“You can plan a pretty picnic but you can’t predict the weather”, as the song has it.
It’s an often-heard frustration among operational risk managers that trying to anticipate when and how large losses will occur is extremely difficult.
In recent years, the industry has been encouraged to consider esoteric risks that might previously have been assigned a low or near-zero probability as part of routine stress testing, including regulator-set exams – in other words, knowing what your exposures are and thinking about what losses would occur if there were significant changes to your operating environment.
Of course, whether firms choose to act on the outputs these exercises throw up, and update control environments accordingly – like the bank that built a stress scenario for a global pandemic two years before Covid-19 struck, before tearing it up, dismissing it as unrealistic – is another matter.
For nearly a year, the Risk Management Association has tried to help risk managers pool their collective insights into a list of shared concerns across broad categories of risk. As was the case with Covid, however, Russia’s invasion of Ukraine – while not wholly unexpected – has also exposed the inherent limitations of risk forecasting.
For this reason, this edition’s operational risks look a little different from the last one’s, but the changes owe more to global events than to any industry shift per se.
As such, and with the ever-growing prevalence of work-from-home and remote working arrangements, cyber risk is not treated as a standalone operational risk; rather, its impact is now considered so all-pervading that it is treated as a causal factor across multiple categories – principally IT disruption, data compromise, and theft and fraud, but also outsourcing – rather than as a broad category in itself.
The knowledge that more practitioners consider loss of functionality from a cyber attack – whether intended to be disabling or not – to be a (marginally) greater threat than that of data compromise or plain old theft should prove valuable to firms, if not exactly comforting.
Another change is that many practitioners now consider the threat of losses from unauthorised trading by rogue algorithms to outweigh that from rogue humans. The growing risk from errant algorithms, together with tighter conduct risk regulations clarifying risk managers’ responsibility for overseeing them, means the two should now be considered alongside one another.
The resulting taxonomies may look alien to some firms, but the way in which many banks categorise and manage risks is also changing – nowhere more so than in the realm of operational risk.
Below are the top 10 risks for mid-2022:
- IT disruption
- Geopolitical risk
- Theft and fraud
- Talent risk
- Data compromise
- Climate risk
- Resilience risk
- Third-party risk
- Conduct risk
- Regulatory risk