Looking at the Top 10 Operational Risks for 2020

This blog explores some of the most important operational risks that financial services firms will be facing in 2020, and suggests some steps that operational risk teams can take to mitigate these risks.

The New Year is here, so it’s time to explore what the top operational risks for the next 12 months will be. One thing is for certain – financial services firms can expect the pace of change to accelerate across the board – regulatory, business, operational, etc. This in itself is a kind of meta-risk, and as a result, firms are finding an increasing need to react with more agility to the constant changes in risk within their ecosystem. Key operational risks that look set to evolve quickly over the coming year include:

  • Cyber risk – Unfortunately, the level of threat from cyberattacks will only increase in 2020. Certainly, there are criminals who continue to grow more sophisticated in the methods they use to attack consumers, businesses, and financial institutions themselves. However, and even more disturbingly, hostile activity instigated by antagonistic governments is also on the rise, and the financial services industry is a prime target. In particular, experts predict that attacks on mobile banking apps and websites will rise in 2020. Firms should work with colleagues across the industry to identify risks and mitigate them.
  • Digital transformation risk – Financial institutions are under tremendous pressure to transform themselves into digital enterprises, or risk falling behind their competitors, including FinTech firms. This digital transformation comes with a whole range of risks, however. Strategic risks, IT risks, business risks, compliance risks, product risks, and cultural risks can all morph into significant loss events in such a rapidly evolving environment. Operational risk teams should try to work closely with digital transformation projects to flag potential emerging risks.
  • Data management and privacy risk – Today, data privacy gets a lot of the headlines. This is because of new rules such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as the high-profile data breaches that have taken place over the past few years. However, data privacy is really a data management problem, and in the grander scheme of things, this is what firms are really struggling with. Data is siloed, is not subjected to governance processes, and so is difficult to track across its lifecycle. As a result, poor quality data can undermine AI efforts, cause harm in marketing campaigns, and lead to bad business decisions. EU regulators are even talking about cracking down on poor quality MiFID II and BCBS 239 reporting data. For firms, these data management risks are a significant operational issue that needs to be managed in 2020.
  • Workforce risk – Financial firms need lots of tech whizzes to implement digital transformation, data governance and regulatory change programs. However, hiring and retaining the talent needed in today’s financial services firms is becoming more difficult, in spite of the ability of the industry to provide high salaries. Often, the most talented individuals prefer to work for start-ups, where there is the potential for an equity stake, and a different kind of workplace culture. As well, financial firms are having to adapt their cultures to a Millennial generation, who bristle at their hierarchical structures and traditional working environments. All of these trends create significant workforce risks.
  • Third party risk – The risk of harm from third parties is substantial, which is why regulators continue to put so much focus on it. Third parties are a significant source of cyber risk – and often it’s the contracting financial firm that gets stuck with the reputational damage. Regulators are also worried about concentration risk – for example, most financial institutions rely on a small number of cloud providers. As well, supervisors are looking at whether firms have sufficient joint business continuity plans in place with their third parties. Operational risk teams should make sure third party risk has a risk appetite that aligns with the organization’s overall risk appetite, and that the program sits within either op risk or enterprise risk management.
  • Operational resilience risk – Although the UK’s FCA is out in front on operational resilience, with a new paper expected out before the end of 2019, it is a global regulatory priority. Financial services industry supervisors want to make sure that firms are able to rebound from significant events, so that consumers, businesses and the financial system as a whole are protected from harm. Op risk teams should engage with operational resilience, looking in particular at the impact controls their organization has in place, and at how scenario analysis might be used to better understand resilience challenges.
  • Conduct and culture risks – In the UK, the Senior Managers & Certification Regime (SM&CR) will be in place for all financial services firms in December 2019. The FCA continues to emphasize the importance of conduct and culture, and has stated publicly that it believes that SM&CR is an important supervisory tool for achieving the regulator’s goal of improving accountability and transparency within the industry. Since the introduction of SM&CR in the banking industry in 2016, sanctions and fines against individuals have risen sharply. Op risk teams need to work with colleagues in other GRC roles, and across the business, to enhance culture and accountability. It is also important to put in place strong controls, as well as key risk indicators and key control indicators to help measure changes in culture within the organization.
  • Political risk – With Brexit postponed until 31 January 2020, and more negotiations to come around the trade relationship between the UK and Europe before the end of the New Year, the financial services industry can expect a bumpy ride. Adding to the headwinds are potential impeachment proceedings in the US against President Donald Trump, and the presidential election in November 2020, as well as ongoing political protests in Hong Kong. Political risk looks set to continue to grow.
  • Climate change risk – Firms are facing a broad range of risks here. There is, of course, the impact of climate change on the physical infrastructure of financial services firms. As well, new standards are being adopted – which could well turn into rules – for firms’ financial reporting on climate change. The UK’s Financial Conduct Authority is also looking into how fairly customers are being treated by new climate-change oriented financial products. Firms would do well to pay close attention to this rapidly evolving area, by weaving climate change elements into their operational risk framework.
  • Benchmark reform risk – According to JP Morgan, more than $400 trillion in assets globally will need to be migrated to new risk-free rates, to comply with Benchmark Reform in time for the retirement of Libor in December 2021. This could potentially create significant operations and legal risks. Many technology systems will have to be changed to accommodate the new rates, creating probable IT risk challenges. Op risk teams should identify operational risks within Benchmark Reform projects up front, and monitor ongoing programs closely.

Financial services firms can expect all of these risks to evolve rapidly in the coming year. Firms need to make sure they have the right resources in place to manage these risks, including human expertise and operational risk management software. Attempting to manage such a complex risk ecosystem using spreadsheets and email is no longer sustainable. Firms may also want to consider how they update their operational risk programme, including RCSAs, KRIs, scenarios, and loss event capture practices.

Learn more about how operational risk software could be used to better manage 2020’s risk environment.
