Operational Risk

Operational Risk

By Alice Kelly, Head of Research and Production, CeFPro

Operational risk as a remit continues to expand and develop beyond the traditional scope, with the inclusion of technology, vendor & third party risk, fraud and cyber risks. It is more important than ever to ensure industry professionals are keeping up with the threat landscape and developing skills to manage operational risk and the broadened remit it now encompasses.

The Center for Financial Professionals conducted extensive research ahead of the highly anticipated 8thAnnual Risk Americas Convention, drawing upon industry expertise with the Blue Ribbon Advisory Board, and conducting one on one interviews with 60+ industry experts to gain an understanding of what lies ahead.
The research was divided into 4 main subject groups; Market trends, innovation in risk management, model risk management and operational risk.
These main headings form the streams at the Risk Americas convention, and will form the headings for this 4-part series reviewing the results of the research.

Part 2 of 4 draws attention to operational and enterprise risk management and the key trends across the industry.

One of the key areas continually evolving as a subset of operational risk is that of vendor and third party risk. As the threat landscape continues to develop, it remains critical that institutions develop practices and ensure effective controls to understand and manage their vendor and third party risks. As with any area across the industry, technology advances have changed the way institutions manage their risks, both from an automation and efficiency standpoint, but also opening up new vulnerabilities. Institutions face the added pressure of understanding technology advances both internally and externally across their vendors and third parties to ensure effective controls and oversight, whilst ensuring up to date technology offerings for customers. The industry continues to grapple with concentration risk both in uses of third parties, but increasingly across the supply chain, with many third parties increasing concentration by outsourcing to the same companies. It is more important than ever that institutions understand their supply chain and where their third parties are outsourcing services to ensure security and robust oversight. Many are drawing experience from other industries, with areas such as retail and leveraging oversight technology used to manage supply chain to track and source all products. Vendor and third party risk continues to increase in complexity and regulators increase pressure to ensure effective oversight, it is critical that the risks are managed with dedicated experts.

Secondly, following the theme of operational risk subtypes s that of fraud which is increasingly seen under the operational risk umbrella, and again very specialized in requirements for expertise. Fraud and financial crimes continue to rise and new technology increases the opportunities for fraudsters with new vulnerabilities opening up across the industry and continual testing of security needed. It is more important than ever that the operational risk subtypes collaborate to ensure security across the institution and protect from fraudulent activity both online, through new technology, email fraud, insider fraud and much more. As the industry continues to progress, institutions must balance competitiveness with security and ensure that all new products are protecting the customer not exposing them. There is an increase in customer protection as identification and authentication techniques develop, allowing institutions to draw correlations in activity and increase KYC knowledge to better understand customer behaviour to identify anomalies. Many institutions are developing best practices to further protect customers, as are fraudsters, it remains critical that institutions become more nimble to keep ahead of fraudsters.

Finally, in amongst a range of topics focused on technology and innovation, the more traditional area of RCSAs was highlighted by many during the research, with all asking why they so often do not work? RCSAs have become a complex process with limited output, businesses must look to simplify the process to maximize the benefits and uses. RCSAs have value beyond just compliance and as a tick box exercise, many are exploring the possibilities and uses of them to ensure maximum value and integrating better within businesses as a tool. RCSAs need to be simplified for increased usage to provide tangible and actionable management information to the board, and reporting top KRIs and KPIs and residual risk to take action. Taking the process back to basics and developing a control environment around RCSA can further enhance the benefit beyond just a tick box exercise and used as a management tool for effective decision making and enhancing controls.

Overall, operational risk looks more complex than ever, with many different subtypes emerging, increasing requirements for effective management and expertise of very niche areas requiring highly skilled experts. Technology remains a running theme throughout operational risk and risk management more broadly, with many unsure as to what the future looks like and what opportunities or threats technology could be offering.

CeFPro have collated all of the above and many more topics to be addressed at the 8th Annual Risk Americas Convention, featuring expert panels, insightful presentations and interactive Q&As from industry practitioners, regulators, solution providers and academics. Join us in New York City on May 14-15 – visit www.risk-americas.com for full information.