
RISK MANAGEMENT • DERIVATIVES • REGULATION

Risk.net March 2021

Top 10 op risks 2021
Supported by
Contents

2 Introduction
Op risk managers could be Covid long haulers
New threats sprang from old sources in this year’s Top 10 op risks, belying a big drop in losses

3 Sponsored feature
The importance of getting technology change right
Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, covers some of the rapid technological changes under way brought about by, and in the wake of, the Covid-19 pandemic

5 Top 10 op risks 2021
The biggest operational risks for 2021, as chosen by industry practitioners

#01 5 IT disruption
Integrity of core systems paramount as risk managers battle outages and hacks in work from home era

#02 6 Data compromise
Remote working elevates fears of data theft, misuse and abuse

#03 7 Resilience risk
Industry survives biggest real-world stress test, but challenges remain for firms and regulators

#04 8 Theft and fraud
Changes in working practices since Covid shift angle of criminal attack on financial institutions

#05 9 Third-party risk
Pandemic and shift to cloud computing inflame concerns for banks and regulators

#06 10 Conduct risk
Remote working vastly complicates the job of conduct risk supervisors

#07 11 Regulatory risk
Big dip in fines belies lingering fears over Covid loan mis-selling and sanctions risk

#08 12 Organisational change
Change the sole constant as industry ponders its post-Covid future

#09 13 Geopolitical risk
Stimulus unwind, Covid nationalism and regime changes spell volatile operating environment

#10 14 Employee wellbeing
All-encompassing impact of Covid leaves employees with the feeling of ‘living from work’

15 Sponsored feature
Heightened operational risks in a changing world
Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses the growth of conduct and operational risks in the light of the pandemic, including those caused by mass home-working, the enhanced technological ability to address them, and why we should design a new type of workplace culture or risk losing one altogether

1 risk.net March 2021


Top 10 op risks
Introduction

In depth
Monthly special features: Top 10 operational risks 2021
Illustration: Mark Long, nbillustration.co.uk
Supported by:

Op risk managers could be Covid long haulers

Like many, operational risk managers were glad to see the back of 2020. Unlike most, their worries show few signs of easing. The giant sources of op risk engendered by the coronavirus – opportunistic cyber attacks, creative money laundering and vast new possibilities for internal fraud – aren’t going anywhere, even as the world charts a course out of lockdown.

Among broad categories of concern, this year’s Top 10 operational risks look superficially similar to previous years, with movement between them as expected: conduct and resilience risk have both risen up firms’ agendas, with more esoteric concerns like organisational change and talent risk dropping. Employee wellbeing was the sole new entry – both a welcome sign that managers are taking the human element seriously, and a worrying one that the scale of the problem is big enough to be top of mind.

Yet within each category, risk profiles have changed dramatically in ways that are difficult to predict and impossible to fully track. The threat of IT disruption remains the top collective concern, for instance, but conversations suggest that owes as much to insider threats from disgruntled employees – those on notice or paid leave who still have access to systems and controls, for instance, or sensitive data – as it does longstanding worries over outages and overloads. And perhaps counterintuitively, the trend in op risk losses has been falling during the pandemic, along with attendant capital numbers – 2020 marked a post-crisis low in both frequency and severity of losses, according to data from ORX News.

When might the increased array of threats firms face in the work-from-home era crystallise as loss events? That all depends. When modelling losses, firms tend to divide events between those stemming from conduct related issues, and everything else. In part this is due to the difficulty of modelling the former, given it is skewed by infrequent, but catastrophically large losses.

But conduct losses are also a slow burn: fines for mis-selling, market manipulation and most forms of internal fraud take a long time to come to light, then hang around for far longer – perhaps forever, in reputational terms. “When we model, we assume most conduct losses will show a three-to-five year lag – whereas normal, transaction-style losses will appear within a one-year window. One year into Covid, we’ve not seen any transaction losses of any real note – so I don’t know whether we will now. But who knows what conduct looks like,” says the head of op risk capital at one European bank.

Covid has also exposed the limitations of point-in-time year-ahead forecasts, including our Top 10 op risks survey. Few risk managers reported pandemic risk among their top concerns last year – one honest bank admitted it drew up a pandemic scenario, before dismissing it as unrealistic. It last appeared in 2013’s Top 10, in the wake of the Asian swine flu epidemic.

So, Risk.net is considering ways to shake up the format of the Top 10 op risks, to make it more dynamic and informative for readers. What might that look like? A quarterly poll, to see how the main areas of concern for op risk managers evolve over the course of a year? Or a free-form exercise designed to identify emerging risks?

Tom Osborn, Editor, Risk Management
Let us know your thoughts: send suggestions to [email protected]

Quote me

“The consequences of IT disruption are likely to be higher, because of our increasing dependency on technology”
Operational risk consultant

“Two years ago, resilience sounded like an academic concept: ‘you’re only as strong as your weakest link’. But it’s so true – this year has proved that in spades”
Head of strategic risk, US asset manager

“By working in the office, you can pick up informal signals and signs that may point to issues”
Head of op risk at a large international bank

“I feel that we are seeing increased volatility in previously stable regions. This could, for example, be demonstrated by the recent storming of the US Capitol: an event in a country that I would have always considered to be among one of the most stable in the world”
Non-financial risk consultant

SPONSORED FEATURE

The importance of getting technology change right

Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, covers some of the rapid technological changes under way brought about by, and in the wake of, the Covid-19 pandemic

Key takeaways
• Covid-19-propelled digitisation is increasing the number of technology change projects.
• Failed technology changes are more serious than other change management failures and they are likely to impact customers.
• Identifying why projects fail, continuing investment and change, using cloud technology and having robust governance arrangements are all vital to reducing the number of incidents and their impact.
• Having in place a robust IT or cyber risk incident response plan, including required third-party support, is essential to mitigate fallout from failed IT change management or other IT and cyber risk incidents.

Technology change on steroids

Technology in financial services is no longer limited to fintechs. Its adoption is a vital component of every financial institution’s business model in responding to disruptive competitors, meeting higher customer expectations and reducing costs. We have been living in the fourth industrial revolution for some time, but Covid-19 has further accelerated the digitisation of financial services – some commentators consider parts of the industry have advanced five years within the space of just one year – and, inevitably, installing new IT brings new opportunities, but also risks. Given the intensity of technology changes being put through at a fast pace with stretched resources, the usual risks may be elevated, particularly where there are new technologies. Operational risk managers must design and put in place effective processes to identify, manage and monitor them – during and after change. The increased expectations of financial institutions in this respect are growing, as reflected in an increasing number of regulatory requirements.

Technology change management review

The recent publication by the UK Financial Conduct Authority (FCA) of a cross-financial services review into technology change management is timely and welcome.1 While the organisations surveyed are UK licensed, the findings are relevant to all financial institutions wherever they are regulated. The review considers how financial institutions manage IT change, the impact when changes fail, and how to reduce their number and seriousness. It aims to identify ways in which related operational risk can be reduced.

With increased dependency on digital services, even short-lived incidents, such as a denial of service, can cause significant disruption, reputational fallout and regulatory exposure. According to the FCA survey, failed IT changes are generally more serious than other change management failures, and even low-level incidents – especially when they are customer-facing – can trigger potential regulatory investigations and public enforcement action. Most financial institutions, other than fintechs, still rely on legacy infrastructures, and replacing them is associated with the highest failure rate in change management. It is for this reason many institutions are reluctant to migrate to new systems when, despite much planning and preparation, there are too many examples of problematic outcomes. On the other hand, more promisingly, cloud technology is being rapidly adopted. While it has advantages and disadvantages, it can reduce the risks involved with technology change.

The FCA review confirms that there is no one-size-fits-all solution to successful change management. Nevertheless, it confirms that robust governance arrangements and ongoing investment into technology beyond any given change life cycle are central to reducing the number of incidents and their impact.

Drivers of change

What are the drivers of change? The review found the most common reasons for technology change were maintenance and upkeep, satisfying regulatory and legal requirements, followed by improvements for customers – for example, to improve their experience of a service with new interfaces and additional functionality. Other drivers include costs and company growth, which is especially relevant for fintech entrants as they begin to scale up their operations and customer base.

Risk characteristics

Where should financial institutions focus their efforts to reduce the risks associated with change management projects? The evidence shows there are a number of key characteristics shared by all high-risk projects. Some of those identified by the FCA review are unsurprising. These are projects with external dependencies, where there are tight deadlines or poorly defined goals, as well as matters characterised as ‘major’ projects, where complexity and a failure to break them up into more




manageably sized projects increases the risk profile. Of special interest are projects that involve replacing legacy technologies. These have been ‘patched over’ for many years and work alongside newer applications – a particular issue with traditional banks and insurers – and those involving unused technology within an organisation or employing emerging technologies, such as blockchain, artificial intelligence and machine learning.

Another category bearing elevated levels of risk is those projects with substantial numbers of staff located offshore. In this regard, the role of third parties is not always factored in sufficiently and clearer communication on their responsibilities is needed. Increasingly, and more so in sectors such as payments, reliance is on unregulated companies providing technology or technical services to the financial sector, another important risk factor.

[Photo: Christoph Kurth]

The importance of governance

Many financial institutions use governance bodies (change advisory boards) to support the assessment, prioritisation, authorisation and scheduling of changes. The use of change management by financial institutions is also not new. In fact, the review found that most entities surveyed actually had in place “rigorous governance arrangements”. A key takeaway is that, while less than 2% of technology changes go wrong, due to their sheer number their impact is significant, with 14% of these resulting in customer impacts.

As organisations speed up digitisation to enable remote working, the shift of customer preferences to digital channels and investing to improve efficiency, boost productivity and profitability, senior management must plan the implementation and risk management of change projects with extra care. The effective use of project management is also critical to achieve a high rate of success with change management, not least in ensuring that strategic objectives are met, ensuring high standards of risk management and quality control.

Effective governance starts with senior managers who should take steps to secure an effective operational environment. Here, governance arrangements that have been in place longer tend to enjoy a higher rate of success. A caveat is that such arrangements should not be left to themselves. As opposed to ad hoc reviews, best practice means regular reviews to ensure they remain adequate for the task, which may itself evolve when technology and business models continue to adapt as quickly as they are currently. Besides senior management, non-executive directors should bolster governance by challenging change plans. While the board is ultimately responsible, the chief operating officer or another member of senior management should have direct and specific responsibility for managing technology change. Of course, some jurisdictions such as the UK impose prescribed responsibilities on senior management function holders, who will be liable when things go wrong if they have failed to take reasonable steps.

The importance of continued investment and change

The FCA review also reveals a direct correlation between lower levels of legacy infrastructure and the success rate when implementing technology change. Moreover, financial institutions with less legacy infrastructure are less likely to have to install IT changes in an emergency, and those changes tend to be more successful – a virtuous circle. By their nature, emergency changes are carried out with speed, increasing the margin for error and risk, exacerbating any existing weaknesses. Clearly, therefore, investment in renewing and deploying up-to-date technology brings advantages beyond its inherent efficiencies and capabilities. Hence, a reluctance to invest in IT is a false economy.

The review data shows that financial institutions investing a high percentage of their IT budget in change activities tend to make fewer changes that give rise to issues. The principle of ‘little but often’ has its rewards. The concept of regular updates is a reminder that managing the risks of change as part of everyday project management is more likely to be successful in comparison to using risk management on a one-off basis.

Cloud-based infrastructure

Public cloud service providers are fast becoming part of the financial infrastructure. They provide on-demand computing services and infrastructure managed by third parties shared with multiple entities. Financial institutions are becoming progressively more dependent on cloud because of its ability to reduce costs, enable businesses to adopt and scale new technology on demand, accelerate digital transformation and facilitate mandatory data analytics. Although they can result in a lower level of oversight and direct control, an additional benefit of change management with cloud is that it allows for more frequent change cycles and greater automation, as in repetition and consistency. This not only reduces the need for ‘big bang’ changes and lowers the manual risks around technology change, but also improves the ability to respond when something goes wrong.

The importance of incident readiness

Even the best-managed change project does not guarantee frictionless implementation, and even frictionless implementation of change is no guarantee for ongoing operations without friction. Because of these realities and the ever-wider use of technology, it is recognised that the management of operational IT risk and its counterpart, operational IT resilience, are increasingly important. This is reflected by the emphasis regulators place on adequate systems and controls, management reporting and clarity over senior manager responsibilities. This is against a background of recent high-profile failures in technology change management that have led to significant levels of disruption and customer detriment. Accordingly, it is essential that, during the change process and beyond, financial institutions have robust IT and cyber incident response plans in place. As a starting point, financial institutions should identify their key business services, including people, processes, facilities, information and, in particular, the technology that supports these services. They must have clear governance around each technology, a clear understanding of the data these technologies process and how the process can be controlled or control recovered. Part and parcel of a robust incident response plan are also unambiguous escalation and reporting procedures, a solid understanding of reporting obligations and the instantaneous availability of trusted partners that can be brought in to help manage an incident whenever and wherever it materialises, including forensic firms and law firms.

While customers might benefit from a stronger operating platform in the future, if technology change results in service disruption, or an increased technology risk profile post-change is not managed properly, regulatory and reputational fallout from technology failure or vulnerabilities will obscure the benefits to the business for some time. The opportunities that new technology brings require improved operational risk management capabilities and practices. This is particularly true during this current time of rapid change.

1 FCA (February 2021), Implementing technology change, https://bit.ly/3upCCPW

Top 10 op risks 2021

Welcome to Risk.net’s annual ranking of the top op risks for 2021, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.

As in years past, there is no great secret to the methodology: Risk.net’s editorial team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.

The survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide. As ever, Risk.net invites feedback on the guide and its contents – please send all views to [email protected]. Thank you for reading. ■

Profiles by Steve Marlin, James Ryder, Costas Mourselas, Karen Lai and Tom Osborn.

A. Top 10 operational risks 2021

Position  Op risk                2020 position
1         IT disruption          1
2         Data compromise        2
3         Resilience risk        5
4         Theft and fraud        3
5         Third-party risk       4
6         Conduct risk           7
7         Regulatory risk        8
8         Organisational change  6
9         Geopolitical risk      9
10        Employee wellbeing     -

#1 IT disruption

Integrity of core systems paramount as risk managers battle outages and hacks in work from home era

Risk managers might look back on 2020 as the year in which the threat of IT disruption – an already broad remit encompassing everything from accidental systems blackouts to deliberate attacks by outside actors – exploded into millions of home offices around the globe.

The shift to remote working left financial firms more exposed than ever to cyber attacks by high-tech adversaries, backdoor threats introduced via newly critical third-party suppliers, or hackers intent on causing chaos.

Small wonder then that industry respondents ranked IT disruption their top concern once again in this year’s Top 10 op risks, and by a greater margin than previously. While the industry surprised itself with its ability to function so effectively from home, some teething problems were inevitable. Housebound employees are still intimately familiar with the turmoil created by dodgy Wi-Fi connections, a virtual private network going down at the worst possible time, or the system they are trying to remote into falling over under the sheer weight of traffic.

Meanwhile, threats such as ransomware attempts, which might be easy to manage and dismiss in the office, took on a new, lethal credibility outside the office.

“The threat landscape from ransomware remains on the rise with threat actors looking for new ways to facilitate ransom payments, such as targeting senior management mail inboxes,” says an operational risk head at one global bank.

Regulators are paying close attention. Last October, Nick Strange, senior technical adviser for operational risk and resilience at the Prudential Regulation Authority, said supervisors were considering whether “regularised” remote working would improve resilience or “increase technology risk as a single point of failure”. The Bank of England is in the midst of putting together its long-awaited operational resilience framework, and recent events may factor into that equation.

Perhaps more surprisingly, there were fewer operational loss events attributable to outages in 2020 compared with previous years. But high-profile tech failures at a number of banks and technology vendors and trading platforms led to chaos in key markets such as futures and foreign exchange trading during March’s unprecedented cross-market volatility.

In a prescient report published in January 2020, the BoE found that the largest banks and insurers were together highly reliant on the two largest cloud providers. In late 2020, the Federal Reserve Bank of New York warned that problems at one of the large cloud providers could “plague multiple institutions at once”, causing a large-scale shock that “wouldn’t be possible if we had a more diverse ecosystem”.

Regulators weren’t immune to high-profile tech failures last year: the European Central Bank suffered an outage of nearly 10 hours on October 23, 2020 to its Target2 real-time gross settlement system caused by a software defect on a device used in the internal network of the central banks operating the service on behalf of the Eurosystem. A review by the ECB, the findings of which will be released in the second quarter of 2021, is investigating this incident as well as others that took place during 2020, including those affecting Target2-Securities, the Eurosystem’s securities settlement platform.

The introduction of new systems and platforms products always carries risks, some of them harder to quantify than others. Fines for systems outages are getting bigger, though – and are a clear driver




of regulators’ recent operational resilience efforts.

“If we put a new system, and it doesn’t work, regulators will come down on us like a ton of bricks. But the biggest damage will be reputational damage. And that is difficult to put a dollar value on. [But] there will be an economic loss financially as well,” says a senior risk manager at one financial market intermediary.

Keeping cyber security up to date is a constant battle, and some industry figures see breaches as an inevitability. Systems revamps remain a critical – and familiar – source of IT risk; the same individual points to the potential for outages during tech overhauls, adding that, “reliance” on old or legacy systems, “developed using outdated coding language [and] combined with a shortage of knowledgeable IT staff” is a continued problem.

“Legacy systems are particularly prone to issues arising from change management, due to the bespoke way they have been adapted over a number of years,” the op risk head says.

Of course, clients and other stakeholders rarely care what causes an outage, meaning any operational failure can also have serious reputational consequences, particularly where customer-facing systems – like banking apps or payments services – are affected.

“Say we’re putting in a bug or enhancement and it goes wrong, and as a result your systems go down. We experienced that when we implemented a new online platform a couple of years ago where it was up and down the first couple of days. You have to understand the criticality and the customer impact of any type of service disruption, whether it is fraud or cyber related or normal change management,” says an operational risk executive at a North American bank.

An operational risk consultant shares those concerns, adding that “burnout” of key employees tasked with maintaining and upgrading systems caused by the long-term uncertainties of Covid-19 could compound the legacy problem.

“There is also the exposure aspect: the consequences of IT disruption are likely to be higher, because of our increasing dependency on technology,” they add.

While the risk of IT disruption during legacy tech overhauls predates Covid-19, the consultant points out that, as firms grow ever larger – which in itself boosts concentration risk – the likelihood of such mistakes also increases; more systems requiring adjustment means more labour, and a greater chance that mistakes will be made in the process.

“The older and bigger firms I work with have more problems,” the consultant says. “Firms that grow by acquisitions often have unintegrated and fragmented systems; they need to be updated and modified.” ■

#2 Data compromise

Remote working elevates fears of data theft, misuse and abuse

For those tasked with keeping track of their organisations’ sensitive data, 2021 is shaping up to be a tough year. Large numbers of staff at financial firms are working remotely, due to the lingering effects of the coronavirus pandemic. Many users are having to access systems via VPN, often over home Wi-Fi networks, which increases the opportunity for cyber breaches. With staff scattered to the four winds, managers also lack physical oversight of potential bad actors.

Throw in a steep rise in ransomware attacks and phishing reported by most respondents to this year’s survey, and it’s not hard to see why threats to information security rank a narrow second in the Top 10 op risks 2021, behind only the basic functioning of systems.

“Information security is one area where requests and demands on proving our capability is taking far more work than I thought. The rapid adoption of cloud because of Covid means you have to double down on governance and monitoring,” says the head of cyber risk at a large US bank.

At the root of most data compromise events are faulty processes and procedures. Human error can also be a factor – or, in an era when many staff are at risk of job cuts or placed on reduced hours, malfeasance.

While financial firms publicly reported fewer losses from breaches than in previous years, 2020 brought some high-profile examples. Many firms say they are closely monitoring the ongoing fallout of the 2020 hack of SolarWinds, fearing they haven’t heard the last of the giant breach at the US software company.

At the advent of the Covid crisis last March, SolarWinds’ Orion software – employed somewhat ironically by a number of US government agencies for network outage monitoring, as well as other companies – was breached. SolarWinds’ general clients list, which has recently been removed from the firm’s website, included companies like Credit Suisse, MasterCard, and Ameritrade. Various US officials have stated that a hacking group backed by Russia is behind the attack.

On February 1, 2021, the Office of the Washington State Auditor revealed that personal information from about 1.6 million unemployment claims made in 2020 may have been exposed to unauthorised access. The compromise took place at a third-party software services provider, Accellion, when records were in temporary storage awaiting file transfer.

Bank of America suffered a data breach on April 22, 2020, while it was uploading client loan application data to the Small Business Administration’s test application platform for the Paycheck Protection Program, the bank revealed in a regulatory filing. It became apparent that other lenders and their vendors may have been able to view applicant information, such as business address and tax identification number, as well as personal information.

Breaches such as these have a range of effects on financial institutions, including legal costs, payments for customer redress and regulatory penalties. There is a potentially longer-lasting impact from reputational damage, in loss of business.

A typical breach involves a perpetrator finding weaknesses in an institution’s IT infrastructure in order to gain access to confidential information. This can be accomplished by using malware via tactics such as phishing. However, breaches can also occur from the inside, for example when firms install faulty software.

A further area of weakness can be at the point of contact with third-party service providers. The increasing reliance of many banks on cloud providers is a concern for many IT risk professionals.

“When you’re utilising cloud providers, you’re at their mercy. One small hiccup and it’s a headline risk,” says the head of cyber risk at the US bank.


The country-level chief risk officer at an international bank sees it differently. In his eyes, while increased use of cloud providers does limit a bank’s surveillance capabilities versus using internal systems, this is partially mitigated by increased resilience from more sophisticated cloud providers’ defence systems.

“You will have an attack, and they’re going to get everything they want. All you have to do is check the phishing results, to realise there’s always 1%–5% of your staff that are going to give their password, their code name, their email, everything,” he says.

“But the cloud is a lot more resilient than an in-house system, because you can have multiple copies of your overall environment ready to be rolled out. As soon as one of them gets hacked, you can have teams monitoring the network for instability,” he adds.

A joint statement on sound cyber security risk practices issued by US regulators in 2020 highlights three critical areas: response and resilience capabilities, authentication and system configuration.

Identity and access management are important controls in securing the IT environment, regulators noted. Institutions should establish authentication controls such as multifactor authentication, and implement controls that limit user privileges to enter and change critical business data, and regularly review levels of assigned access.

Institutions are urged to practice good “cyber hygiene” by securely configuring networks, documenting security standards, performing vulnerability scans of all network and hardware system components, and rolling out anti-malware software.

Education is also a key part of an institution’s defences. Firms should implement ongoing training on recognising cyber threats, phishing and suspicious links. ■

#3 Resilience risk
Industry survives biggest real-world stress test, but challenges remain for firms and regulators

Two years ago, in the course of routine business continuity planning, one of the world’s largest banks drew up a scenario in which a third of its global workforce was locked out of their offices without warning due to a pandemic. It tore it up, dismissing it as unrealistic.
“Our planning wasn’t good enough,” says a senior executive at the bank, reflecting on the real-world stress test of the financial industry’s resilience that was 2020. “I’ll be candid: we never thought about the global non-availability of staff to anything like this degree. We talked about it – we even looked at pandemic modelling based on World Health Organization data – but we said ‘this couldn’t happen’. We only considered the impact in very localised contexts.”
He is far from alone, of course: financial firms of all stripes and in every corner of the globe have weathered coronavirus-related tumult this year, testing their capacity to deal with challenges such as unprecedented market volatility, back-office bottlenecks and trade breaks, all while rushing to properly equip employees for long-term remote working.
Risk managers cited threats to their operational resilience so frequently, in fact, that it appears at third place in this year’s Top 10, behind only risks specifically threatening the basic functioning of systems and the security of data.
Resilience planning – which the head of strategic risk at one large US asset manager distinguishes from operational risk management as the ability to bounce back from failures, rather than trying to prevent them from happening – was a new entrant in last year’s Top 10, sitting awkwardly among more familiar threat categories like technological disruption, fraud and conduct risk. Back then, its appearance owed more to a renewed regulatory focus on both sides of the Atlantic; this year, as the op risk head puts it, it has become a daily reality.
“Two years ago, resilience sounded like an academic concept: ‘you’re only as strong as your weakest link’. But it’s so true – this year has proved that in spades,” he says.
Interconnectivity and concentration risk are familiar to the financial sector; third-party concentration risk was foregrounded sharply over 2020, with numerous industry voices calling attention to the increasing reliance of financial firms on a small group of cloud providers. The resilience of such entities is critical, regulators said, with systemic implications; while cloud platform behemoths Amazon, Google and Microsoft have enabled employees to keep working as offices closed, even a short outage at any one of them could have huge consequences for the sector at large.
Given global watchdogs are still drafting their supervisory frameworks around resilience, the regulatory context is still vitally important – and in a case of practice rapidly overtaking theory, watchdogs are amending their proposed requirements in response to the pandemic.
In October, Nick Strange, senior technical adviser for operational risk and resilience at the UK’s Prudential Regulation Authority, told a Risk.net conference the UK could revisit its stance on hard-and-fast targets on minimum service provision after outages, to see whether they were “still appropriate” following the coronavirus – an issue global supervisors have not always seen eye to eye on.
On October 30, the US Federal Reserve published its own sound practices to strengthen operational resilience proposals, in a short discussion paper. Prior to publication, Fed deputy director for policy Arthur Lindo – who also leads the Basel Committee on Banking Supervision’s working group on operational resilience issues – said that the Fed’s stance had been strongly influenced by the responses of financial companies to the pandemic.
“The importance of design[ing] resilient systems and operations, along with incident response programmes, has been highlighted as banks have needed to respond to Covid-19 related impacts,” says one US op risk supervisor. The individual adds that the prevalence of other threats, like natural disasters and the use of ransomware, also make the need for such resilience clear.
The Basel Committee also published its own high-level operational resilience proposals in 2020, issuing a consultation paper in August. The Basel paper takes the view that the work of resilience must be multidisciplinary, involving concerted efforts from a number of functions including continuity planners, risk management and governance – while leaving national supervisors a fair amount of latitude to tailor requirements for their own jurisdictions.


One senior risk manager at a large financial service firm, himself a former supervisor, points out that defining resilience is in practice difficult for some supervisors. Operational resilience is defined by the Bank of England and the Financial Conduct Authority (FCA) as the ability of firms to resist and respond to operational disruption.
“What do you define as, ‘It’s still working?’” the individual asks. “People have different standards, and tolerances are massively different… How do you capture the diverse topography of what people think works for them? That’s conceptually very hard: it’s easier for the Fed, the PRA and the SEC, because they deal with major banks; the FCA looks at 56,000 firms with all sorts of business models.”
Industry professionals agree that operational resilience cannot be understood in a vacuum, given the sheer volume and variety of events that can put pressure on a firm’s day-to-day performance. It is a meta-category of sorts, given almost all threats can, in their own way, upset the usual course of business at dense and highly interconnected financial companies.
“Business continuity and operational resilience [are] consequential, and pivot off from other operational risk types like information security, third-party and IT risk,” says one op risk manager.
Some risk managers take a sunnier view of the cloud provision issue. One professional, a chief risk officer at a global bank, argues that while heightened use of such providers and outsourcing in general increases the risk of IT disruption, the potential danger of such practices is “partially mitigated” by the resilience of the cloud providers themselves.
The ex-regulator argues that supervisors themselves – subject to the same social distancing and remote working guidelines as financial companies – were equally ill-prepared for the coronavirus, and are also struggling to perform certain duties.
“They were nowhere near ready,” the individual says. Having worked for a well-known regulator, they say that the body does have some equipment for remote operations, but that the “serious calculatory work” regulators conduct is not possible without a desktop or high-powered laptop. “You can basically write a few scathing letters and email people,” they add – something which could explain the big drop in fines. ■

#4 Theft and fraud
Changes in working practices since Covid shift angle of criminal attack on financial institutions

Even in normal times, the risk of theft and fraud is high on the priority list for banks. In the post-Covid age, the risk has intensified as it morphs into new, dangerous forms.
Pandemic-related changes to business practices and consumer habits have opened or exacerbated at least four areas of vulnerability for banks. Government stimulus programmes have dangled juicy morsels of cash for fraudsters to target. Banks’ own fraud detection systems have been thrown off kilter by the sudden shift to online banking. Criminals are also taking advantage of the rise in home-working to trick consumers into transferring money to fake destinations. And with more bank staff themselves working remotely, the potential for internal misdeeds is growing.
As the head of operational risk at a North American dealer says: “The risk of internal fraud such as rogue trading is amplified by people working remotely.”
US banking giant JP Morgan fell victim to its own, home-grown fraud when it discovered last September that staff had siphoned off funds intended for pandemic-hit businesses into their own accounts. The funds were provided by the US government under its Economic Injury Disaster Loan programme. A small number of staff were subsequently fired, according to media reports.
Brazil’s Caixa Bank was forced to block thousands of accounts in July, after hackers attempted to steal coronavirus relief payments.
“Any time you have government handouts, there’s always the possibility of fraud,” says an operational risk executive at a North American bank. “You have another round of stimulus handouts so you may see fraud related to that.” US lawmakers approved a third wave of stimulus payments to eligible individuals in late February.
A bulletin by the Financial Industry Regulatory Authority, issued last May, noted an increase in the use of stolen information to establish accounts to divert congressional stimulus funds and unemployment payments.
Op risk managers are right to be worried about fraud. Losses attributable to internal and external fraud made up the largest single loss category for banks and financial institutions in 2020, according to publicly reported loss data collected by ORX News, an op risk data service. Fraud losses totalled $17.9 billion last year, versus $13.8 billion for the second-largest category, ‘clients, products and business practices’.
Another type of scam, according to Finra, involves impersonating firms and creating fake websites to trick customers into revealing personal information or transferring funds. Imposter websites typically mimic a firm’s actual website by creating genuine-looking email domains and accounts to obtain personal information or login credentials, which criminals can use for financial fraud. Finra noted that the prevalence of remote working may increase the likelihood of this type of activity.
Meanwhile, banks’ own defences against fraud have been wrong-footed by changes in consumer habits since the onset of the pandemic. Artificial intelligence-based systems that were trained on past patterns of behaviour began churning out large numbers of false positives as online transactions soared. The bank bots, in effect, saw breaches when there were none, increasing the likelihood that real cases of fraud go undetected amid the noise.
In response, banks have had to supplement machine learning models with more traditional rules-based systems that classify transactions according to pre-set criteria such as age, occupation and income.
Changes in working patterns have affected bank staff too. With many employees either working from home or remote trading floors, financial institutions have seen an increased potential for internal fraud. As the head of a risk control firm described last year, it’s not unusual for young traders to co-habit. How can firms guard against collusion by housemates who may work for rival institutions?
Banks have reacted by upping their surveillance. They are analysing voice communication records,


trade data and employee behaviour to determine whether a transaction is suspicious. The head of op risk at the North American dealer says the firm is tightening controls over what people can receive and send in their email systems.
Fraud losses haven’t yet trickled through into a material increase in operational risk capital, says the operational risk executive, but that could change once a full year’s worth of data becomes available. “We are working on data which is six months old. So the actual effects of what has been happening recently aren’t apparent yet.”
Ransomware attacks also have seen an increase since the start of the pandemic. The number of ransomware attacks against the financial sector grew by nine times from the beginning of February 2020 to the end of April 2020, according to a survey of chief information security officers by tech vendor VMware Carbon Black.
The Financial Crimes Enforcement Network, a unit of the US Treasury, in 2020 warned of a sharp increase in the use of virtual currencies by cyber insurance companies, which could indicate that a business covered by cyber insurance has been targeted by ransomware. Any rise in the flow of criminal money through the financial system could leave banks at greater risk of breaching anti-money laundering rules.
Despite plummeting cash use in many countries facing strict lockdown, money laundering continues to be a major fraud concern.

[Figure 1. Losses by event type: bar chart of losses in $ billion (axis 0–28) for 2020, 2019 and 2018, by event type: internal fraud; external fraud; employee practices and workplace safety; clients, products and business practices; natural disasters and public safety; technology and infrastructure failure; execution, delivery and process management. Source: ORX News]

Under anti-money laundering rules in the US, Europe and elsewhere, banks must file suspicious activity reports (SARs) for questionable transactions. However, regulators only have the resources to investigate a small percentage of these reports.
Banks have been seeking more clarity on what information to include in SARs in the hopes of cutting down on needless paperwork and being able to focus on truly fraudulent activity. Forthcoming rule changes in the US and Europe will introduce what’s hoped to be a more targeted approach to detecting dirty money. Firms will be required to identify specific risks and address them directly, instead of the current approach that leaves authorities swamped with reports, many of which are not an enforcement priority.
A proposed rulemaking in the US would encourage banks to boil down the content of SARs so that the reports only contain information with a “high degree of usefulness” for enforcement agencies. In other words, the onus shifts from the regulator to the bank in deciding what is or isn’t relevant.
In general, experts say institutions can help combat the threat of fraud by maintaining good cyber hygiene, which is network management and configuration and strong authentication, combined with effective security monitoring. ■

#5 Third-party risk
Pandemic and shift to cloud computing inflame concerns for banks and regulators

Creaking middleware vendors; the inability to pen-test data centres; critical support locations locked shut without warning: 2020 stress-tested organisations’ reliance on outsourcing beyond any op risk manager’s worst nightmares.
And with multinationals facing another year of uncertainty, in which employees and suppliers are part-exiled from their offices – another year in which most firms will be dependent on a handful of vendors to provide video conferencing, remote access to servers, or cloud storage – third-party risk is set to remain top of mind for many managers through 2021.
Among the concerns of financial institutions is to assess security weaknesses of their critical service providers – or for smaller outsourced firms, even their basic financial viability.
“It has never been more crucial for operational risk managers to take account of their company’s critical and core third-party service providers,” says an operational risk executive at a North American bank. “The risk they can expose to a company and its potential impact to daily business operations has never been greater.”
Once the pandemic took hold, financial institutions carried out evaluations of critical processes to determine whether they were being handled internally or by third parties. With many third-party vendors located in far-flung locations such as the Philippines, India, Mexico and eastern Europe, users have extended their oversight of key suppliers. Potential disruption to the third party’s business from Covid has reinforced the need for extra scrutiny.
“During Covid, we knew this was a big dependency and we looked at critical outsourced processes. Are they being supported domestically or by a vendor? If so, we had to go to service providers and manage them,” says another operational risk executive.
Firms have also been fielding enquiries from regulators, who have expressed keen interest in the resilience of organisations. The pandemic has spurred banks to investigate the controls their vendors have put in place for managing sensitive data, given the possibility of hackers or rogue employees exploiting network vulnerabilities.
Lapses in third-party risk management were a factor in several high-profile legal settlements during 2020. Deutsche Bank, in settling a case involving the Foreign Corrupt Practices Act, was flagged for inadequate due diligence over the risks


posed by third-party partners, such as the partner’s reputation and relationships with foreign officials. As part of the settlement, Deutsche must take steps to ensure the third party is performing the work described in the contract, and that its compensation is commensurate with the work being provided. The bank must also monitor third-party relationships through updated due diligence, training, audits and compliance certifications by the third party.
In January 2021, ORX News reported that the Australian Securities and Investments Commission and the Reserve Bank of New Zealand experienced data breaches in which a server used for file transfer was hacked. Access to the server was related to third-party file-sharing software that the two regulators were using.
Smaller banks that might have a greater reliance on outsourcing also found themselves exposed. In 2020 ORX News reported two cases of third-party IT suppliers experiencing issues with demand during the pandemic: Investitionsbank Berlin experienced a data breach caused by overcapacity in a third-party website processing grant applications, and Deutsche Kreditbank saw its externally hosted mobile banking app and brokerage website go down due to high demand.
Financial firms are keeping a close eye on the financial stability of their critical service providers, including scrutinising audited statements to determine their credit standing, sources of liquidity and available capital.
And regulators are stepping up their oversight of third-party relationships, especially in the area of cloud computing. In a joint statement in April 2020, US regulators warned that firms need to be able to identify and control the risks associated with cloud computing, and that contracts between cloud service providers and financial institutions need to be carefully reviewed and appropriate controls implemented to prevent operational failures or breaches.
In general, regulators are neutral to the technology or to whether a bank operates in-house, outsources to a more traditional network service provider, or outsources to a cloud provider. Their focus is on whether the institution is engaging that third-party service in a safe and sound manner. The responsibility for the third-party operation falls to the bank.
One industry professional points out that cloud service provision is currently a triopoly, with Amazon Web Services, Microsoft Azure and Google Cloud sharing most of the market between them. An outage or failure for one of this trio would create “a mess of awesome proportions”, the individual says.
As the pandemic has accelerated the move to the cloud, the work to assess the importance of applications being ported becomes more crucial. “We have seen cases where processes associated with applications are incorrect. Do we know what we’re putting into the cloud and making sure it’s accurate,” says the second operational risk executive.
Controls management is particularly tricky for hybrid cloud environments, say banks, in which public and private clouds are combined so that data can be shared between them. IT risk professionals note that hybrid clouds are more difficult to secure than private clouds, because it’s harder to delineate data flows, which apps are talking to which, and who has access, especially for organisations with large legacy systems.
The UK Prudential Regulation Authority, in 2019 guidance on third-party risk management, noted that when testing exit strategies from cloud service providers, firms with hybrid cloud environments needed to take into account the back-up functions located in their private cloud. ■

#6 Conduct risk
Remote working vastly complicates the job of conduct risk supervisors

For operational risk managers, circling the trading floor, happening upon colleagues in corridors or at the coffee machine and going to meetings have long been vital ways to spot hidden behaviours.
“By working in the office, you can pick up informal signals and signs that may point to issues,” says the head of op risk at a large international bank.
With many professionals confined to their homes since the early part of 2020, that source of intelligence has been lost. So it is not surprising that in the latest Risk.net ranking of Top 10 op risks, conduct risk has moved up from the seventh-most concerning risk for op risk managers to the sixth.
While informal controls on improper behaviour – such as rogue trading and mis-selling – have been eroded, at the same time the risk of misconduct has gone up, notes a regional chief risk officer at another large international bank.
For instance, several sources have pointed to situations where young traders share a house with bankers from other organisations, raising the risk that proprietary information will be leaked, whether by accident or intentionally. Similarly, when working from home, it is much easier to make a call on a personal mobile phone – something that is prohibited on many trading floors – though working in the office is not a panacea either.
“There is nothing to stop staff from doing that when working from the office,” says the head of op risk at the first bank. “They could just as easily walk out and have a coffee with a client.”
Remote working may have also increased psychological pressures on traders. But, without regularly seeing them in the office, it is much harder to identify those who are not in the right state of mind to be taking big risks and making a market for clients.
In response, some banks have enhanced formal controls on employees. One example is the introduction of 24-hour monitoring of the computers of traders who work from home.
The regional chief risk officer at the international bank adds that goals for staff need to be clearly defined to improve oversight. “[These] are even more important when you don’t see staff members every day,” he says.
In other cases, traders police themselves – by keeping open through the day a video chat with other traders at their firm, according to a source at a large Asian investment bank.
But op risk managers also have to simply trust staff more than they used to and rely on a good corporate culture, sources say. Although culture is a nebulous concept and proved challenging to maintain even in the pre-Covid era, the consequences of an unhealthy culture can be painful and long-lasting.
For example, in January 2021, Deutsche Bank agreed to pay US authorities almost $125 million to settle charges related to actions that took place during 2008–17. And in one of the largest recent fines for misconduct, Goldman Sachs shelled out a combined $5 billion in fines and settlements to various parties for its involvement in extensive fraud at Malaysian sovereign wealth fund 1MDB.


Before a corporate culture can be improved, its quality and weak spots need to be pinned down.
A novel way of doing that was proposed in November by a senior executive at HSBC. Georges Elhedery said firms could draw on the vast amounts of employee surveillance data, currently being gathered by dealers, to capture positive signals as well as negative on the bank’s culture. The data could be analysed by machine learning algorithms, he suggested. HSBC already makes use of machine learning bots across various channels of staff communication, to identify untoward activities.
But establishing a good culture is not enough. Firms then need to make sure it is resilient in the face of unexpected pressures and temptations. One such test came during the early stage of the Covid-19 pandemic, when the US government launched sweeping economic support measures, including loans to be routed to businesses through banks. The emergency package provided ample opportunity for fraud. For instance, in September, JP Morgan said in a memo to staff that it was investigating some employees for misuse of the Paycheck Protection Program loans and other government programmes.
With or without the pandemic, ensuring good conduct by staff is a perennial job for op risk managers. The danger is that the distance from colleagues and the potential feeling of alienation as many workers remain at home have made that job even harder. ■

#7 Regulatory risk
Big dip in fines belies lingering fears over Covid loan mis-selling and sanctions risk

When supervisors intervened in markets over the past 12 months, it was more often to protect lenders than slap firms with fines: with a couple of notable exceptions, regulatory penalties in 2020 plummeted as Covid-19 spread across the globe.
Still, regulatory risk – the fear that changes to rulesets and supervisory expectations create openings for operational mis-steps, disclosure challenges, restrictions on activity or straightforward financial penalties – is never far from thought for banks, stung by fines and penalties totalling almost $1 trillion over the last decade.
Those changes do not have to take the form of regulators wielding a big stick, or even be aimed at banks themselves; last year’s huge government intervention programmes are a case in point. Like many official sector initiatives put together in a hurry, lenders fear the government support packages could become a major source of operational risk.
Any rapid deviation from stated regulatory policy carries its own risks, many argued at the time: “We were having to implement new government programmes at lightning speed,” says a senior op risk executive at a large North American bank.

[Figure 2. Annual loss summary: number of loss events (right axis, 0–900) and loss amount in $ billion (left axis, 0–60) for each year 2016 to 2020. Data refers to financial services firms only. ORX maintains running totals of historical loss events, which it updates periodically – to take account of fines or settlement amounts subsequently increasing or decreasing, for instance, and to add previously unreported losses to its database. This means the loss totals reported here may differ from static prior year totals reported by Risk.net. Source: ORX News]

Regulators’ swift attempts during the springtime to help banks free up liquidity to support the economy created difficulties from a nuts-and-bolts modelling perspective – as well as a potential source of reputational risk for those firms that rapidly became seen as outliers.
Deutsche Bank, for instance, attracted scrutiny for its decision to extend the economic forecast horizon on its loan-loss provisioning model out to three years – even though it argued its move was designed to free up liquidity provision to the real economy in line with official sector requests – a decision that was subsequently vindicated.
The speed with which emergency loans to stricken businesses were rolled out meant banks were forced to expedite some of the usual key processes that safeguard against accusations of mis-selling by failing to rigorously assess whether new loan products meet client suitability criteria – chiefly, whether a customer actually needs the product, can afford it and that it is offered on a non-discriminatory basis.
In the US, the Paycheck Protection Program, designed to provide financial assistance to small businesses, resulted in allegations that large banks employed deceptive lending practices that favoured large clients by providing forgiveness of loan proceeds for up to two-and-a-half times an owner’s monthly payroll.
As the speed of change accelerates, organisations need to have appropriate processes in place to manage the changes. Covid has clearly pushed the pace of change to the limit.
“As an example, when we implemented the PPP programme, the rules came out on a Friday and we were up and running on a Monday. That doesn’t happen normally,” the senior op risk executive says, grimacing with understatement. “We were never [before] forced to operate at such speed.”
Another senior op risk manager at a large European bank says the dynamic holds true for their country’s Covid loan programme rollout too – and foresees trouble down the line if the


political landscape shifts decisively against banks, as it did after the financial crisis.
“I think everybody’s a bit nervous. We were asked to essentially execute against a government mandate at a speed that wasn’t consistent with normal processes. We weren’t asked to do much about checking affordability, and those sort of elements. You’re taking a leap of faith you got things right, and that the regulators and politicians won’t change [their attitude]. Because in five years’ time, if we have a government that says ‘no, we won’t [honour] any of the loan guarantees – the whole thing was your fault’ – then everyone is sitting on billions in unprotected credit risk. I don’t think that’ll happen – but there’s bound to be some ugly things that crawl out from under the woodwork, because it was so hard to do,” he says.
While 2020 brought fewer losses overall from fines and penalties, there were notable exceptions: Goldman Sachs’ mega $5 billion in penalties, settlements and disgorgements for its role in the 1MDB fraud being by far the largest of these. Citi was also fined over control failures that led to the bank inadvertently wiring more than $900 million to a group of hedge funds it was involved in a lending dispute with. The bank’s chief risk officer, Brad Hu, subsequently departed.
Sea-changes in the political landscape can also lead to shifting supervisory attitudes to areas of emerging risk too – and plenty of opportunities for compliance mis-steps. In the US, for instance, regulators have thus far moved with far less speed on climate change. But recent signals suggest that this could change in the near term. In an interview in February, acting Commodity Futures Trading Commission chair Rostin Behnam indicated a more interventionist attitude to climate-financial risk within the Biden administration.
Though government policy can be slow moving, professionals in the financial sector know where their industry is heading. One country-level chief risk officer says that the “most impactful” impetus for regulatory change is increasing awareness among supervisors of environmental risk factors.
“We’re entering a new phase for [the category], which is the quantification of environmental risks,” the CRO says. “Regulators have been kind, in a way, and the market is still being kind” – but the industry knows.
The CRO argues that, in the coming years, financial companies will need to tread cautiously when it comes to investment. “I expect you will have to be very careful [about] which types of exposures you put on; you’ll want to think twice about lending to a client with a negative environmental profile.”
That is certainly true for European asset managers, who will be required to comply with the ‘level one’ requirements of the European Union’s flagship Sustainable Finance Disclosure Regulation (SFDR) from next month, a painstaking new set of disclosure requirements for ESG-labelled investments. Full implementation of the regulatory technical standards will be required in January next year.
Finally, the insidious influence of Brexit continues to pull attention towards diverging regulatory frameworks. Earlier this year Risk.net reported on swaps trading drifting to the US, as a result of the lack of equivalence arrangements between the UK and EU; more recently, the UK Treasury has suggested it may walk away from the ‘open access’ Mifid II rule, with some commentators asserting that the move will allow exchanges to extract higher profits from customers. ■

#8 Organisational change
Change the sole constant as industry ponders its post-Covid future

When HSBC, Europe’s largest bank, announced late last month that it planned to reduce office space by 40%, it encapsulated what the long months since the start of the coronavirus crisis have driven home to many banks: plenty of the changes to operating environments wrought by Covid will be permanent.

In an era when many customers have learned to live without being able to visit their lender’s branches, many are openly contemplating a future in which the idea of a bank looks very different – one in which it could be leaner, cheaper and more resilient. That’s the plan, anyway: getting there will mean an immense amount of upheaval – and plenty of opportunities for mis-steps.

Op risk managers were fretting over their firms’ responses to epochal changes impacting their operating environments well before the pandemic struck: climate change, the Libor transition, Brexit, and digitalisation, to name a few. But Covid has accelerated the pace of change while proving that large organisations can be surprisingly nimble at weathering crises.

The rapid shift from on-site to work from home is an example of the need for effective change management for processes and services if it is to become permanent.

“Although the impact of Covid on operations has been well managed to date, there are risks associated with working practices over the coming year,” says an operational risk executive at a large global bank, pointing to changes in firms’ control environments that have only been patched so far as one area needing attention.

Still, as the pandemic enters its second year, companies will need to adapt to further changes down the road. Survey respondents cite change management as a perennial concern: the volume of change, ensuring appropriate budget prioritisation and executing shifting organisational mandates are raised frequently by firms of all stripes. Responses to the macro environment – such as Brexit, credit stress and changing regulator, investor and client attitudes to emerging risks such as climate change – are also cited as factors driving organisational change.

“Our industry and infrastructures are changing how we do things. All the banks are dealing with negative [real interest] rates, and how they are going to change from a Libor perspective,” says an operational risk executive at a large North American bank.

The speed of change and the need to innovate has spurred the introduction of technologies whose deployment needs careful management: machine learning, for instance, and robotic process automation. Banks need to have effective change management programmes to implement those in a safe and sound manner. Risks associated with organisational change can also take the form of mandatory regulatory requirements, project and programme management, legacy processes and systems and new third-party suppliers.

Managing change, and the potential overlap and interplay of these changes, can lead to a compounding of the impact of organisational change risk.

“Significant levels of change aimed at transforming and restructuring our organisational operating model are planned in 2021, alongside managing a demanding regulatory and risk agenda in a challenging economic environment,” says an operational risk executive at a large European bank.

The past year has taught the industry that it should not take anything for granted given fluctuating markets and an uncertain and changing customer base. Lack of strategic anticipation to address structural changes and maintain a sustainable business model, such as dependency on a few key products or markets, will mark the laggards.

Perhaps the biggest source of organisational change is idiosyncratic to each firm: mergers and acquisitions carry their own set of risks, including the integration of disparate systems, redrawing of organisational charts and turf battles.

The 2019 merger of SunTrust and BB&T to create Truist Financial Corp was expected to usher in a wave of mergers among small and medium banks. While the pandemic has put a damper on mergers during 2020, M&A activity is expected to resume once Covid ends.

“Business transformation risks, including the impact of recent major integrations and divestments, have downstream impacts on technology, operations, resiliency, third party and people risks,” says an operational risk executive at a large financial market infrastructure. ■

#9 Geopolitical risk
Stimulus unwind, Covid nationalism and regime changes spell volatile operating environment

Covid-19 erupted across the globe just as last year’s Top 10 operational risks survey was going to press – a pandemic few predicted the severity of, nor its long-lasting insidious effects. What followed from governments was equally unprecedented: an attempt to counteract the virus by shuttering entire economies almost overnight, and to tourniquet markets rapidly pricing in the impact with massive fiscal and monetary stimulus.

In the event, it took a Herculean effort from banks and financial firms just to keep pace with and adapt to these seismic changes to their operating environments. But perhaps greater risks lie in weaning markets off the medicine; in seeing which jurisdictions will move first to unlock their economies, following successful mass vaccination programmes; which will allow unrestricted international travel to resume – and how they’ll set out plans to unwind stimulus measures, and start paying for them in the painful years to come.

All of that seemed far off in March 2020, as central banks rushed to shore up markets that were reeling from the fallout. The US Federal Reserve, for instance, offered trillions in stimulus and monetary easing measures – but only after markets had endured a couple of weeks of unprecedented volatility, and the US Treasury market had flirted with disaster. Stimulus has also had a deeply distorting effect on price valuations: although the S&P fell 33% in March, by September it had risen even higher than pre-Covid levels.

“What is particularly troubling is that we’ve pretty much exhausted the governmental tools that we could use to solve this crisis,” says a regional chief risk officer of one Asian bank. “We can’t lower rates more – they’re at the bottom – and we can’t inject more liquidity, as that will go straight into the stock market again.”

Moreover, while central governments appeared to act in a co-ordinated way going into this crisis, it is far from certain that such a unified approach can be maintained, as the liquidity life support is switched off – raising the spectre of further market disruption and policy fragmentation. Any difference in approaches taken could potentially place an additional compliance burden on financial firms operating across multiple jurisdictions.

Changeable attitudes to Covid lockdowns have also made it harder for firms to recruit and organise staff when they need to, both in-house and with contractors. Sweeping stay-at-home restrictions in countries like India, a key back-office jurisdiction for many banks, saw staff shut out of their offices almost overnight in March 2020, with some unable to adapt quickly to homeworking, cramping dealers’ ability to pull key data and produce key reports close to quarter-end reporting dates.

Unable to send staff abroad, some firms say they have been forced to reassess the viability of projects that they outsourced overseas, bringing some of these projects onshore. This has placed even higher demand on the local job market, increasing the cost of human labour, at the very time that many expatriate workers are returning home.

“If you get senior project people who were leaving for other jobs or better-paid jobs, that puts pressure on the projects and everyone else. This overall pressure is driving costs up,” says a risk manager at a securities exchange in Asia.

While Covid-19 is still very much at the forefront of everyone’s minds, the geopolitical pressures that persisted before the upheaval of 2020 – most crucially national protectionism – have not gone away. Rising nationalism and deepening trade wars, most notably between the US and China, were again flagged by many respondents to this year’s survey.

Political sea-changes can also spell sudden shifts in the regulatory environment – both in terms of policy frameworks and broader attitudes to supervising financial firms. Although there is now a new commander-in-chief in the White House, many of the policies that former US president Donald Trump instigated remain. While Joe Biden has made it clear that he is keen to rebuild bridges to the rest of the world, rapid unwinding of legislative programmes can create uncertainty in legal and operating environments for financial firms. Climate change is a case in point, with regulators under the Biden administration publicly pledging to make up for lost time when it comes to adopting policies the previous administration repealed, sat on or actively resisted.

The departure of the UK from the European Union, which formally took place at the end of the past year, has also been creating its own uncertainty, with many firms having to decide how much staff on trading infrastructure to retain in the country and how much to shift elsewhere – all of it creating room for operational mis-steps and the risk of upsetting new supervisors. This is true even on issues banks and financial firms had reason to consider settled, like the trading and clearing of euro-denominated derivatives: delays over equivalence decisions have heightened the risk of swaps trading shifting away from the UK, but any sudden decision over this carries with it the risk of getting things wrong.

Financial institutions also expressed worry about regional social unrest in developed markets, with many firms exploring ways of stress-testing the impact on portfolios.

At the beginning of the year, a group of protestors supporting Donald Trump broke into the Capitol building, where the US Congress meets, in a failed attempt to overturn the results of the election. Last year, riots erupted across the US following the killing of an unarmed black man by police officers in Minneapolis. Similar unrest was seen in the UK and parts of Europe.

“I feel that we are seeing increased volatility in previously stable regions. This could, for example, be demonstrated by the recent storming of the US Capitol: an event in a country that I would have always considered to be among one of the most stable in the world. My concerns have also been heightened by the pandemic which seems to have resulted in, and highlighted, rising inequality, a factor that can result in increased volatility,” says a non-financial risk consultant based in London.

In Hong Kong, the emergence of a new social unrest, raised by a contentious extradition law allowing the extradition of suspected criminals to mainland China, has developed into a national security issue, with financial institutions expressing concern about being targeted by protestors.

“We are sort of a natural target to [protestors], so we are in communication with Hong Kong Exchange about how they were dealing with it,” says the general manager of enterprise risk of another exchange. ■

#10 Employee wellbeing
All-encompassing impact of Covid leaves employees with the feeling of ‘living from work’

Stress. Burnout. Running on empty. Call it what you will – the financial industry faced an equally grave mental health crisis in 2020, to go with the humanitarian one playing out all around it.

The industry might have showcased its resilience with its ability to continue functioning with tens of millions of employees working from home, sometimes in makeshift offices, often competing for space and attention with children and loved ones. But for many employees, the early days and weeks of the pandemic – when markets were in freefall, control environments were being redrawn overnight and processes upended – probably felt more like a grim feat of endurance.

“Think about people working in a remote environment getting through more than two times their day job in a fairly seamless way – they did that by working longer hours,” Deutsche Bank’s then-head of non-financial risk, Balbir Bakhshi told Risk.net in the aftermath. “The mental health hotspots to watch, from an inherent risk perspective, are in areas like that.”

It’s not a working life any employer would wish on their staff. Covid anxiety has resulted in an “unravelling” of productivity, focus and morale at times, says the regional chief risk officer of one global lender – all of which can lead to employees making mistakes. The physical and mental wellbeing of his staff has become his top concern for the year ahead, he says.

“This is a risk that we need to take into account: the fact that our staff haven’t been able to go on holiday, our staff haven’t been able to meet their extended family, some of them have been through a loss – whether they’ve lost someone actually from Covid, or someone in their family has lost their job.”

The management challenge for firms stems from the lack of universal remedy for staff, adds the CRO, as everyone could be facing very different, idiosyncratic problems.

“As a company, we are limited as to what we can do to mitigate this risk, which is why I think it’s even a bigger risk than others, because we have limited powers to [manage] this. I can’t go to the government and say, ‘please reopen the borders, because my staff needs to get out there and travel, they need to meet their family’.”

Banks and financial firms have good reason to fear from employees they fail to look after: threats from disgruntled employees, perhaps placed on part-paid leave, threatened with redundancy, or given a gruelling stay of execution in struggling firms all increase the insider risks a company faces, from aiding and abetting cyber attackers to vanilla theft and fraud.

The scale of the risk is likely impossible to quantify – but even before the pandemic, research suggested the biggest cause of business disruption across industries globally is poor health, outstripping other operational risks such as cyber attacks and IT outages.

Mental health-related absence can also be more costly for a company than absence from physical illness or injury. Employees who are absent for sickness such as stress, anxiety and depression are off work for 40% longer on average than those absent due to all types of illness and injury, according to recent UK government statistics.

A senior operational risk manager at one large European bank says supporting employees is one of their top priorities for 2021 – but adds that, with most staff and many managers stuck at home, it “remains a challenge”.

“With the impact of lockdowns, accompanied by seasonal factors, [we’re] likely to see some regression, with negative effects on mental health, fatigue and increased absence. Our HR function is focusing targeted support interventions to address increased pressure and potential burnout whilst being mindful of longer-term impacts on psychological [mental] wellbeing,” they add.

A permanent move to more flexible working practices could help – working from home through choice is a world apart from doing so forcibly – but it will mean placing greater trust in employees, adds the CRO.

“That’s hard. It’s easy to do at the beginning, because you have this strong global movement towards it. But when the pandemic eases a bit, or more importantly, if your profits start to decline, [your firm] will want to get a stronger hold back on your staff members: ‘guys, we’re not meeting the target here, let’s all go back to the office’.”

A decline in mental health among individuals could open up banks to litigation risk as workers look to sue employers for stress-related illness. In 2019, JP Morgan faced a lawsuit from the family of a sales executive who committed suicide after suffering from depression. ■
SPONSORED FEATURE

Heightened operational risks in a changing world

Christoph Kurth, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses the growth of conduct and operational risks in the light of the pandemic, including those caused by mass home-working, the enhanced technological ability to address them, and why we should design a new type of workplace culture or risk losing one altogether

The financial crisis that began in 2007–08 ushered in a wave of regulation that is still being rolled out today. How can regulators best support financial firms this time around as they emerge into a post-pandemic ‘new normal’?

Christoph Kurth: The global financial crisis caught financial institutions unprepared and the regulatory system wanting. The international response saw the creation of the Financial Stability Board and commitments made to reform global financial architecture and to rein in excesses that had contributed to the crisis.

During the Covid-19 pandemic, regulators have responded sympathetically to businesses by pushing back consultations on new rules, with exceptions as required. This pragmatism should continue and previous reforms should be allowed time to bed in. That said, there is an important role for regulators to play in relation to the digitisation of the industry, including digital assets, and the transitioning of the economy to carbon neutral by 2050.

Financial institutions are conscious of their key roles as intermediaries in this transformation, which has been accelerated by Covid-19, yet there is a need for coherent, globally aligned frameworks and accompanying standards to allow them to play their parts effectively. Putting these in place and providing certainty will allow financial institutions to rise to the challenge more effectively, contribute positively to the transformation of the economy and to harness digitalisation for efficiency gains.

What impact has the Senior Managers and Certification Regime (SMCR) had on the approach to conduct and culture in financial organisations? To what extent should we expect to see investigations and enforcement actions arising from pandemic-related stress and turmoil?

Christoph Kurth: It is still too early to assess the impact of individual managerial accountability regimes on conduct and culture. However, anecdotal evidence suggests senior managers are more engaged with compliance and conduct risk; no longer is it left to compliance officers or as the last item on the board’s agenda. With Covid-19, there has been a real concern that a focus on stressed markets and widespread home-working, with its practical challenges of supervising client-facing staff, may translate into increased conduct risk. In fact, a more complex and varied picture has emerged. On the one hand, anecdotally, many businesses have doubled down on facilitating healthy cultures to reduce conduct risk. On the other, many businesses appreciate extended home-working leads to the loss of physical town halls, in-person bilaterals and team meetings as well as ‘water-cooler moments’ – all important in creating and maintaining culture. Businesses must design new ways of building culture or risk losing it. As it was after 2008, as we return to the new normal we can expect to see investigations and enforcement activity rise as misconduct comes to light. However, given the reforms of the past decade, including the SMCR, this time around cases may be more modest. In any event, due to the long lead time for investigations, we will not know the full picture for a while.

Sophisticated analytics and a greater volume of available data have enhanced firms’ ability to detect and monitor operational risks. What threat does this pose to customer/employee rights and data privacy?

Christoph Kurth: Rapid developments in advanced data analytics, artificial intelligence (AI) and data capture have created myriad new opportunities for our clients. We are partnering with a number of them to implement innovative technologies to boost productivity and mitigate op risk, while also managing customer and employee compliance and wellbeing. From an employment perspective, increased reliance on technology – and especially employee monitoring – can expose employers to risks of discrimination and breaches of the implied duty of trust and confidence. From a data privacy perspective, many new technologies, if used to their full potential, may collide with concepts ingrained in the General Data Protection Regulation; regulators have shown they are alert to transgressions in this regard. Similarly, customer-facing technologies must be implemented carefully to mitigate against overreaching data processing that may present real regulatory risks. The sheer volume of data collected means technical and organisational security measures are of fundamental importance. Data breaches can cause considerable reputational and commercial harm, as well as exposure to regulatory action.

Covid-19 has had a profound and lasting effect on the world of work, placing greater reliance on digital channels and technology. What are the pitfalls financial firms face as they scramble to replace ageing IT infrastructure and systems?

Christoph Kurth: The fourth industrial revolution is well under way, but Covid-19 has further accelerated the digitalisation of financial services – some commentators consider parts of the industry to have advanced five years within the space of just one – and, inevitably, opportunities also bring risks. Given the intensity of technology changes being put through at such a fast pace with stretched resources, the usual risks may be elevated, particularly where there are new or emerging technologies. Most financial institutions, other than fintechs, still rely on legacy infrastructures, and replacing them is associated with the highest failure rate in change management. In fact, there is a direct link between lower levels of legacy infrastructure and the success rate when implementing technology change. Moreover, financial institutions that lack legacy infrastructure are less likely to have to install IT changes in an emergency, and those changes tend to be more successful – a virtuous circle. By their nature, emergency changes carried out with speed have an increased margin for error and risk, exacerbating any existing weaknesses.

New technologies such as AI, machine learning and blockchain bring equal measures of opportunity and risk. To what extent does regulation act as a drag on innovation, and how can regulators find the right balance going forward?

Christoph Kurth: Although regulation rarely keeps up with technological advances and changing market practice, this does not necessarily mean it holds back innovation. While it can impede new services and products, it is often a facilitator rather than an obstacle. A good example is payments, which today are synonymous with fintech. If the Revised Payment Services Directive had not required account providers to allow access and share customer data, we would not have seen such tremendous growth in new innovative third-party services. In contrast, the lack of legal and regulatory certainty, alongside political and other concerns, may hold back the development of digital assets – intangible assets supported by blockchain technology.

Clearly, regulation can be overprescriptive, stifling innovation and making compliance costly, but most regulators recognise the benefits of innovation and competition to the market and, besides regulatory sandboxes, seek to provide a technology-neutral framework within which the market may operate. Proof of this is in the approach of the Swiss Financial Market Supervisory Authority of enhancing client onboarding via digital channels and The Kalifa review of UK fintech,1 the very welcome proposal for a new regulatory framework for emerging technology. Regulation should not regulate or hold back technology, but provide certainty on the regulatory treatment of technological innovation.

[Photo caption] The addition of employee wellbeing to the top 10 operational risks for 2021 reflects the heightened risk that has come with the surge of home-working during lockdown

Given the increasing incidence of geopolitical risk facing the financial system, how should regulators and financial firms respond?

Christoph Kurth: Geopolitical risk is a fact of life with cross-border business. We have just come through Brexit, which has cut market access in Europe and where the extent of future equivalence-based access remains uncertain. Political and economic rivalry is increasing between the West and China, and with it possible protectionism. There are no easy answers to managing such uncertainties, but financial institutions must identify their vulnerabilities and assess the likely impact. Regulators will of course expect financial institutions operating in ‘at risk’ markets to be prepared, but supervisors can also help by liaising with counterparts, offering guidance and, where necessary, providing a degree of forbearance and flexibility to allow financial institutions time to adjust and adapt.

Which op risks should financial firms be most concerned about?

Christoph Kurth: IT disruption and data compromise are likely to be near the top of firms’ agendas. The last year has seen accelerating digitalisation during the pandemic. With increased dependency on digital services, even short-lived incidents such as a denial of service can cause significant disruption, reputational fallout and regulatory exposure. Escalating cyber attacks that increase the risk of data compromise are an indirect consequence of greater interconnectedness in the banking and payments sphere, particularly when IT processes are built on a patched legacy infrastructure. Regulators, such as the Monetary Authority of Singapore, warn that, because large-scale remote working is a recent development, the risks may take time to fully emerge.

In recognition of such risks, countries are imposing tougher obligations on businesses over the collection, use, sharing, storage and disclosure of data. Whereas before, data protection regulators might not have brought enforcement action, now they are just as likely to as financial services regulators, and can impose substantial fines based on turnover.

Another issue worth mentioning is the Covid-19-related impact on staff wellbeing. This reflects the heightened risks around home-working during lockdown, on the basis of which many employers have developed special programmes. As we move to the new normal, they should be careful not to overlook this duty.

1 R Kalifa (February 2021), The Kalifa review of UK fintech, Gov.uk policy paper, https://bit.ly/3kGNXGM
