In the past decade the financial industry has rapidly changed and evolved, leading to enhanced risk management practices. Operational risk is no different: as new and emerging risks enter the market, it is often the strength of people, processes and systems that enables effective mitigation and management, but these can also pose the risk. The role and scope of operational risk is more diverse than ever as many strive for sustainable and long-lasting solutions. Many individuals working within risk management are faced with the difficult task of staying ahead in a fast-paced industry. 2018 has highlighted the importance of operational risk within financial institutions as regulators placed heightened emphasis on the need for worthwhile risk management practices and, more recently, a much larger push for resilience. In addition, risk management is appearing more within the public arena as consumers are displaying an increased demand for security.
In light of this the Center for Financial Professionals has conducted extensive primary research into industry trends, themes, opportunities and challenges surrounding operational risk. Through various surveys, interviews and meetings with leading industry professionals we aimed to identify the critical issues keeping risk professionals awake at night. In addition, we also explored the future outlook of operational risk and where the industry may be heading. Below are the top three areas produced from this research:
Undoubtedly one of the largest areas raised during research was the latest release of the operational resilience paper. Over the past several months many industry professionals have been reviewing the paper and identifying the key themes which must be implemented within the business. From the initial review it seems the regulators are placing increased emphasis on areas such as non-financial risk, technology risk and vendor risk management. It would seem that most professionals are concerned about the technicalities from the paper and moving from review to implementation. Below are some of the main comments produced from research:
“The operational resiliency paper has now been released, and so far we have all been reviewing it, but how do we move from reviewing to operationalising it?”
“It seems operational resilience is covering lots of areas, you have technology, third parties, critical business services, security side, business continuity and contingency planning. The question is how do you bring it all together to bring comfort to the board?”
“Now you have to operate in the market through market turbulence. And that relates to how you provide your services to your customers. If you rely on other people to provide your services then that’s a big part of your resilience capability”
“…what are your risks and tolerances if a service is down? It would be good if we could see some output and viewpoints on how the industry has approached the subject, what they found challenging and what they learnt from it.”
Vendor and third-party risk management
In recent years internal practices have come under scrutiny as scenarios within conduct and reputational risk have left some firms open to judgement. With this in mind, ensuring that your business is managed effectively is not only important for risk management but also to satisfy consumers and stakeholders. One such area which has recently received a lot of attention is vendor and third-party risk management. As mentioned above, this is also an area which is being addressed within operational resiliency. The need for increased controls and monitoring has become more apparent as failings within supply chain management can have detrimental consequences. It can be said that each firm will have its own appetite policy and controls over what is and is not acceptable from a supplier. As the comments below show, several industry professionals pointed to the reasons behind this heightened risk and areas of focus, with a view beyond third parties, to fourth, fifth and beyond:
“I think the other big topic from a challenge perspective is supply chain. Your third parties and fourth parties, the suppliers you rely on, who do they rely on? That is a vulnerability so there is a lot of concern”
“More people are concerned about 4th parties, most people know 3rd party risks and having assurance and procurement and practices. But as banks become much stronger at preventing vulnerabilities from threats, fraudsters are looking for other ways to get in and an easy way to do that is attack 4th parties.”
“What are the control objectives you have or what can you demand/expect from your suppliers? Are they managing data properly, complying with GDPR and meeting all the requirements? These are the things firms need to check”
And lastly, multiple industry experts commented on the changing environment within financial services, with particular emphasis on technology. Of course, it’s no surprise that many financial institutions have now incorporated new technologies within their business plans. But the question remains: how does this impact risk management? Technology and cyber risks are an ever-expanding area as professionals battle against a continual wave of attacks, fraudsters and criminals. In this changing landscape, how can risk professionals ensure that technology brings enhancements to the business without compromising security? In a landscape where technology is driving businesses and consumers require increased digital advances, institutions run the risk of falling behind competition if they don’t continue to evolve. With advances in technology come weaknesses, but also advances in fraudsters’ efforts, meaning innovation must be managed effectively to balance risk vs reward. Below are just some of the points identified from our research pertaining to cyber and technology risk:
“There is a lot more innovation in the industry and new players coming into the market providing technology. Some might say that’s mitigating risk and others would say that’s introducing new risks”
“Fraudsters are finding new ways to infiltrate organisations and the volume of cyber-attacks is rapidly increasing. Banks are under pressure to mitigate that ongoing threat. So what controls do you have in place? Do you have function units and robust controls to push it back?”
“I think regulators are pretty sceptical about cyber security and infrastructure security perspective. They have given guidelines and provided instructions on how to secure it. But the problem is when your activities get outsourced it becomes difficult to understand and keep constant monitoring on how things will function. Especially ones that are not regulated or regulated in another region or country”
Our research allowed us to glimpse into the inner workings of multiple financial institutions and identify the main topics that were causing concern. The three topics outlined above were the top areas mentioned by a majority of industry professionals. In this generation of risk managers there is an essential need to keep ahead of the curve, keeping one eye on today’s risks whilst also looking to the potential threats of tomorrow. Understanding the current threats now could assist in accurate predictions of future issues and obstacles, although in this rapidly changing environment figuring out impending and future risk is no easy venture.
To explore these themes further the Center for Financial Professionals will be hosting the 5th Annual New Generation Operational Risk: Europe on the 12-13 of March 2019 in London. The two-day summit will address the evolving role and scope of operational risk management in today’s expanding landscape. Hear from over 25 senior industry professionals as they discuss and debate the key opportunities and challenges surrounding operational risk.
For more details on the summit please visit our website at www.cefpro.com/oprisk, call 0207 164 6582, or, alternatively, feel free to email [email protected] to answer any questions or queries you may have about the agenda and / or speaker line-up.