Top Operational Challenges.

Top 10 operational risks 2020 (2019 rank in brackets): #1 IT disruption (2); #2 Data compromise (1); #3 Theft and fraud (5); #4 Outsourcing & third-party risk (6); #5 Resilience risk (new entry); #6 Organisational change (4).

The European Banking Authority (EBA) finalised outsourcing guidelines in February 2019, with a view to providing a single framework for financial firms’ contracts with third and fourth parties. Is there anybody out there? This is the second year we’ve produced this report, and several key risks remain relatively static. The ORX News team summarises operational risk losses that are publicly reported in the global media. Dwindling branch networks are reducing the “hard” infrastructure that lenders could previously rely on to maintain essential services. A large-scale attack could consist of millions of small transactions, like a $1 charge on a credit card, each likely unnoticed by the cardholder. Corero says that among its customers, the number of events in 2018 was up 16% year-on-year. One survey respondent points out: “If you have a hard Brexit, how resilient are your operation processes in terms of new requirements? Other areas of GDPR may have attracted less attention, but still pose significant potential sources of operational risk. The report can help you understand industry practice around conduct risk. This is one of the reasons why ORX Scenarios is so valuable to its subscribers. Estonia has ordered Danske to shut the branch. © Infopro Digital Risk (IP) Limited (2020).
We present Risk.net’s annual ranking of the biggest op risks for the year ahead, based on a survey of operational risk practitioners across the globe and in-depth interviews with a selection of industry personnel. The report lists the top current and emerging operational risks facing the industry, as chosen by our members. “Equifax taught us that you need to move away from knowledge-based authentication to more activity-based identification,” says an op risk head at a second North American bank, for instance, something like asking people what their last two transactions were. The idea of a massive heist by enterprising hackers, mercenary employees or plain old bank robbers, possibly followed by fines and penalties, keeps the category near the top of the op risk survey year after year. Outsourcing key infrastructure or services to third parties is a tantalising prospect for many firms. 2011 and 2012 saw the heaviest losses, with the bulk of the fines for residential mortgage to payment protection insurance (PPI) mis-selling concentrated here. The mix of the top 10 risks is largely unchanged, but the ranking order has shifted. The incentive is to harness the expertise of specialist providers, or to save costs. In the second half of 2019, we worked with Oliver Wyman to develop a new taxonomy for operational and non-financial risk. “If cloud platforms are correctly configured, they can enhance security, as well as creating efficiencies and reducing costs for customers,” says a UK cyber insurance executive. Nor is there any clarity on the state of the UK-EU relationship after the March 29 deadline.
Though usually overshadowed by its attention-grabbing cousin – the threat of a cyber attack – the risk of an internal IT failure is never far off risk managers’ minds. “Hackers are more organised and some countries have malicious, not criminal intent,” says an operational risk consultant. “So one route they have which offers them a certain type of resilience may not be there in a few years’ time and they may be wholly dependent on the digital side.” The EBA is looking into whether regulators in Denmark and Estonia were remiss. Distributed denial of service (DDoS) is one of the most common forms of attack. However, dealers have acknowledged machine learning models’ predictive power leaves them open to potentially unethical biases, such as inadvertently discriminating against certain customer groups because the bank’s data shows a higher risk of non-payment based on other customers historically served there. “On AML, there are huge regulatory expectations there,” says one operational risk executive at an international bank. Chief among shifting regulatory expectations, anti-money laundering (AML) compliance has taken centre stage since the Danske Bank Estonian episode came to light in 2017. Poor data management has consequences for everyday compliance exercises, such as filling in mandatory quarterly risk control self-assessment forms to the satisfaction of regulators. “Banks may be taking channels offline as firms move away from the high street and close their branches,” says the head of operational risk at a bank.
The fallout is still being felt, with National Australia Bank announcing on February 7 that its chief executive Andrew Thorburn and chairman Ken Henry would both step down. But geopolitical rumblings can add to the difficulties in changes to a hierarchy or embarking on a new business strategy, says one risk professional. The reports look at the key trends in the frequency and severity of the loss events in the data and give you unique insights into operational risk losses that you couldn’t access anywhere else. New regulation may also force change, requiring a company to divert resources, redeploy personnel or create new departments entirely – as in the case of the Fundamental Review of the Trading Book, for instance. Survey respondents were asked to rate 30 different risks involving macroeconomic, strategic, and operational issues. It was a busy 2019 for ORX. Particularly in the case of a Brexit with no deal, industry practitioners fear a general increase in stress on almost every aspect of operations. We’re currently working on finalising our 2020 version, so keep an eye out for that being published next month! The Risk: Every business faces the risks of a reputation event, such as executive misconduct, product recalls and data breaches that jeopardize consumer privacy. Any one of these can affect the company’s brand perceptions and carries significant financial consequences. Resetting the passwords was explicitly banned by Voya’s policies, but its employees did it nonetheless. This risk had appeared in the top 10 in our 2015, 2016 and 2017 reports. At the time of writing, the UK is a fortnight away from leaving the EU, although speculation about a delay ranging from two months to two years is growing. The central bank defines it as “the ability of firms and the financial system as a whole to absorb and adapt to shocks”.
Following are the top 10 risks identified in the “Executive Perspectives on Top Risks for 2019” report: Unfortunately for financial firms, none of these are mutually exclusive – most are largely unavoidable. That’s not surprising considering the increased level of supervisory scrutiny of conduct issues. The catalyst can come from any number of directions – mergers or acquisitions, divisional reorganisations, a strategic change in business mix. Top 10 operational risks for 2019. The biggest op risks for 2019, as chosen by industry practitioners. Regulators are zeroing in on outsourcing risk, too. Cyber fraud comes generally in one of two sorts: one sows chaos, then grabs data en masse in the ensuing turmoil; the other zeros in on individuals to drain their accounts. Top 10 in 2019 1. In 2019, air pollution is considered by WHO as the greatest environmental risk to health. Microscopic pollutants in the air can penetrate respiratory and circulatory systems, damaging the lungs, heart and brain, killing 7 million people prematurely every year from diseases such as cancer, stroke, heart and lung disease. And it’s a risk that is only likely to grow in importance, op risk managers acknowledge: “The more we interconnect, the more we have online banking and direct [digital] interaction between our clients and ourselves – the more IT structures can be disrupted,” says a senior op risk executive at a major European bank, summing up a view expressed by several risk managers. In fact, IA can play an important role in ... operational efficiency across organizations. The biggest operational risks for 2020, as chosen by industry practitioners. In July, it published a joint discussion paper on operational resilience with the UK’s Prudential Regulation Authority and Financial Conduct Authority.
This risk issue was added to our 2015 risk survey, and it has been ranked in the top 10 risks each year since that time. Each innovation – whether it’s a … They replaced two risks we asked about in prior years. Third-party risk from new supplier relationships; legal risk from repapering numerous financial contracts; people risk from hiring and training new personnel; these and other effects of the relocation will put additional strain on the operational resilience of companies. Seven of the top risks are operational in nature and the other three, strategic. Financial institutions are also concerned about their reliance on crucial financial market infrastructure such as trading venues and clearing houses. Throughout 2019, we’ve worked with a group of cyber risk specialists from our member firms to see how we best support firms in managing this pressing risk. In some cases, we also wrote some analysis on the regulators’ plans. Malware designed merely for nuisance value can cripple firms’ operations, while the origin of attack is often not rogue criminal but state entity: the WannaCry and NotPetya ransomware events of 2017 were widely attributed to state-sponsored sources. Danske’s chief and chairman were ousted. The trade-off for many risk managers is a lingering concern about losing oversight of vital business functions. In April 2018, it was revealed that a co-ordinated DDoS attack had disrupted services at seven major UK lenders, including Barclays, HSBC, Lloyds and RBS.
In a targeted attack, thieves try to pry loose enough data from a customer’s social media persona to get access to their bank account. According to the survey, the top 10 global risks for 2019 ranked by global respondents are: 1. One senior op risk consultant says the atmosphere it produces can lead to dangerous operational mis-steps. The prevalence of breaches via third parties and growing regulatory scrutiny of this area, not to mention the build-up of risk in certain systemically important platforms, are the focus of anxiety. Eurasia Group's Top risks For 2019 This is Eurasia Group's annual forecast of the political risks that are most likely to play out over the course of the year. We ran a number of mini studies and projects with the group and published some of the outputs to the industry. It’s a new year which means Eurasia Group, the risk consultancy I founded and run, has just released our annual look ahead at the top 10 geopolitical risks facing the world in 2019. “We have a huge programme in the group to try and comply with their requirements.” By monitoring this black market, institutions may gain advance warning of attacks, or even discover stolen data whose theft had gone unnoticed. Risk staff; 14 Mar 2019. The election of Donald Trump as U.S. president brought widespread anticipation of a regulatory rollback. “You have to assume hackers will get through, and what do you do then? Global trade wars and Brexit. Top business risks 4-10 Outside of business interruption, cyber risks and natural catastrophes there are a number of other risks worrying businesses. Intelligent automation ... to identify and help companies respond to risks is ever-increasing.
The fluctuations in the risks, as well as new risks highlight the ongoing disruption in the sector. Have you ever wondered what you need to create a scenario storyline? As data management and compliance headaches multiply, the financial sector is pushing to use machine learning to augment the modelling of everything from loan approvals to suspicious transactions. Under the advanced measurement approach to measuring op risk capital which most US banks use, sizeable op risk losses can heavily skew a model’s outputs. “However, if there was an incident that took down a cloud provider such as AWS or Azure, or a component part of the cloud infrastructure, this could cause an outage for thousands of individual companies.” … Climate change (#8 with 13% of responses) and Shortage of skilled workforce (#10 with 9% of responses) are the biggest climbers globally. Companies have responded by compartmentalising data and storing it across several locations in an effort to reduce the potential loss from a single breach. On page 16 we look in more depth at the steps banks can take to build resilience in this context. According to Resilience360, those top 10 supply-chain risks are: 1. It is considered separately from the threat of data compromise, where data breaches share the common driver of a malicious external threat. This was an update of our award-winning taxonomy published in 2018.
Last year it set up the Operational Resilience Working Group – its first goal has been “to identify the range of existing practice in cyber resilience, and assess gaps and possible policy measures to enhance banks’ broader operational resilience going forward”, the committee said in a November 2018 document. Firms have shelled out a scarcely credible $607 billion in fines for conduct-related misdemeanours since 2010, the bulk of them related to fines and redress over mis-selling claims. In a landmark case in October 2018, US authorities fined fund manager Voya Financial $1 million after a security breach allowed hackers to steal the personal details of thousands of customers.
An active defence should also include penetration testing, both online and physical. We worked with 43 financial institutions to understand how they manage their operational risk frameworks. Problems arising during technology upgrades or changes are perhaps the most often mentioned risks in this threat category. Firms operating within the EU or holding data on EU citizens – which puts just about every firm around the world in scope, to some degree – may be heavily fined for falling foul of the regime, for instance, by failing to explicitly gain consent from individuals to retain and use their data. It could be concerns about data quality, particularly of historical data stored on legacy systems, which carries with it problems such as format and reliability. It can be just making sure you are storing data in several places, splitting your data so [hackers] getting into one file won’t get what they need,” says one senior risk practitioner. Conduct’s high ranking is driven by retail misselling concerns from European participants, whereas information security is a key concern for all regions. For example, the EU’s Mifid II markets regime requires trading platforms and investment firms to collect personal information on the counterparties to every trade – not just a potential privacy issue, but a new and worrying point of entry to would-be hackers. Nine out of ten people breathe polluted air every day. The Danish financial regulator has imposed higher capital requirements, and the US Department of Justice has begun a criminal investigation.
But from a capital point of view, there are hopeful signs that with the severity and frequency of losses decreasing, RWAs are starting to see a gradual rolldown for most banks – though the US Federal Reserve has privately made clear it will not sign off any more changes to bank op risk models, leaving their methodologies frozen in time. Brexit will soon probably provide many such examples.