Risk.net staff (@riskdotnet), 23 Jan 2017
Contents: #1 Cyber risk and data security | #2 Regulation | #3 Outsourcing | #4 Geopolitical risk | #5 Conduct risk | #6 Organisational change | #7 IT failure | #8 AML, CTF and sanctions compliance | #9 Fraud | #10 Physical attack
#1: Cyber risk and data security
An overwhelming number of risk managers ranked the threat from cyber attacks
as their top operational risk for 2017 – the second year in a row it has topped the
rankings, this year by an even larger margin.
And this is no surprise as the threat from cyber attacks is not only growing, but
also mutating into new and insidious forms, say risk practitioners.
From the Bangladesh Bank heist back in February – which saw hackers exploit
vulnerabilities in the Swift financial communications network to steal $81 million
from accounts belonging to the central bank – to November's theft of £2.5 million
($3.1 million) from 9,000 Tesco Bank customers' accounts following a data
breach, the threat from cyber attacks was ever-present over the past year.
As if the reputational damage alone weren't enough to spur banks into action, the
threat of action from regulators for firms whose cyber resiliency isn't up to
scratch probably will be. In September 2016, the UK Financial Conduct Authority
revealed that the number of reported incidents of cyber crimes at firms under its
jurisdiction had jumped to 75 for the year to date, from just five in 2014. That
followed comments from the regulator at June's Cyber Risk Europe conference
that it would be challenging firms more regularly on cyber security going forward.
The source of potential cyber threats is hard to pin down, say banks, making
building appropriate controls a serious challenge, and attacks nearly impossible to
avoid.
According to the head of operational risk at one large European bank: "There are
three categories of people that carry out cyber attacks. There's the guy that's
sitting alone in his bedroom doing it; there are organised groups doing it; and
there are governments doing it."
Industry view
Rajat Baijal, head of enterprise risk at BGC and Cantor Fitzgerald:
"Cyber risk will stay pertinent for a while. What I find quite fascinating about
cyber risk is the sheer pace of change: recent events suggest that the
hackers are one step ahead of the banks in this rapidly evolving space.
Given the uncertainties, firms may choose to strike a balance between
actively managing the risk by investing in suitable resource and
infrastructure, and accepting or transferring the risk by buying a suitable
insurance policy for example. This balance between managing and
accepting and transferring the risk will vary across firms, and should be a
key part of defining the firm's risk appetite."
#2: Regulation
To many op risk practitioners, the landmark regulations of the post-crisis era – the
overhaul of the capital adequacy framework, widespread market structure
reforms, far-reaching changes to accounting practices – represent a laundry list
of potential operational risks for their institution.
Fines and penalties for noncompliance, the restructuring of desks and operations
and the shuttering of businesses all present complex and hard-to-model threats.
In the US, the Dodd-Frank Act alone – irrespective of President Trump's promise
to expunge it – has produced thousands of pages of rulemakings from prudential
and markets regulators, covering everything from stress testing to clearing, trade
execution to hedge fund reporting.
By requiring firms to hold the same amounts of operational risk capital against all
forms of business, regulators are encouraging firms to enter businesses that
exclusively expose themselves to operational risks to maximise their return on
equity, argue op risk practitioners.
"Operational risk seems to be the one that's causing regulators the most concern;
they struggle with it," says the head of operational risk at an international bank in
London. "There is a danger they will push something through in order to get [the
Basel IV agenda] out at the same time. As the SMA proposal stands now, it will
have a huge impact on operational risk capital, and group heads are committed to
not having an increase in capital overall – so it will be interesting to see where that
all comes out."
#3: Outsourcing
Outsourcing makes it into our top three operational risks this year, spurred by a
clear message from regulators that firms must improve oversight of third-party risk
management, or else face punitive sanctions.
Aviva provided one of the highest-profile examples of last year. In October 2016,
the firm was hit with an £8.2 million fine from the UK Financial Conduct Authority
for failure to ensure adequate controls and oversight of outsourced client money
handling arrangements.
The size of the penalty, combined with the undesirable publicity the case
attracted, caused alarm for many op risk practitioners, and emphasised that
regulators are actively hunting for breaches.
Under the EU's forthcoming GDPR legislation (see Cyber segment), financial
organisations must review their existing outsourcing arrangements to ensure they
don't face eye-watering fines – even if the failures are those of third-party service
providers.
GDPR compliance will represent a significant burden, managers say. Banks will
need to know exactly where their customer data is held at all times, and be able to
present this data on demand in a portable format. That will require a thorough
understanding of a complex web of relationships with various outsourcers,
practitioners say.
#4: Geopolitical risk
The election of Donald Trump as US president, along with the UK's shock vote to
withdraw from the European Union, have combined to push geopolitical risk into
the top 10 this year, rocketing all the way to number four.
The prospect of a so-called hard Brexit, including a departure from the European
single market, as outlined in UK prime minister Theresa May's January 17
speech, will have serious implications for the financial services industry, with
London home to the European headquarters of most of the world's top banking,
insurance and asset management companies.
Banks are expected to start moving staff out of London in 2017. Those plans are
unlikely to be reversed even if the UK secures favourable access to the European
single market, say op risk practitioners. The consequences could be as painful as
they are idiosyncratic; witness fears of a politically motivated attempt by European
legislators to forcibly relocate euro clearing to the eurozone, the cost of which
could be as high as $100 billion in additional margin requirements for banks and
their clients.
Banks with relatively small operations inside the eurozone, such as the Japanese
banks, are likely to bear the heaviest fallout from Brexit. But even banks with large
eurozone operations will be exposed to increased local market regulator risks,
such as not being allowed to ramp up derivatives trading within a given
jurisdiction.
In addition to its direct costs, Brexit – because it will occur against a backdrop of
significant economic, regulatory and business change – could indirectly
exacerbate other operational risks such as outsourcing (#3), organisational and
business change (#6), regulation (#2), and conduct risk (#5). For example, the
need rapidly to form new supplier relationships opens banks up to heightened
outsourcing risk, say practitioners.
#5: Conduct risk
But an absence of recent incidents doesn't indicate that the risk to an organisation
from misconduct has decreased, say managers; quite the contrary. In the UK, the
Senior Managers Regime (SMR), which came into force in March, seeks to
codify a culture of personal responsibility for risk managers, with individuals who
fulfil certain designated control functions now personally liable for various forms of
misconduct.
Under the US Dodd-Frank Act, individuals whose input helps the Securities and
Exchange Commission (SEC) take successful enforcement action against
wrongdoers are entitled to a reward of up to 30% of the fine imposed on an
organisation. Since the legislation came into force, the SEC has levied more than
$500 million in misconduct-related fines.
#6: Organisational change
The convoluted changes to desk structures and internal risk transfer processes
banks will be forced to enact under the Basel Committee on Banking
Supervision's revised market risk capital framework are one of the highest-profile
instances of forced organisational change impacting banks' front-office
businesses at the moment.
The fear of not being able to adapt a business model to technological change
haunts many companies. From Kodak and Blockbuster to Blackberry, many
once-prosperous firms have been sidelined by more tech-savvy and
customer-focused competitors.
The past year in finance has seen technological innovations that present big
opportunities as well as threats to many of the existing financial organisations. A
2016 report from Capgemini showed that, although 96% of banking executives
agree that the industry is moving towards a digital banking ecosystem, only 13%
have the systems in place to keep up with it.
#7: IT failure
Unlike cyber crime, IT failure involves fewer unknown variables. For that reason, it
is perhaps perceived as more manageable by op risk practitioners; but its impact
can be just as debilitating.
Cloud computing was flagged by many respondents to this year's survey as one
of the most important technological trends in 2017. But as well as its advantages
in terms of flexibility and cost-effectiveness, it is prone to outages, with
undesirable consequences potentially including financial losses and damaged
relationships with clients.
Amazon Web Services – now used by many banks for additional processing
capacity, as well as for data storage – experienced a disruption in services in
Sydney in June 2016, causing multiple websites and online services reliant on the
platform to shut down, affecting everything from banking services to pizza
deliveries.
At the beginning of 2016, HSBC suffered a two-day service outage during which
millions of retail customers were unable to access their accounts. That wasn't the
only IT failure to hit the bank in the last couple of years: in 2015 its electronic
payment system experienced disruptions affecting thousands of clients just before
a UK bank holiday weekend.
#8: AML, CTF and sanctions compliance
For lenders that provide banking services across multiple jurisdictions, that's
easier said than done, say practitioners.
"Increasing global cross-border banking activities, real-time speed of financial
transactions, and sophistication of technology provide alternative means and
opportunity for various manifestations of financial crimes, including AML," says the
head of op risk at a US financial institution.
#9: Fraud
The threat from internal fraud can be as pernicious as that from external actors, as
Wells Fargo found out the hard way last year. Though the $187.5 million in
penalties and restitution the bank incurred for fabricating customer approval to
open checking and credit card accounts in order to meet sales targets might
barely dent its bottom line, the blow to its reputation was far more serious.
The US Office of the Comptroller of the Currency (OCC) has identified internal
control weaknesses, such as the lack of an effective audit programme, as
common deficiencies in many banks. Even though reliance on strong internal
controls has never been more critical, its supervisory examinations indicate
weakness in audit coverage and other internal controls in some banks.
"Internal and external fraud, which the OCC views as increasing, generally results
in operational losses," says Beth Dugan, deputy comptroller for operational risk at
the OCC in Washington, DC. "A strong internal control system can help a bank
avoid fraud and unintentional errors. Industry trends show that internal control
weakness can lead to increased levels of fraud related losses and longer times for
fraud identification."
External actors – some sophisticated, some dull but malignant – pose a growing
threat too, say risk managers.
"We continue to see bad actors developing new schemes and fraudulent
techniques," says the head of operational risk at a US bank. "We've seen
widespread fraud targeting credit card accounts; now we're seeing the same thing
happen in payments. It's a matter of trying to remain a step ahead of bad actors.
When the fraud event happens at another entity, like a store or a hotel chain, it's a
fraud event at our bank, because now the criminals have access to credit card
data and account numbers."
#10: Physical attack
Physical attack, often in the form of terrorism, has fallen one place in our annual
survey, from #9 to #10, possibly reflecting a modest reduction in the global
incidence of terrorist activity since 2015, according to research. Despite this, the
risk to financial services companies of terrorist attack is an ongoing concern for op
risk professionals, making protection of employees, customers and buildings a
high priority.
As the incidents in the European cities of Nice and Berlin last year demonstrate,
the threat from attacks carried out by a few individuals and requiring little planning
can be as devastating as well-financed, state-sponsored acts of terrorism.
Lenders are taking action: US Bank plans to introduce a new mobile app to aid
crisis communication, and more frequent compulsory staff training programmes.
As well as terrorism, the effort will help it prepare for other violent disruptions – for
instance, the possibility of sabotage by disgruntled employees, or widespread civil
disobedience.
"We are assessing physical security of our people and our buildings in response
to domestic and international terrorist attacks. The risk of increasing terrorist
attacks impacts our physical security preparedness as well as our business
continuity preparedness," says Jodi Richard, head of op risk at US Bank in
Minneapolis.
A recent study from the Institute for Economics and Peace put the cost of
terrorism to the global economy at $89.6 billion in 2015 – the second-highest level
since 2000. Over the last 15 years, the economic and opportunity costs arising
from terrorism have increased roughly eleven-fold, it estimates.