Top 10 operational risks for 2017

Risk.net presents the top 10 operational risks of 2017, as chosen by risk
practitioners

Financial institutions face a range of operational challenges in 2017

Risk.net staff
@riskdotnet

23 Jan 2017

In a series of interviews that took place in November and December 2016,
Risk.net spoke to chief risk officers, heads of operational risk and other op risk
practitioners at financial services firms, including banks, insurers and asset
managers. Based on the op risk concerns most frequently selected by those
practitioners, we present our ranking of the top 10 operational risks for 2017.

#1 Cyber risk and data security | #2 Regulation | #3 Outsourcing |
#4 Geopolitical risk | #5 Conduct risk | #6 Organisational change |
#7 IT failure | #8 AML, CTF and sanctions compliance | #9 Fraud |
#10 Physical attack

#1: Cyber risk and data security

An overwhelming number of risk managers ranked the threat from cyber attacks
as their top operational risk for 2017 – the second year in a row it has topped the
rankings, this year by an even larger margin.

And this is no surprise as the threat from cyber attacks is not only growing, but
also mutating into new and insidious forms, say risk practitioners.

From the Bangladesh Bank heist back in February – which saw hackers exploit
vulnerabilities in the Swift financial communications network to steal $81 million
from accounts belonging to the central bank – to November's theft of £2.5 million
($3.1 million) from 9,000 Tesco Bank customers' accounts following a data
breach, the threat from cyber attacks was ever-present over the past year.

As if the reputational damage alone weren't enough to spur banks into action, the
threat of action from regulators for firms whose cyber resiliency isn't up to
scratch probably will be. In September 2016, the UK Financial Conduct Authority
revealed that the number of reported incidents of cyber crimes at firms under its
jurisdiction had jumped to 75 for the year to date, from just five in 2014. That
followed comments from the regulator at June's Cyber Risk Europe conference
that it would be challenging firms more regularly on cyber security going forward.

Under the European Union's forthcoming General Data Protection Regulation
(GDPR), which comes into force in May 2018, financial organisations face
eye-watering fines of up to 4% of their global annual turnover for data privacy
breaches. If GDPR were in force now, Tesco Bank's fine for its data breach could
have been as high as £1.9 billion, according to some estimates.


The source of potential cyber threats is hard to pin down, say banks, which makes
building appropriate controls a serious challenge and attacks nearly impossible to
avoid.

According to the head of operational risk at one large European bank: "There are
three categories of people that carry out cyber attacks. There's the guy that's
sitting alone in his bedroom doing it; there are organised groups doing it; and
there are governments doing it."

Cyber criminals do not discriminate between organisations based on their size
and location, but the financial sector enjoys the dubious privilege of being one of
the most targeted industries, alongside healthcare. Organisations would do well to
spend more time defining their risk appetite instead of trying to ensure their
systems are impenetrable, practitioners counsel.

Industry view
Rajat Baijal, head of enterprise risk at BGC and Cantor Fitzgerald:
"Cyber risk will stay pertinent for a while. What I find quite fascinating about
cyber risk is the sheer pace of change: recent events suggest that the
hackers are one step ahead of the banks in this rapidly evolving space.
Given the uncertainties, firms may choose to strike a balance between
actively managing the risk by investing in suitable resource and
infrastructure, and accepting or transferring the risk by buying a suitable
insurance policy for example. This balance between managing and
accepting and transferring the risk will vary across firms, and should be a
key part of defining the firm's risk appetite."

Stephanie Snyder, senior vice president, Aon professional risk solutions:
"We talk about the evolving nature of cyber risk, which is only going to
increase with the Internet of Things and additional automation. I believe
that, as we move into 2017, we're going to start seeing more cyber-related
business interruption losses; you're not going to read about them in the
press, but every organisation that runs off of a technology infrastructure –
which is, really, every organisation – is going to be impacted."

Jonathan Wyatt, global lead of IT governance and risk management, Protiviti:
"What a cyber strategy should really be doing is not trying to prevent the
attack – because that is very difficult – but trying to manage the outcome.
The problem we have with cyber is most people in financial services are not
doing it this way. They're not stepping back and thinking about outcomes,
risk appetite and what they do; they're throwing money at it, trying to make
the door more secure – but there are still plenty of people who know how to
open the door. When you get techies talking to board executives about
threats, vulnerabilities, weaknesses, the dialogue breaks down."

#2: Regulation
To many op risk practitioners, the landmark regulations of the post-crisis era – the
overhaul of the capital adequacy framework, widespread market structure
reforms, far-reaching changes to accounting practices – represent a laundry list
of potential operational risks for their institution.

Fines and penalties for noncompliance, the restructuring of desks and operations
and the shuttering of businesses all present complex and hard-to-model threats.
In the US, the Dodd-Frank Act alone – irrespective of President Trump's promise
to expunge it – has produced thousands of pages of rulemakings from prudential
and markets regulators, covering everything from stress testing to clearing, trade
execution to hedge fund reporting.

Closer to home for op risk professionals, the Basel Committee on Banking
Supervision's proposal to replace the advanced measurement approach (AMA) for
modelling operational risk is already presenting all manner of issues.

By requiring firms to hold the same amounts of operational risk capital against all
forms of business, regulators are encouraging firms to enter businesses that
exclusively expose themselves to operational risks to maximise their return on
equity, argue op risk practitioners.

"Operational risk seems to be the one that's causing regulators the most concern;
they struggle with it," says the head of operational risk at an international bank in
London. "There is a danger they will push something through in order to get [the
Basel IV agenda] out at the same time. As the SMA proposal stands now, it will
have a huge impact on operational risk capital, and group heads are committed to
not having an increase in capital overall – so it will be interesting to see where that
all comes out."

Industry view

Fenton Aylmer, operational risk management lead for business practices and
conduct, Citi:
"All the rules and regulations since the financial crisis make us need to be
very quick in our adoption and interpretation. It doesn't give us a lot of time
to react. Because there's so many people that need to be informed,
appropriate and relevant awareness and education programmes are
critical. We need to make sure that each of our employees is fully aware of
their roles and responsibilities, as well as the ethical repercussions that are
associated with these rules. That creates a challenge to ensure that we
have proper business practices around each product that we launch so we
fully address the client's needs and don't end up on the wrong side of
regulatory surveillance."

Senior op risk manager at a London-based bank:
"Regulatory change has been a constant for a number of years, and it
should be the number one risk in any organisation. With change comes
elevated operational risk that needs to be appropriately managed. The
challenges faced by banks, especially internationally active ones, are
keeping up with the global change agenda and understanding the
interlinkage of regulatory changes across jurisdictions."

Industry consultant and former head of op risk:
"Given the backdrop of a series of financial scandals, global regulators
have used the stick of fines and sanctions to bring more order. There is a
danger that these will become more and more punitive, such that it will be
difficult for firms to recover."

Zahra Al Halwachi, operational risk manager, Mashreq Bank:
"Regulations are changing frequently, which for banks with international
branches may result in fines and penalties if not implemented [properly].
And they are becoming more complex as well."

#3: Outsourcing

Outsourcing makes it into our top three operational risks this year, spurred by a
clear message from regulators that firms must improve oversight of third-party risk
management, or else face punitive sanctions.

Aviva provided one of the highest-profile examples of last year. In October 2016,
the firm was hit with an £8.2 million fine from the UK Financial Conduct Authority
for failure to ensure adequate controls and oversight of outsourced client money
handling arrangements.

The size of the penalty, combined with the undesirable publicity the case
attracted, caused alarm for many op risk practitioners, and emphasised that
regulators are actively hunting for breaches.

Under the EU's forthcoming GDPR legislation (see Cyber segment), financial
organisations must review their existing outsourcing arrangements to ensure they
don't face eye-watering fines – even if the failures are those of third-party service
providers.

GDPR compliance will represent a significant burden, managers say. Banks will
need to know exactly where their customer data is held at all times, and be able to
present this data on demand in a portable format. That will require a thorough
understanding of a complex web of relationships with various outsourcers,
practitioners say.

Industry view

Steve Holt, financial services partner, EY:
"Many companies are only worried about the top 10% of outsourced
arrangements – the ones that they spend most money on. That's not
necessarily reflective of their risk profile; you may be spending millions with
a global outsourcer, but it may be a small outsourcer with not-very-mature
controls that's holding some key customer personal data where you suffer a
loss... In many cases, outsourcing providers actually outsource to other
organisations, so it becomes a massively complex ecosystem. [But]
financial services firms still have overall responsibility for ensuring that the
data is controlled and secure. This is a key requirement of the GDPR."

Simon Ashby, associate professor of financial services, Plymouth Business
School:
"In general, outsourcing is not necessarily cheaper – plus there are
downsides. Reputational risk is definitely one of the key risks; service
delivery, quality, continuity of service are others. Another key risk is, if there
is a big disruption to services – say your outsourcing company goes
bankrupt or there's another major business continuity effect – can you bring
that activity back in house and can you do it quickly?"

#4: Geopolitical risk

The election of Donald Trump as US president, combined with the UK's shock vote
to withdraw from the European Union, has pushed geopolitical risk into the top 10
this year, rocketing all the way to number four.

The prospect of a so-called hard Brexit, including a departure from the European
single market, as outlined in UK prime minister Theresa May's January 17
speech, will have serious implications for the financial services industry, with
London home to the European headquarters of most of the world's top banking,
insurance and asset management companies.

Banks are expected to start moving staff out of London in 2017. Those plans are
unlikely to be reversed even if the UK secures favourable access to the European
single market, say op risk practitioners. The consequences could be as painful as
they are idiosyncratic; witness fears of a politically motivated attempt by European
legislators to forcibly relocate euro clearing to the eurozone, the cost of which
could be as high as $100 billion in additional margin requirements for banks and
their clients.

Banks with relatively small operations inside the eurozone, such as the Japanese
banks, are likely to bear the heaviest fallout from Brexit. But even banks with large
eurozone operations will be exposed to increased local market regulator risks,
such as not being allowed to ramp up derivatives trading within a given
jurisdiction.

In addition to its direct costs, Brexit – because it will occur against a backdrop of
significant economic, regulatory and business change – could indirectly
exacerbate other operational risks such as outsourcing (#3), organisational and
business change (#6), regulation (#2), and conduct risk (#5). For example, the
need rapidly to form new supplier relationships opens banks up to heightened
outsourcing risk, say practitioners.

In the US meanwhile, the Trump administration's likely rollback of financial
legislation could create its own risks, risk managers warn. There is also
widespread speculation that supranational regulatory commitments, in particular
the package of prudential reforms collectively dubbed Basel IV, could now be
revisited, creating further uncertainty for banks.

Regulatory capital requirements for political risk differ across jurisdictions:
European banks that rely on Basel III's advanced approaches for calculating
risk-based capital typically set aside capital against political risk.

Industry view

Senior bank op risk manager:
"Excluding the biggest overall risk for banks – the changing environment in
the financial industry itself – as a strategic risk, the biggest remaining risk
results from our rapidly changing world order and its implications for the
financial sector. No banking group can be sure that an investment or
market entry into foreign countries that makes sense at the moment will not
backfire in a couple of years. To ignore this reality and not think about
possible scenarios might prove very costly for international banks in the
upcoming years."

Ariane Chapelle, director at Chapelle Consulting:
"Brexit will likely be an important cause of uncertainty, loss of business,
third-party risk, relocation risk and project management risk, caused by
uncertainty and unfamiliarity with new processes."

#5: Conduct risk

At first glance, 2016 was fairly unremarkable from the point of view of conduct
risk, with a lack of newly uncovered high-profile instances of wrongdoing perhaps
serving to push it further down practitioners' list of worries, from #2 last year to #5
this.

But an absence of recent incidents doesn't indicate that the risk to an organisation
from misconduct has decreased, say managers; quite the contrary. In the UK, the
Senior Managers Regime (SMR), which came into force in March, seeks to
codify a culture of personal responsibility for risk managers, with individuals who
fulfil certain designated control functions now personally liable for various forms of
misconduct.

Under the US Dodd-Frank Act, individuals whose input helps the Securities and
Exchange Commission (SEC) take successful enforcement action against
wrongdoers are entitled to a reward of up to 30% of the fine imposed on an
organisation. Since the legislation came into force, the SEC has levied more than
$500 million in misconduct-related fines.

Industry view

Nick Leeson, speaking at the Risk South Africa conference in March:
"Risk managers have to take more on. If a risk manager doesn't understand
the trade a star trader is trying to put on, there has to be a way of stopping
them. Someone on the risk committee has to say they fully understand it,
and that they're going to take responsibility for it. To this day, a lot of
traders are still able to railroad certain trades through. Until that changes,
there will always be a problem."

Paul Fisher, Bank of England:
"[The SMR's] purpose is to make it clear who is accountable for what
within a firm. The foremost objective of that is not so we know who to
punish when things go wrong. It is to make sure someone is taking full
responsibility for the right outcomes so misbehaviour becomes very much
rarer."

#6: Organisational change

Organisational change comes in many forms. But whether prompted by
regulation, technological change or a corporate restructuring, the result is always
upheaval, and enforced changes to op risk frameworks to cope with new and
often idiosyncratic sources of risk.

The convoluted changes to desk structures and internal risk transfer processes
banks will be forced to enact under the Basel Committee on Banking
Supervision's revised market risk capital framework are one of the highest-profile
instances of forced organisational change affecting banks' front-office
businesses at the moment.

The fear of not being able to adapt a business model to technological change
haunts many companies. From Kodak and Blockbuster to Blackberry, many once-
prosperous firms have been sidelined by more tech-savvy and customer-focused
competitors.

The past year in finance has seen technological innovations that present big
opportunities as well as threats to many of the existing financial organisations. A
2016 report from Capgemini showed that, although 96% of banking executives
agree that the industry is moving towards a digital banking ecosystem, only 13%
have the systems in place to keep up with it.

Industry view

Jodi Richard, chief operational risk officer at US Bank:
"The evolution we're seeing in a lot of new systems and technologies being
implemented means it's difficult to stay on top of innovation and fintech, as
well as just general technologies advancing. So changing that technology
demands change management, and redesigning processes and controls in
other spaces. That's the core of operational risk there: it's process and
systems, and staying on top of the changes in that space."

Head of operational risk at a European bank:
"Digitisation, fintech, blockchain – all these developments are really
threatening banks' business models. But whether you see them as an
operational risk is moot; I would see them as a strategic development that
banks need to adapt to. But you cannot leave it out of an op risk
framework."

#7: IT failure

Unlike cyber crime, IT failure involves fewer unknown variables. For that reason, it
is perhaps perceived as more manageable by op risk practitioners; but its impact
can be just as debilitating.

Cloud computing was flagged by many respondents to this year's survey as one
of the most important technological trends in 2017. But as well as its advantages
in terms of flexibility and cost-effectiveness, it is prone to outages, with
undesirable consequences potentially including financial losses and damaged
relationships with clients.

Amazon Web Services – now used by many banks for additional processing
capacity, as well as for data storage – experienced a disruption in services in
Sydney in June 2016, causing multiple websites and online services reliant on the
platform to shut down, affecting everything from banking services to pizza
deliveries.

At the beginning of 2016, HSBC suffered a two-day service outage during which
millions of retail customers were unable to access their accounts. That wasn't the
only IT failure to hit the bank in the last couple of years: in 2015 its electronic
payment system experienced disruptions affecting thousands of clients just before
a UK bank holiday weekend.

Industry view

Head of operational risk at a European bank:
"[The impact of IT failure] can be big, not just in terms of direct losses but
also indirect losses, like losing a lot of customers. Many banks, not in
Europe but in Asia, are already talking about cloud solution storing. I can't
assess right now how [disruptions] might affect the business, but I think in
terms of mobility of clients, this could be severe."

#8: AML, CTF and sanctions compliance

Tighter anti-money laundering (AML) controls and efforts to prevent transactions
with internationally sanctioned entities have been a priority of regulators around
the world in recent years, nowhere more so than in the US.

In guidance issued in October 2016, the US Office of the Comptroller of the
Currency said banks should have processes for periodic risk re-evaluations and
account decisions which address a bank's risk appetite for the level of Bank
Secrecy Act (BSA) and AML compliance risk it is willing to accept and can
effectively manage. Banks should provide for an assessment of the implications of
account closure on managing overall exposure to BSA/AML compliance risk that
is consistent with the bank's articulated risk appetite.

For lenders that provide banking services across multiple jurisdictions, that's
easier said than done, say practitioners.

"Increasing global cross-border banking activities, real-time speed of financial
transactions, and sophistication of technology provide alternative means and
opportunity for various manifestations of financial crimes, including AML," says the
head of op risk at a US financial institution.

Industry view

Bradley Bennett, Financial Industry Regulatory Authority, speaking in April
2016 at an industry AML conference:
"You need to know your customers. You need to conduct due diligence on
the securities you're selling. You need to tailor your programme to the risks
inherent in your business model. You need to test your programme, and
make updates as your business changes or expands. You need to be sure
your employees are trained, especially when you have new business lines.
You need to make sure you have good supervisory systems when you do
high-risk business like micro-caps."

Maria Vullo, New York State Department of Financial Services'
superintendent, welcomes the state's new anti-terrorism transaction
monitoring and filtering programme regulation:
"This regulation represents an important milestone in DFS's long-standing
mission to improve and strengthen BSA and AML compliance among New
York's financial institutions and make certain that banks are not being used
to help finance terrorism and other illegal activities. DFS will continue its
mission to protect the integrity of New York's financial system and will
continue to take necessary enforcement action to protect against illicit
activities."

#9: Fraud
The threat from internal fraud can be as pernicious as that from external actors, as
Wells Fargo found out the hard way last year. Though the $187.5 million in
penalties and restitution the bank incurred for fabricating customer approval to
open checking and credit card accounts in order to meet sales targets might
barely dent its bottom line, the blow to its reputation was far more serious.

The US Office of the Comptroller of the Currency (OCC) has identified internal
control weaknesses, such as the lack of an effective audit programme, as
common deficiencies in many banks. Even though reliance on strong internal
controls has never been more critical, its supervisory examinations indicate
weakness in audit coverage and other internal controls in some banks.

"Internal and external fraud, which the OCC views as increasing, generally results
in operational losses," says Beth Dugan, deputy comptroller for operational risk at
the OCC in Washington, DC. "A strong internal control system can help a bank
avoid fraud and unintentional errors. Industry trends show that internal control
weakness can lead to increased levels of fraud related losses and longer times for
fraud identification."

Pressure to achieve sales targets or investor expectations can cause otherwise
conscientious employees to act in a way that is ethically or morally wrong, say
practitioners. The chief executive of peer-to-peer lending company Lending Club,
for example, was forced out in May amid allegations the company had altered the
dates on some of its loans to satisfy criteria that allowed it to securitise them.

The threat from external actors – some sophisticated, some dull but malignant – is
a growing threat too, say risk managers.

"We continue to see bad actors developing new schemes and fraudulent
techniques," says the head of operational risk at a US bank. "We've seen
widespread fraud targeting credit card accounts; now we're seeing the same thing
happen in payments. It's a matter of trying to remain a step ahead of bad actors.
When the fraud event happens at another entity, like a store or a hotel chain, it's a
fraud event at our bank, because now the criminals have access to credit card
data and account numbers."

Industry view

Rajat Baijal, head of enterprise risk, BGC and Cantor Fitzgerald:
"Banks are having to make strategic changes as a result of falling volumes,
which puts additional pressure on the front office. This could further
aggravate the risk of market manipulation, fraud and collusion with external
third parties, as traders strive to meet aggressive targets."

Zahra Al Halwachi, operational risk manager, Mashreq Bank:
"Frauds internally and externally are critical risks to any organisation.
Controls and measures need to be put in place to overcome these types of
risk."

#10: Physical attack

Physical attack, often in the form of terrorism, has fallen one place in our annual
survey, from #9 to #10, possibly reflecting a modest reduction in the global
incidence of terrorist activity since 2015, according to research. Despite this, the
risk to financial services companies of terrorist attack is an ongoing concern for op
risk professionals, making protection of employees, customers and buildings a
high priority.

As the incidents in the European cities of Nice and Berlin last year demonstrate,
the threat from attacks carried out by a few individuals and requiring little planning
can be as devastating as well-financed, state-sponsored acts of terrorism.

Lenders are taking action: US Bank plans to introduce a new mobile app to aid
crisis communication, and more frequent compulsory staff training programmes.
As well as terrorism, the effort will help it prepare for other violent disruptions – for
instance, the possibility of sabotage by disgruntled employees, or widespread civil
disobedience.

"We are assessing physical security of our people and our buildings in response
to domestic and international terrorist attacks. The risk of increasing terrorist
attacks impacts our physical security preparedness as well as our business
continuity preparedness," says Jodi Richard, head of op risk at US Bank in
Minneapolis.

A recent study from the Institute for Economics and Peace put the cost of
terrorism to the global economy at $89.6 billion in 2015 – the second-highest level
since 2000. Over the last 15 years, the economic and opportunity costs arising
from terrorism have increased roughly eleven-fold, it estimates.

Industry view

Industry consultant and former op risk manager:
"A physical terrorist attack is feasible as many capital cities remain on high
alert. Should such an attack include the use of biological or chemical
components, whole areas or cities could become 'no-go' areas, leaving
companies at the mercy of their distributed business continuity plans, which
in turn might be rendered obsolete if the city's infrastructure is affected
also."
