IT risk – including cyber risk and information security risk – is such a big focus within FinTech firms that it can suck all of the oxygen out of the room, leaving discussion of other op risk types struggling to be heard. FinTech firms need to make sure they consider the diversity of op risk types.
It’s easy and obvious to think about the relationship between FinTech firms’ operations and IT risk (and controls) – and that can be a real problem for firms. Firms can become so bedazzled by FinTech that they only think in terms of technology and systems risk. The reality is that FinTech firms are just as vulnerable to other types of operational risk, within the accepted definition, as more traditional financial services operations.
The full definition of “operational risk”, according to the Basel Committee on Banking Supervision, is:
“the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
And that’s important to consider, whether engaging with or working inside a FinTech firm that produces software or operates a financial services platform. All FinTech is just as susceptible to people, process, external and legal risks as the rest of the financial services industry. For example:
- People risk – It is possible to argue that FinTechs are even more exposed to people risks than more traditional financial services firms. For example, many FinTechs have small staff numbers with specialized skill sets concentrated in just one person. This makes the loss of key staff a significant risk, and one that can be challenging to mitigate with controls. The departure of an individual with a vital set of skills can set back development, harm competitiveness, and impact financial performance. Firms should think through how this risk impacts their overall op risk profile, and consider what training might be needed to mitigate this risk.
- Process risk – Many FinTechs are rapidly evolving operations that strive to be agile, but that agility can come at a cost. Investment in the kind of governance, risk and compliance (GRC) frameworks that traditional financial services firms have can lag far behind the development of the business. In addition, resourcing of process-intensive areas such as human resources, support staff, and finance operations can fall behind. These lapses in process robustness can lead to challenges within the organization’s culture – for example, poor controls in the finance department could result in theft or fraud. In human resources, the impact could be in the form of employee lawsuits and reputational damage.
- External risk – For FinTechs, all the focus here could be on cyber risk – and that would be a mistake. FinTechs need people, and buildings, and infrastructure, all of which are at risk from a whole range of external threats. For example, a natural disaster could result in a loss of electrical power, and the back-up generator could fail (something that actually happened to one financial firm). Illness could prevent employees from working – remember the Bird Flu virus that crippled Asia more than a decade ago? Or consider what might happen to a vital third-party or fourth-party supplier, and the impact that could have operationally. FinTechs need to consider a broad range of external events – working with scenario analysis can be particularly fruitful in this area.
- Legal risk – Of course there are legal risks associated with technology operations, such as intellectual property actions. However, technology is just a platform upon which a product or service is delivered. So FinTech companies are just as vulnerable to more traditional lawsuits by investors, customers, competitors, and employees as other types of companies. In fact, in an environment of rapid growth and fast rises in revenues, such firms could be more at risk of speculative lawsuits. In addition, FinTechs need to consider other legal risks too. Many firms now consider legal risk to encompass:
  - Nonconformity of documents with requirements of the law
  - Failure to take into account judicial and law enforcement practice
  - Deficiencies of the legal system
  - Legal errors made when doing business
  - Breach of the terms of existing contracts
  - Breach by counterparties/outsourcers of regulation
FinTech companies are just as exposed to these risks as other types of companies.
FinTechs should engage with the whole of the definition of operational risk – not just with the systems part of it. And because of the rapidly evolving nature of their risk ecosystem, FinTechs may also benefit from implementing tried-and-true operational risk practices such as risk and control self-assessments (RCSAs), key risk indicators (KRIs), scenario analysis, and loss event capture. Such tools can enable FinTechs to better understand the challenges they are facing today, as well as the emerging risks on the horizon.