This blog explores some of the most important operational risks that financial services firms will be facing in 2020, and suggests steps that operational risk teams can take to mitigate them.
The New Year is here and so it’s time to explore what the top operational risks for the next 12 months will be. One thing is for certain – financial services firms can expect the pace of change to accelerate across the board – regulatory, business, operational, etc. This in itself is a kind of meta-risk, and as a result, firms are finding an increasing need to react with more agility to the constant changes in risk within their ecosystem. Key operational risks that look set to evolve quickly over the coming year include:
- Cyber risk – Unfortunately, the level of threat from cyberattacks will only increase in 2020. Certainly, there are criminals who continue to grow more sophisticated in the methods they use to attack consumers, businesses, and financial institutions themselves. However, and even more disturbingly, hostile activity instigated by antagonistic governments is also on the rise, and the financial services industry is a prime target. In particular, experts predict that attacks on mobile banking apps and websites will rise in 2020. Firms should work with colleagues across the industry to identify risks and mitigate them.
- Digital transformation risk – Financial institutions are under tremendous pressure to transform themselves into digital enterprises, or risk falling behind their competitors, including FinTech firms. This digital transformation comes with a whole range of risks, however. Strategic risks, IT risks, business risks, compliance risks, product risks, and cultural risks can all morph into significant loss events in such a rapidly evolving environment. Operational risk teams should try to work closely with digital transformation projects to flag potential emerging risks.
- Data management and privacy risk – Today, data privacy gets a lot of the headlines. This is because of new rules such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the high-profile data breaches that have taken place over the past few years. However, data privacy is really a data management problem, and in the grander scheme of things, this is what firms are really struggling with. Data is siloed, is not subjected to governance processes, and so is difficult to track across its lifecycle. As a result, poor quality data can undermine AI efforts, cause harm in marketing campaigns, and lead to bad business decisions. EU regulators are even talking about cracking down on poor quality MiFID II and BCBS 239 reporting data. For firms, these data management risks are a significant operational issue that needs to be managed in 2020.
- Workforce risk – Financial firms need lots of tech whizzes to implement digital transformation, data governance and regulatory change programs. However, hiring and retaining the talent needed in today’s financial services firms is becoming more difficult, in spite of the ability of the industry to provide high salaries. Often, the most talented individuals prefer to work for start-ups, where there is the potential for an equity stake, and a different kind of workplace culture. As well, financial firms are having to adapt their cultures to a Millennial generation, who bristle at their hierarchical structures and traditional working environments. All of these trends create significant workforce risks.
- Third party risk – The risk of harm from third parties is substantial, which is why regulators continue to put so much focus on it. Third parties are a significant source of cyber risk – and often it’s the contracting financial firm that gets stuck with the reputational damage. Regulators are also worried about concentration risk – for example, most financial institutions rely on a small number of cloud providers. As well, supervisors are looking at whether firms have sufficient joint business continuity plans in place with their third parties. Operational risk teams should make sure third party risk has a risk appetite that aligns with the organization’s overall risk appetite, and that the program sits within either op risk or enterprise risk management.
- Operational resilience risk – Although the UK’s FCA is out in front on operational resilience, with a new paper expected out before the end of 2019, it is a global regulatory priority. Financial services industry supervisors want to make sure that firms are able to rebound from significant events, so that consumers, businesses and the financial system as a whole are protected from harm. Op risk teams should engage with operational resilience, looking in particular at the impact controls their organization has in place, and at how scenario analysis might be used to better understand resilience challenges.
- Conduct and culture risks – In the UK, the Senior Managers & Certification Regime (SM&CR) will be in place for all financial services firms in December 2019. The FCA continues to emphasize the importance of conduct and culture, and has stated publicly that it believes that SM&CR is an important supervisory tool for achieving the regulator’s goal of improving accountability and transparency within the industry. Since the introduction of SM&CR in the banking industry in 2016, sanctions and fines against individuals have risen sharply. Op risk teams need to work with colleagues in other GRC roles, and across the business, to enhance culture and accountability. It is also important to put in place strong controls, as well as key risk indicators and key control indicators to help measure changes in culture within the organization.
- Political risk – With Brexit postponed until 31 January 2020, and more negotiations to come around the trade relationship between the UK and Europe before the end of the New Year, the financial services industry can expect a bumpy ride. Adding to the headwinds are potential impeachment proceedings in the US against President Donald Trump, and the presidential election in November 2020, as well as ongoing political protests in Hong Kong. Political risk looks set to continue to grow.
- Climate change risk – Firms are facing a broad range of risks here. There is, of course, the impact of climate change on the physical infrastructure of financial services firms. As well, new standards are being adopted – which could well turn into rules – for firms’ financial reporting on climate change. The UK’s Financial Conduct Authority is also looking into how fairly customers are being treated by new climate-change oriented financial products. Firms would do well to pay close attention to this rapidly evolving area, by weaving climate change elements into their operational risk framework.
- Benchmark reform risk – According to JP Morgan, more than $400 trillion in assets globally will need to be migrated to new risk-free rates, to comply with Benchmark Reform in time for the retirement of Libor in December 2021. This could potentially create significant operational and legal risks. Many technology systems will have to be changed to accommodate the new rates, creating probable IT risk challenges. Op risk teams should identify operational risks within Benchmark Reform projects up front, and monitor ongoing programs closely.
Financial services firms can expect all of these risks to evolve rapidly in the coming year. Firms need to make sure they have the right resources in place to manage these risks, including human expertise and operational risk management software. Attempting to manage such a complex risk ecosystem using spreadsheets and email is no longer sustainable. Firms may also want to consider how they update their operational risk programme, including RCSAs, KRIs, scenarios, and loss event capture practices.