by Elena Pykhova
The three-year priorities published by the European Central Bank1 is a must-read document for risk practitioners. It outlines important areas of focus for the supervisors – and, equally, banks and their risk teams, who should be analysing and leading the organisational thinking by ensuring maximum awareness of the environment, comprehension of its impact and hence enhanced preparedness necessary to withstand the next crisis. In the post-pandemic environment, it is not surprising to see credit risk and market risk high on the regulatory agenda. As it relates to Operational risk, while it is explicitly mentioned only in relation to IT Outsourcing and Cyber resilience, it has in fact multiple touch points and direct correlation with other areas, whether linked to business model, governance or climate and environmental risk.
What are the key aspects that Operational risk professionals should focus on while agreeing 2022 priorities?
A survey conducted by the Best Practice Operational Risk Forum, comprised of risk professionals from over fifty international financial services firms, considered the most prominent Operational risks on the radar. These include:
Cyber-crime: complex threat landscape, highly coordinated, multi-step attacks. The risk continues to top the chart in terms of impact and likelihood. Operational risk loss data consortium, ORX, notes 2 out of the top 5 Operational risk losses last year were cyber-related2 (specifically, crypto-related). This is a clear area of focus for both firms as well as supervisors.
Supply chain / third-party risk: failures in the supply chain impacting service delivery; and concentration risk, especially as it relates to cloud service providers. Third-party risk keeps increasing as organisations continue outsourcing more services to the cloud. According to Forbes3, having (or not having) a clear inventory of suppliers could be the difference between success and failure in 2022.
Data breaches: acts of non-compliance with GDPR, given the amount of data continuing to grow. This risk is also linked to and dependent on the legacy technologies. As noted in Forbes report, the frequency of data breaches is increasing and the types are expanding.
Legacy IT systems and infrastructure: system downtime, failures of legacy technology coupled with underinvestment in technology may lead to potential customer and market detriment.
Climate action failure was also identified, related to potential inability to adjust the organisational product set and embed requirements beyond the regulatory minimum; as well as business model change triggered by climate change programs. The risk was perceived as pertinent, however not yet perceived to have the same high impact as cyber or supply chain risks.
Finally, emerging Operational risks considered by the Best Practice Forum were primarily people-related. Staff capacity, capability and wellbeing refer to issues such as the Great Resignation, difficulties in obtaining talent, tax regime not adequate to support global home working and all the unknowns related to the longer-term impact of hybrid working arrangements. It also includes burnout and depression, increased stress levels of both leaders and staff, intensifying during the last two years. Operational risk professionals have a crucial role to play in escalating People risk up the organisational agenda, to ensure it is recognised as a major risk in its own right, evaluated and mitigated, with firm and thoughtful actions.