated phishing
attack that saw hackers use malware to gain access to banks’ networks, allowing
them to redirect payment orders and siphon off funds. Three of the country’s banks
face cumulative potential losses of Skr250 million ($312 million), according to
Swedish police.

There is also evidence to suggest a nonlinear relationship between the strength of
a bank’s controls and the likelihood of it suffering a cyber attack, op risk managers
point out; what appears to matter more to would-be cyber thieves is a bank’s
perceived weakness as a target. Some point to the concentration of cyber frauds
conducted over payment networks targeting emerging market banks as anecdotal
evidence of this.

#5: Outsourcing

Outsourcing remains a top operational risk for practitioners this year – unsurprising,
given banks’ growing reliance on vast networks of vendors for everything from
online platform management to extra grid capacity.

Op risk managers are divided, however, on where outsourcing risk sits within their
policy frameworks. Many say they still treat it as a discrete risk in its own right – but a
few say they see it through the lens of the two principal categories of risk it opens
them up to: compromise of their data, or disruption to their own IT environment.

Poor third-party management leaves banks and financial services firms exposed to
the risk of costly fines for significant data breaches, lawyers warn, especially with
the advent of the EU’s General Data Protection Regulation, which enters into
force in May. Given the size of the potential fines in the event of significant data
breaches – up to 4% of a firm’s global turnover – legal wrangles over where
culpability lies are likely to increase.

Aside from the concerns of data breaches resulting from hacking or the introduction
of malware, preserving day-to-day continuity in business is also a top priority. Risk
managers say they face difficulty in negotiating the appropriate risk management
clauses in standard contracts with large vendors.

Banks’ adoption of cloud computing to cut hardware costs and boost capacity has
spurred regulators into action. The European Banking Authority issued final
guidance in December on the use of cloud service providers by financial
institutions. The guidance crystallises regulatory expectations for firms outsourcing
services to cloud providers around key areas such as access and audit rights and
contingency plans and exit strategies.

#6: Mis-selling

The mis-selling of financial products – from humble residential mortgages, to
securitisations stuffed full of thousands of them – has been a perennial concern for
op risk managers over the past decade.

Practitioners’ pessimism is well founded. As the harvest of compensation payments
in 2017 demonstrates, mis-selling is a crop that takes years to ripen. Take the case
brought by the US Federal Housing Finance Agency against RBS for mis-selling
mortgage-backed securities. RBS became one of the last banks to settle with US
authorities in July for $5.5 billion. A few months previously, the bank paid a share
of a $165 million settlement to unhappy investors in a flawed mortgage
securitisation it had underwritten in 2006–7, alongside Deutsche Bank and Wells
Fargo.

Just as the growing use of automated algorithmic trading software has led to fears
of new forms of unauthorised trading, the growth in automated customer advisory
systems known as ‘robo-advisers’ has led at least one regulator, the US Securities
and Exchange Commission, to lay out guidelines on how these algorithms can
avoid misleading customers – and how human overseers should be held
accountable if they do.

Increasingly, regulators are putting the onus back on to bank management to
change sales culture and root out individual bad apples. In the UK, the FCA
shelved its banking culture enquiry in late 2015, putting its faith instead in the
Senior Managers Regime, which imposes new and explicit lines of responsibility
on managers at all levels in large financial institutions.

#7: Talent risk

Talent risk enters the top 10 for the first time this year – an unwelcome sign of the
finance industry’s struggle to attract, train and retain the best and brightest amid
competition from other sectors such as technology.

It’s not just front office jobs: banks have repeatedly warned in the last 18 months
that they are struggling to attract and retain sufficiently experienced risk managers
across functions as diverse as regulatory reporting and model validation. This is
having real world consequences for the quality of their op risk management, they
warn: more than one bank Risk.net spoke to for this year’s top 10 notes an
increase in reporting failures due to human error, where less experienced staff had
been pushed into high-pressure roles; others point to project overruns due to a
shortage of staff.


At the graduate recruitment level, senior risk managers have long warned the
industry is struggling to attract the brightest and best quant finance grads in the
face of increasing competition from technology firms. In days gone by, quants
working in a risk management function for a bank might have cut their teeth in a
more front office-oriented role such as derivatives pricing; but such jobs are harder
to come by these days, with many banks pulling back from exotic derivatives
trading, and US banks for now barred from proprietary trading under the Volcker
rule.

Now, grads might be expected to enter a bank as a model risk manager – a well
paid job, but not one with the prestige or autonomy of working as a bank quant in
the pre-crisis era, and a harder sell when compared with the comparative cool
factor of working for a tech firm instead. Those that do enter banks directly as
specialists will also be less experienced – leading to a hollowing out of the ranks at
the mid-level, senior quants warn.

#8: Organisational change

Almost every survey respondent offered a different answer when asked what
worries them most about organisational change. To some, it is the pressure to keep
pace with technological change, with the vague promise that, some years down the
line, the investment will pay off and allow them to boost revenues or slash costs; to
others, it is the ultimate risk that such changes will see them superseded
altogether.

Some op risk practitioners point to the immediate problems technological change
can bring to organisations that adopt new ways of doing business without yet
having a control environment ready to handle them.

Others could see their very future imperilled by regulatory change. Voice brokers
complain Mifid II’s push of more financial instruments towards electronic trading
could leave their role in arranging transactions redundant; bank research staff have
also been impacted by the legislation, with Mifid forcing dealers to unbundle the
implied cost of research from trade execution and other services.


Geopolitical risk – absent from this year’s survey as a category in its own right –
can also force change on firms, simply due to the physical upheaval. Non-
European banks currently using London as their base through which to access the
single market will be forced to set up new entities within the EU, to house some of
the functions that depend on such access. Political pressure to repatriate jobs will
also be a factor.

Political and regulatory mandates aren’t the only source of such change: banks
continue to heap misery on their own staff through internal restructuring and cost
cutting, which can have a very real impact on the quality of operational risk
management, senior practitioners warn.

#9: Unauthorised trading

The definition of unauthorised trading has continued to evolve, in line with changing
market structure. Rogue algorithms are now considered a source of potential losses
equal to, if not greater than, rogue traders purposefully circumventing the controls,
or fat-finger error, according to survey respondents.

Like all sizable op risk losses, the impact on a bank’s capital from an
unauthorised trading incident lingers long after the initial breach has occurred. And
banks can find wrangles over their losses continuing for years after the event:
Societe Generale is currently fighting the French government over a €2.2 billion
($2.73 billion) tax writeoff it took on losses inflicted by the rogue trader Jerome
Kerviel in 2008.

In the UK, the Senior Managers Regime mandates clear ownership by named
individuals of the development, testing and oversight for each trading algorithm. It
also highlights that algorithms should be re-validated before being deployed in a
different market, and asks for documentation of the differences between testing
and real-world environments – both measures aimed at the risks involved in
deploying algorithms in unfamiliar trading conditions.

There are hopeful signs that banks and regulators are getting smarter when it
comes to balancing carrot-and-stick incentives to encourage good behaviour
among traders. In the US, Citi has made much of its recent bonus scheme
overhaul, intended to change the bank’s culture by linking compensation explicitly
to ethical conduct as well as bottom line performance.

However, some fear prudential regulators’ recent upending of the op risk capital
framework could have a detrimental impact in this regard. The standardised
measurement approach removes banks’ freedom to factor in the impact that
changes in internal controls would have in preventing future breaches from the
capital calculation process – a tactic many banks were successfully able to employ
to reduce requirements under the own-models approach. Practitioners have
argued this could take away the incentive to improve controls in the first place,
engendering a new source of operational risk.

#10: Model risk

Model risk re-enters the top 10 this year, for the first time since 2015 – a reflection
of the growing regulatory burdens placed on banks’ modelling and validation teams
in a number of key jurisdictions. It also hints at the potential cost of errors should
banks make a mistake.

This year saw the European Central Bank roll out the inspection phase of its
Targeted Review of Internal Models (Trim), while the US Federal Reserve
incorporated model risk governance into the qualitative portion of its annual
stress-testing programme for the largest US banks. The Bank of England also
updated its model management principles for UK entities in March, while Canadian
watchdogs followed suit in the autumn.

Ironically, the perceived rise in model risk among banks comes at a time when
banks' freedom to use internal models to calculate regulatory capital is set to be
severely curtailed under Basel III – which partially floors model outputs to capital
numbers achieved using a standardised approach – or removed completely in the
case of Pillar 1 calculations for operational risk.

Banks have made it clear they intend to keep parts of their op risk modelling
apparatus to calculate Pillar 2 requirements – good news for op risk model quants
and model validation specialists who might otherwise find themselves out of a job.


Profiles by Tom Osborn, Alexander Campbell, Steve Marlin, Afiq Isa and Louie
Woodall

A note on the methodology:

This year, respondents were asked to supplement standardised risk taxonomies
with real-world examples of given risks.

Cyber risk, which topped the 2016 and 2017 surveys, was broken up this year, and
its impact considered across multiple categories – primarily IT disruption, data
compromise and theft and fraud.

Mis-selling and unauthorised trading were considered a function of conduct risk in
the 2017 rankings.

Top 10 op risks 2018

Risk                    2018 position   2017 position
IT disruption           1               1*
Data compromise         2               1*
Regulatory risk         3               2
Theft and fraud         4               9
Outsourcing             5               3
Mis-selling             6               5*
Talent risk             7               new
Organisational change   8               6
Unauthorised trading    9               5*
Model risk              10              -

* See note on methodology above

Copyright Infopro Digital Limited 2017. All rights reserved.
