Roland Kennett, Head of Membership and Services Development, ORX Association, provides insights into the top risks in 2018 and beyond. ORX aims to develop operational risk as a discipline, with members from over 90 institutions from around the world.
Learning from the knowledge and experiences of others to enhance operational risk management makes sense from both an efficiency and effectiveness perspective and is actively encouraged within regulatory frameworks.
It is standard practice for financial institutions to evaluate significant external operational events, to better understand their own exposure and to help identify control deficiencies (for example, those reported by ORX News).
This diversified view, built on the wisdom of crowds, is also particularly suited to emergent operational risks.
To support this, ORX operates an annual benchmark of top risks (those deemed to be current risks that are being faced now) and emerging risks (those that are expected in the next 18-36 months). The findings below are based on the most recent 2017 exercise, which used more than 600 individual assessments submitted by 44 global financial institutions.
Not surprisingly given the large number of extreme events reported across the world in the last few years, risks associated with misconduct are the most significant current industry concern (75% of participants identify at least one misconduct issue in their top ten operational risks).
Conduct was closely followed by information security and cyber risk (84% included an IT security risk in their top ten). These risks are elevated by two trends – the complexity of the digital landscape, and financial services firms' increasing dependence on systems and data.
Theft and fraud remained the third most highly ranked category, while IT infrastructure and regulatory compliance took fourth and fifth place, respectively.
Considering the future, digital disruption ranked as the highest emerging risk. This can be described as the operational risk which arises because of the changes driven by emerging digital technologies and digital business models.
Information security and cyber risk came second on both the current and emerging risk lists, showing that risks from hacking, data breaches and other cyber threats are expected to remain high.
Global uncertainty is also believed to pose a significant challenge. Chief concerns include the policy direction in the US and the uncertain consequences of Brexit, as well as ongoing tensions across Asia and the Middle East.
The study concluded that almost every risk category is expected to increase in the next three years. Persistent regulatory attention is set to increase as is technological change, with risks associated with digital disruption expected to increase the most. On a positive note, risk managers should be able to take advantage of many of the technological advances to improve risk management.
Interestingly, despite being the highest ranked current operational risk, only half of participants judged that conduct risks are expected to increase over the next three years. There is, however, some regional variation, with conduct considered stable or declining in Europe, but growing in the US following the Wells Fargo event and a focus on employee misconduct (for example, the ‘me too’ movements).
Another key observation is that as internally driven risks, such as misconduct, IT infrastructure and internal fraud, appear to decrease, the external threat increases. As well as cyber, digital disruption and geopolitical risks, third party risks, typically outside of the internal control environment, are set to increase.
Alongside the list of current and emerging threats lies a more basic risk management issue: being able to compare apples with apples. It is essential that operational risk frameworks support management effort to focus on the most important areas of risk. Central to any framework is the operational risk taxonomy, which underpins a wide range of risk measurement and management processes, including risk control self-assessments, reporting, event management, scenario analysis benchmarking and key risk indicators.
The event-driven taxonomies, initially developed as part of Basel II, do not necessarily align well with either the language of the business or more contemporary risk areas. For some, a solution to this has been a fundamental re-orientation of internal risk taxonomies to better support risk management.
A recent ORX study, which assessed these operational risk taxonomies across the industry, showed that many are starting to contain some of the emerging risks listed above. As the threat evolves, the frameworks follow. Some of the more emergent themes seen in the taxonomies are listed below.
Information security (including cyber)
Financial reporting and tax
Although at a fundamental level many of the operational risks remain the same, the threat vectors are constantly evolving. This means that, to best manage them, frameworks, controls and mitigations need to remain relevant.