The biggest op risks for 2019, as chosen by industry practitioners
We present annual ranking of the biggest op risks for the year ahead, based on a survey of operational risk practitioners across the globe and in-depth interviews with a selection of industry personnel. The risks are listed in order of magnitude of threat, with this year’s largest risk being data compromise.
#1: Data compromise
The threat of data loss through cyber attack, combined with an awareness among managers that defences are vulnerable, has made data compromise a perennial concern for op risk practitioners of all stripes. But the advent of strict new data protection regulation has intensified those fears, helping propel the category to the top of our annual survey for the first time.
Collecting multiple datasets and storing them in one place presents a single, tempting target for hackers. Companies have responded by compartmentalising data and storing it across several locations in an effort to reduce the potential loss from a single breach.
“You have to assume hackers will get through, and what do you do then? It can be just making sure you are storing data in several places, splitting your data so [hackers] getting into one file won’t get what they need,” says one senior risk practitioner.
The EU’s General Data Protection Regulation (GDPR), introduced in May 2018, aims to tighten consumer safeguards around data disclosure. No prosecution has yet used the full scope of penalties – the regulation allows a fine of up to 4% of global revenue – but companies are wary of a sizeable additional loss associated with, for example, a major data breach due to negligence.
Other areas of GDPR may have attracted less attention, but still pose significant potential sources of operational risk. Companies must provide customers with access to their own data, including the ability to correct or erase it in some cases; and they must report a data breach within 72 hours.
New regulations are also offering up enticing targets for hackers, though: their targets are broadening beyond financial services firms to encompass intermediaries and even the official sector. For example, the EU’s Mifid II markets regime requires trading platforms and investment firms to collect personal information on the counterparties to every trade – not just a potential privacy issue, but a new and worrying point of entry to would-be hackers. As the data is passed from firm to platform and from platform to regulator, it becomes exposed to attack.
Some banks are taking advantage of the new market in cyber crime to adopt a more proactive defence strategy. Cyber criminals use the unindexed “dark” web to offer stolen data for sale. By monitoring this black market, institutions may gain advance warning of attacks, or even discover stolen data whose theft had gone unnoticed.
An active defence should also include penetration testing, both online and physical. Often the critical weakness in a cyber security plan sits, as IT managers put it, between chair and keyboard.
In a landmark case in October 2018, US authorities fined fund manager Voya Financial $1 million after a security breach allowed hackers to steal the personal details of thousands of customers. The hackers gained access by making repeated phone requests for password changes, pretending to be Voya subcontractors. Resetting the passwords was explicitly banned by Voya’s policies, but its employees did it nonetheless.
#2: IT disruption
Cyber attacks conjure images of masked figures gaining access to the IT network of a company or government and making away with millions, yet the reality is often more prosaic. Malware designed merely for nuisance value can cripple firms’ operations, while the origin of attack is often not rogue criminal but state entity: the WannaCry and NotPetya ransomware events of 2017 were widely attributed to state-sponsored sources.
“Hackers are more organised and some countries have malicious, not criminal intent,” says an operational risk consultant. “They might not get anything out of it apart from bringing systems down and causing disruption.”
The past year has not seen as many high-profile disruptive cyber attacks as the previous one, which may go some way to explaining why IT disruption slips to second place in Risk.net’s 2019 survey.
However, risk experts still see cyber attacks as an ever-present menace.
Distributed denial of service (DDoS) is one of the most common forms of attack. DDoS data from two security specialists provides a conflicting picture: Kaspersky Lab reports a decline in overall attacks by 13% from 2017 to 2018. Corero says that among its customers, the number of events in 2018 was up 16% year-on-year.
Banks remain vulnerable, even the largest. In April 2018, it was revealed that a co-ordinated DDoS attack had disrupted services at seven major UK lenders, including Barclays, HSBC, Lloyds and RBS. The National Crime Agency and international partners responded by shutting down a website linked to the attacks that offered DDoS services for a small fee.
As banks shift more of their retail and commercial activity online, a growing fear is that a widespread cyber event could cripple an institution’s activity. Dwindling branch networks are reducing the “hard” infrastructure that lenders could previously rely on to maintain essential services.
“Banks may be taking channels offline as firms move away from the high street and close their branches,” says the head of operational risk at a bank. “So one route they have which offers them a certain type of resilience may not be there in a few years’ time and they may be wholly dependent on the digital side.”
#3: IT failure
Though usually overshadowed by its attention-grabbing cousin – the threat of a cyber attack – the risk of an internal IT failure is never far off risk managers’ minds. When such failures happen, their financial, reputational and regulatory consequences can easily rival the damage from high-profile data theft.
It is probably no coincidence that the danger of a self-imposed IT debacle is the third-largest operational risk in 2019’s survey: it follows a year in which a botched system migration cost UK bankTSB more than £300 million ($396 million) in related charges and an unknowable sum in lost customers.
And it’s a risk that is only likely to grow in importance, op risk managers acknowledge: “The more we interconnect, the more we have online banking and direct [digital] interaction between our clients and ourselves – the more IT structures can be disrupted,” says a senior op risk executive at a major European bank, summing up a view expressed by several risk managers.
The Basel Committee on Banking Supervision is co-ordinating various national and international efforts to improve cyber risk management. Last year it set up the Operational Resilience Working Group – its first goal has been “to identify the range of existing practice in cyber resilience, and assess gaps and possible policy measures to enhance banks’ broader operational resilience going forward”, the committee said in a November 2018 document.
On a national level, operational resilience – including against IT failures – is an area of focus for the Bank of England. The central bank defines it as “the ability of firms and the financial system as a whole to absorb and adapt to shocks”. In July, it published a joint discussion paper on operational resilience with the UK’s Prudential Regulation Authority and Financial Conduct Authority.
Speaking at the OpRisk Europe conference in June, the PRA’s deputy chief executive Lyndon Nelson said: “It is likely that the [BoE] will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption.”
#4: Organisational change
Organisational change – sometimes called ‘strategic execution risk’ – refers to the grab bag of things that can go sideways in the midst of any transition: switching to a new system from an old one, new strategic objectives, adjustments to new management edifices, errors or just bad decisions, etc.
The catalyst can come from any number of directions – mergers or acquisitions, divisional reorganisations, a strategic change in business mix. Unfortunately for financial firms, none of these are mutually exclusive – most are largely unavoidable.
Banks and buy-side firms are subject to the currents of consumer taste and the need to keep pace with rivals. Often, firms might be prompted into action by a shift in the nature of the threats they face: witness cyber risk’s long journey from the domain of IT to the risk team.
New regulation may also force change, requiring a company to divert resources, redeploy personnel or create new departments entirely – as in the case of the Fundamental Review of the Trading Book, for instance.
Problems arising during technology upgrades or changes are perhaps the most often mentioned risks in this threat category. But geopolitical rumblings can add to the difficulties in changes to a hierarchy or embarking on a new business strategy, says one risk professional. One senior op risk consultant says the atmosphere it produces can lead to dangerous operational mis-steps.
Brexit will soon probably provide many such examples. With a disorderly exit by the UK from the European Union this month almost a certainty, banks and brokers are setting up new entities on mainland Europe at a breakneck speed that almost guarantees problems – some as simple as staffing up and resource management.
“With political and economic risk increased, especially by Brexit, the time available to handle change is squeezed,” says the consultant. “That leads to potential errors in execution.”
#5: Theft and fraud
Despite slipping a place on this year’s list, theft and fraud is still many operational risk managers’ worst nightmare. The idea of a massive heist by enterprising hackers, mercenary employees or plain old bank robbers, possibly followed by fines and penalties, keeps the category near the top of the op risk survey year after year.
Inside jobs made up the top three of 2018’s biggest publicly reported op risk losses: Beijing-based Anbang Insurance lost a shattering $12 billion to embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to wayward employees working with a fugitive diamond dealer.
These top losses were the result of old-fashioned crimes in the emerging world. At US and European banks though, it’s the cyber component of theft and fraud that looms large – despite the absence of even a single incident on the top 10 list.
“You can commit theft and fraud anonymously. You can go multicurrency, bitcoin,” comments a senior operational risk executive who says theft and fraud make up the biggest loss at the North American bank where he works. “You can be on the other side of the world, funds in hand, before anyone realises the money is missing.”
According to ORX News, the total of publicly reported losses attributable to cyber-related data breaches and instances of fraud and business disruption was $935 million worldwide in financial services last year. Over half those incidents involved fraud.
Cyber fraud comes generally in one of two sorts: one sows chaos, then grabs data en masse in the ensuing turmoil; the other zeros in on individuals to drain their accounts.
A large-scale attack could consist of millions of small transactions, like a $1 charge on a credit card, each likely unnoticed by the cardholder. In a targeted attack, thieves try to pry loose enough data from a customer’s social media persona to get access to their bank account. Other, more sophisticated schemes look for the weak points in authentication systems like biometrics. Some apps, for instance, can replicate a person’s voice patterns and fool voice ID systems.
“Equifax taught us that you need to move away from knowledge-based authentication to more activity-based identification,” says an op risk head at a second North American bank, for instance, something like asking people what their last two transactions were. In 2017, hackers stole data such as names, birthdates and Social Security numbers on nearly 148 million people from Equifax’s online systems.
#6: Outsourcing and third-party risk
Outsourcing key infrastructure or services to third parties is a tantalising prospect for many firms. The incentive is to harness the expertise of specialist providers, or to save costs. Or, ideally, a combination of the two.
The trade-off for many risk managers is a lingering concern about losing oversight of vital business functions. The prevalence of breaches via third parties and growing regulatory scrutiny of this area, not to mention the build-up of risk in certain systemically important platforms, are the focus of anxiety.
“If cloud platforms are correctly configured, they can enhance security, as well as creating efficiencies and reducing costs for customers,” says a UK cyber insurance executive. “However, if there was an incident that took down a cloud provider such as AWS or Azure, or a component part of the cloud infrastructure, this could cause an outage for thousands of individual companies.”
Regulators are zeroing in on outsourcing risk, too. The European Banking Authority (EBA) finalised outsourcing guidelines in February 2019, with a view to providing a single framework for financial firms’ contracts with third and fourth parties.
Financial institutions are also concerned about their reliance on crucial financial market infrastructuresuch as trading venues and clearing houses. Unlike IT or payroll systems, these are services that are difficult if not impossible to replicate in-house – as banks have tried to do with some troublesomevendor relationships.
Successful trading venues and clearing houses typically achieve a critical mass of liquidity that makes it very difficult for viable competitors to thrive. Without a credible threat to leave CCPs, banks lack the leverage to persuade the service providers to supply information on data or cyber security practices that might allow risk managers to properly assess threats.
#7: Regulatory risk
This year, the usual complement of regulation plus roiling new issues placed regulatory risk in seventh position on the list.
Chief among shifting regulatory expectations, anti-money laundering (AML) compliance has taken centre stage since the Danske Bank Estonian episode came to light in 2017. As much as €200 billion ($226.1 billion) in ‘non-resident’ money coursed through Danske’s modest Tallinn branch from 2007 to 2015.
Danske’s chief and chairman were ousted. The Danish financial regulator has imposed higher capital requirements, and the US Department of Justice has begun a criminal investigation. The EBA is looking into whether regulators in Denmark and Estonia were remiss. Estonia has ordered Danske to shut the branch.
“On AML, there are huge regulatory expectations there,” says one operational risk executive at an international bank. “We have a huge programme in the group to try and comply with their requirements.”
Elsewhere, changes to data protection legislation presents its own matrix of requirements for banks spanning continents, beginning with the EU’s GDPR.
“There are so many privacy regulations that raise issues from a regulatory risk standpoint. It’s a patchwork of regulations at the state and federal levels,” says an operational risk executive at one North American bank.
Banks are also warily eyeing further regulatory intervention from the Basel Committee on operational resilience – a broad initiative that sets out regulators’ expectations on a number of business continuity topics, including a minimum response time to return to normal operations after a platform outage.
#8: Data management
A conversation with any op risk manager will land, sooner or later, on the issue of data management. It could be concerns about data quality, particularly of historical data stored on legacy systems, which carries with it problems such as format and reliability. Or it could be the risk of missteps when handling customer data – inappropriate checks on storage, use or permissioning – that now come with the added threat of eye-watering fines from regulators.
Taken together, it’s no surprise that data management has made it into the top 10 op risks as a discrete risk category for the first time this year. It is considered separately from the threat of data compromise, where data breaches share the common driver of a malicious external threat.
Much of the impetus behind firms’ drive to beef up standards around the storage and transfer of personal data stems from the tightening of regulatory supervision on data privacy and security around the world – most obviously GDPR. Firms operating within the EU or holding data on EU citizens – which puts just about every firm around the world in scope, to some degree – may be heavily fined for falling foul of the regime, for instance, by failing to explicitly gain consent from individuals to retain and use their data.
As data management and compliance headaches multiply, the financial sector is pushing to use machine learning to augment the modelling of everything from loan approvals to suspicious transactions. In a sense, the methods offer a fix to downplay human errors. However, dealers have acknowledged machine learning models’ predictive power leaves them open to potentially unethical biases, such as inadvertently discriminating against certain customer groups because the bank’s data shows a higher risk of non-payment based on other customers historically served there.
Poor data management has consequences for everyday compliance exercises, such as filling in mandatory quarterly risk control self-assessment forms to the satisfaction of regulators. Banks “are missing robust data management processes to ensure that data is reliable, complete and up to date, and that reports can be generated [in a timely manner]”, the head of op risk at one Asian bank tells Risk.net.
Brexit covers such a wide range of possible risk events that some participants in this year’s survey disputed whether it should be included as a standalone chapter at all; but a significant number argued strongly that it should, with its collective drivers likely engendering a common set of specific risks for banks and financial firms for years to come.
At the time of writing, the UK is a fortnight away from leaving the EU, although speculation about a delay ranging from two months to two years is growing. Nor is there any clarity on the state of the UK–EU relationship after the March 29 deadline. Anything from a long delay or a cancellation to an abrupt “no-deal” crash exit remains possible; this may have changed by lunchtime on the day this article is published.
Many financial firms whose business is affected by Brexit have given up waiting for lawmakers to finalise negotiations over the terms of the split and are pushing ahead with contingency plans. Banks and brokers are setting up new entities in mainland Europe, a process that is fraught with operational risk, particularly given the accelerated timescale for its completion.
Third-party risk from new supplier relationships; legal risk from repapering numerous financial contracts; people risk from hiring and training new personnel; these and other effects of the relocation will put additional strain on the operational resilience of companies.
Particularly in the case of a Brexit with no deal, industry practitioners fear a general increase in stress on almost every aspect of operations. One survey respondent points out: “If you have a hard Brexit, how resilient are your operation processes in terms of new requirements? If you think about it, overnight you go into new tariff regimes. So you have a portfolio with every operational risk you’ve ever seen.”
Mis-selling drops a few places on this year’s top 10 op risks, a reflection – or perhaps a shared hope among risk managers – that the era of mega-fines for crisis-era misdeeds among US and European banks might finally be over. They would do well to check their optimism, however: as the recent public inquiry into Australia’s financial sector that has excoriated the reputation of the nation’s banks shows, another mis-selling scandal is never far away.
Firms have shelled out a scarcely credible $607 billion in fines for conduct-related misdemeanours since 2010, the bulk of them related to fines and redress over mis-selling claims. 2011 and 2012 saw the heaviest losses, with the bulk of the fines for residential mortgage to payment protection insurance (PPI) mis-selling concentrated here.
The cumulative impact of fines and settlements has taken a huge toll on bank capital: as a recent Risk Quantum analysis shows, op risk now accounts for a third of risk-weighted assets (RWAs) among the largest US banks, while UK lenders still face hefty Pillar 2 capital top-ups from the Bank of England, largely as a result of legacy conduct issues.
Under the advanced measurement approach to measuring op risk capital which most US banks use, sizeable op risk losses can heavily skew a model’s outputs. But from a capital point of view, there are hopeful signs that with the severity and frequency of losses decreasing, RWAs are starting to see agradual rolldown for most banks – though the US Federal Reserve has privately made clear it will not sign off any more changes to bank op risk models, leaving their methodologies frozen in time.
While Australia’s banks emerged relatively unscathed from the 2008 global financial crisis, they too are now feeling the sting of public ire following a series of mis-selling and conduct-related scandals, the first of which claimed the scalp of Commonwealth Bank Of Australia chief executive Ian Narev last year, dealing a severe blow to the bank’s reputation.
The Royal Commission enquiry it helped spark had far wider ramifications beyond the bank. The fallout is still being felt, with National Australia Bank announcing on February 7 that its chief executive Andrew Thorburn and chairman Ken Henry would both step down.