Operational risk continues to evolve and build increased focus and scrutiny both internally and from a regulatory perspective. As a uniquely unquantifiable practice, operational risk breaks the mould with increased uncertainty as many institutions and managers grapple with managing and mitigating the risk. The world of operational risk continues to evolve and new challenges are posed as the industry moves forward to compete for innovative practices. Regulators are keeping operational risk at the forefront of focus with levels and expectations of requirements. Many institutions are looking to develop practices to translate a more quantitative approach for managing the risk and producing a numerical value stakeholders can understand and action, with limited direct losses operational risk demands increased management buy in and focus.
The Center for Financial Professionals conducted a series of extensive interviews with some of the leading operational risk practitioners from a range of financial institutions with the aim to determine the unique challenges they face in the management of operational risk. The results of these interviews can be found at the upcoming Operational & Enterprise Risk Management Congress, October 19-20 in NYC. Industry practitioners join over two days to interact, discuss and debate the evolving trends in the industry and compare best practice approaches to manage the risk.
One of the first areas apparent across the board is the broadening remit of operational risk, with different institutions adopting different approaches as to the scope of the practice and where certain areas are managed. One thing that was for sure is the traditional definition of operational risk has now expanded exponentially to incorporate a range of risk types that fall under the broader operational risk umbrella. Traditionally, operational risk encompassed ‘risk of loss resulting from people, processes and systems’; a very vague definition open to interpretation and uncertainty in institutions. Operational risk has now expanded, with the main headline topics typically relating to technology and the increased competitive landscape in a technological world where all institutions are looking to further innovate practices and user experience. This increased remit and broadening in the scope of operational risk has implications for aggregation and reporting. With uncertainty as to what constitutes an operational and should therefore be managed by that team remains a concern across the industry making aggregation of results and activities difficult, with some areas not lending themselves to the traditional operational risk definition. Legacy systems as with all areas of risk management hinder progress and abilities to aggregate results and activities of operational risk teams. Alongside the expanded remit, comes other areas expending to the size that they are considered separate entities. Areas such as cyber and vendor risk have been escalated to the level where individual workstreams are created within the organization, pushing these areas to levels equal to the umbrella of operational risk.
Along this line of thought comes the forever present cyber security concerns and risks to institutions that this poses on sensitive information. Cyber risk continues to escalate to new heights as the industry evolves and continues the pursuit of implementing innovative technologies to compete in the market and provide advanced end user capabilities. With the technological landscape making dramatic leaps, and the industry grappling with how to maintain the level of change, cyber risk becomes an ever present threat as systems and infrastructure are updated to accommodate the change. Historically cyber security has been little understood and widely underestimated, with many not making the necessary investment until it is too late and a significant loss is visible. This is often the case with many initiatives, especially for larger institutions who struggle with gaining management buy in. Often the changes to larger institutions are far more complex and resource intensive, and as a result are often pushed to the side. With cyber now firmly at the front and center of discussion and focus, many are adapting to attempt to keep up with the changing times. Financial institutions are becoming less customer facing, with many users opting to use online technologies and applications, institutions have a further challenge with not just protecting customers information, but educating customers to protect themselves. Malware and phishing scams are part of daily life for many, but oftentimes some slip through the cracks opening the customer up to a breach. Financial institutions are looking to educate customers on these campaigns and how to protect themselves. The industry face the challenge of having to intensify efforts to always stay one step ahead to protect themselves and their customers as fraudsters continue their campaign to infiltrate systems. As is the case outlined above, cyber as with operational risk as a whole is difficult, if not impossible to quantify into a net number, the impacts can be far reaching and often indirect. With increased media attention given to cyber security, and in particular cyber breaches of institutions, the challenge remains to determine how far the impact reaches both through direct losses and indirectly impacting future business. The sheer size and scope of the topic has escalated cyber risk to become almost considered a risk type outside of operational risk, and many institutions now treat it as such.
Closely related and a result of a cyber-attack lies the increased risk of fraud, both internally and externally. Institutions are using technology as a preventative measure against the risk of fraud, as fraudsters techniques and resources become more sophisticated, so must the industry in their engineering and prevention techniques. Education plays a part in this process, both in terms of educating the customer, but also KYC techniques deployed to staff to identify behaviours. Staff are used as a second line of defense to technology, with algorithms and machine learning practices detecting user patterns, anything out of the traditional pattern should be detected, if this is not the case, human interaction comes in to identify unusual activity. Many institutions face a difficult time managing fraud and customer satisfaction, with some transactions being deemed out of usual behaviour and transactions being blocked, can often lead to customer dissatisfaction. Institutions must find a balance between security and satisfaction, and in turn customers must view blocked transactions as a security measure and vigilance of their provider in ensuring their security. With increases in technological products, comes increases in technological security and protection, with many user devices providing the capabilities to introduce biometrics and secondary authentication, traditional passwords and security questions now run alongside practices such as finger prints, retina scanning or voice recognition. The management, detection and prevention of fraud activities is a cross functional operation with interaction from key functions including cyber, fraud and AML. Institutions must implement a level of uniformity and communication to establish a clear cross functional risk management program and convergence of intelligence and analytics from key players. With increased alignment of these teams should come increase response time incidents, the management of customer expectations needs is vital to limiting the reputational fallout, with increased identification practices allows for better incident response.
Operational risk professionals face a challenging and uncertain road to manage the risks and balance customer experience with security. Financial institutions are continually at risk and must maintain a level of security to stay ahead of the increasing vigilance of attackers. Alongside the direct net losses can come extensive reputational losses, stretching over time. As institutions establish departments and risk response teams, the organizational structure must determine where these areas fall and whether they are considered within the remit of operational risk, and cross functional collaboration for areas that are intertwined.
If you are an operational risk professional and the challenges and areas highlighted above resonate, we invite you to join us at the upcoming 3rd Annual Operational & Enterprise Risk Management Congress taking place in NYC on October 19-20. We bring together over 200 operational and enterprise risk professionals to discuss the two work streams individually and collectively and how collaboration and clear communication can increase efficiency.
For more information on the agenda, speaker line up and who you can expect to network, discuss, debate and share ideas with please visit the Operational & Enterprise Risk Management Congress website