Operational uncertainty – An unavoidable challenge

By KPMG | Advertisement | 19 March 2020

The transition from Libor to a new risk-free rate (RFR) has revealed a number of challenges for all financial markets participants – the nature and scope of what lies ahead is vast, impacting businesses, operations and support functions. KPMG’s global Libor solution lead, Chris Dias, explores why firms will need to consider the impact of the transition on a number of overlapping dimensions, including strategy, risk, operations, finance, compliance, legal and clients

Chris Dias, KPMG

While the efforts to prepare for the transition away from Libor will be significant, operational readiness may be most demanding of all. The number of operational factors that must be considered grows quickly when links to clients, products, systems and legal departments are entered into the mix. Structural differences between Libor and its proposed replacements make operational uncertainty unavoidable. These challenges are further exacerbated by looming unknowns in market conventions, market structure and legal certainty – not to mention the rapidly approaching Libor end-date.

The new RFRs are simply different 

Libor is a somewhat homogenous rate. It comprises five currencies and seven tenors, all of which are published simultaneously every day by a single administrator with oversight from a single regulator. Going forward, there will be five new standalone RFRs to replace Libor. Each of these rates will be published daily, though at different times, by five different administrators, with oversight from five different regulators. This nominal difference will cause firms with cross-border exposure or global footprint to, as a minimum, rethink their valuation and risk measurement processes.

Libor is an unsecured rate with a credit risk adjustment built into the published rate – it is, for the most part, a rate estimated by only a handful of banks. Panel banks submit daily benchmark rates for several tenors from overnight to one year. Institutions have become accustomed to the term structure as well as the credit and term premia, hardwiring this ubiquitous rate into systems, operations and processes. This makes the task of replacing Libor very challenging.

The new rates are characterised as risk-free, with some jurisdictions, such as the US and Switzerland, opting to base the new rates on secured daily transactions, while the UK, Japan and the eurozone have elected to base the new rate on unsecured daily transactions. In addition, the new rates have started life as a daily overnight rate only, with no term structure or additional credit premium. While term structures are expected to evolve for some new RFRs, the timing is uncertain. A static credit adjustment is expected for legacy transactions, but not for new deals. This presents a unique challenge for all institutions – firms will need to deal operationally with replacing a well-entrenched rate with a term structure and a credit component with an overnight rate that currently has neither.

The front-book/back-book dilemma

Perhaps the greatest operational problem ahead will be to deal with legacy transactions, while managing new transactions using the new rates. Operational requirements for legacy or back-book trades will require firms to potentially maintain existing infrastructure for a period of time, and to have capabilities to migrate existing transactions to a rate different from Libor. This will require multiple instances of pricing, valuation, accounting and risk systems to coexist until the deals mature, expire or are converted to a market-acceptable rate. The operational problem of switching legacy trades will be further magnified as early adopters of the new RFRs feel empowered to negotiate market conventions yet to be formalised, creating myriad potential outcomes.

New transactions based on the new RFRs will require unique processes. Booking, accounting and risk systems will need to be updated. New processes will need to also coexist with legacy processes for some time, presenting resource challenges and introducing very real operational risk concerns. 

Fallbacks will certainly dictate outcomes

The financial services industry – through working groups, industry bodies, individual institutions and regulators – is working intensely to develop a robust fallback language to ensure guardrails exist for transitioning Libor to a new rate. The new language is a good step forward, but the challenge will be to operationalise it.

The first problem will be assessing whether the fallback language is hardwired or relies on an amendment approach. The hardwired approach is predicated on a fallback waterfall – for example, the language could state that parties to the contract fall back to the forward-looking term secured overnight financing rate (SOFR) plus a spread adjustment. If that does not exist, then they fall back to compounded SOFR in arrears plus a spread adjustment and, in some cases, a ‘viable alternative’ to be determined by the lender or agent could be used. From an operational perspective, systems will need to be capable of handling any of the outcomes. In contrast, the amendment approach relies very much on a negotiation between parties to determine the appropriate fallback, which can present a Herculean challenge in terms of anticipating what the negotiation will decide upon. Given that parties to a negotiation will angle for the best outcome possible, operational readiness becomes decidedly more complex. Although the hardwired approach still exudes uncertainty, it is a far better ‘operational readiness’ outcome than the amendment approach. The amendment approach simply ‘kicks the can down the road’ to a time when orchestrating negotiations and translating those negotiations in operations will be taxing on resources and systems. 

Don’t put all your faith in timely vendor solutions

Many firms have invested in vendor solutions for financial products and will expect the vendor to provide the fixes required for transition – which may or may not be the case. Vendors will have similar challenges to market participants – they will need to understand the many market conventions around pricing, accrual and settlement, and will have to accept that most RFRs are still evolving. Their reluctance to commit resources to any single solution in an environment that is still fluid is understandable, yet exasperating. However, firms investing in vendor solutions will have to address issues related to version compatibility, system upgrades and testing – all of which could prove costly and time-consuming. Vendors must, therefore, prioritise fixes, upgrades and solution patches to avoid leaving some firms without the required system enhancements until after the market has transitioned. The success of the Libor transition will be highly dependent on firms’ readiness to book new RFR deals.

Dealing with operational uncertainty 

The birth of a new rate requires the determination of a number of market conventions and the evolution of market structure – to date, uncertainty exists around both. SOFR pricing has yet to lock in a market-wide convention on either pricing or settlement. Questions yet to be answered include: 

Operational uncertainty is forcing firms to make choices from the many alternatives. Given that time is quickly winding down and no clear direction has yet emerged, it may make sense to plan for all reasonable approaches. 

What to do next?

The easy route is to do nothing and hope for the best, but this could be costly in terms of revenue, opportunity, relationships or any number of other problems. There is no easy solution. Understanding the impact to an operational change of this magnitude is the first step, starting with a determination of the products and systems that will be impacted. Then, developing plans or a playbook to transition considering different scenarios or outcomes and, finally, prioritising high-probability, high-impact systems and processes. Firms should engage with working groups, industry bodies, clients and vendors to better inform work effort, operational choices and, ultimately, mitigate risk. With the end of Libor rapidly approaching, hopes for extensions and reprieves should not be a first choice. In the words of Game Of Thrones’ Jon Snow: “Winter is coming.”

The author

Chris Dias is a principal in KPMG’s Modelling & Valuation group, serving financial services companies as a risk practitioner and strategic adviser. He is an accomplished professional with over 30 years of international experience in financial markets and serves as the global Libor solution co-lead at KPMG.  

The KPMG name and logo are registered trademarks or trademarks of KPMG International. This article represents the views of the author and does not necessarily represent the views or professional advice of KPMG LLP.

Coronavirus is testing op risk managers to the limit

By Ariane Chapelle | Opinion | 23 March 2020

No amount of stress testing can prepare firms for the risks they’re facing, says Ariane Chapelle

Years from now – and for decades to come – the world will remember ‘the great pandemic of 2020’. The coronavirus’s effects on financial markets and companies are already acute: widespread disruption to business practices and everyday life has caused major indexes to shed up to one-third of their value, and forced governments to enact crisis measures to cope.

From a risk assessment perspective, reaction to this pandemic converges into a strange combination of under- and overestimation. Pandemic risks are sometimes called ‘grey rhinos’: probable, high-impact trends that are clearly observable, but often ignored until it’s too late. Before the current outbreak started, most would class pandemic risk as important, but not urgent.

China’s recent experience of Sars, which killed hundreds during the 2003 outbreak, may have informed its aggressive response to the Covid-19 epidemic, but Europe and the US had long forgotten the Spanish flu of over a century ago. Governments and many organisations were caught by surprise.

On an individual level, though, the virus has created an overestimation of risk, with many countries reporting panic-buying of household essentials, and images of shortages and queues that only reinforce the risk it is supposed to avoid. This self-fulfilling prophecy is caused by extreme herd behaviour and generalised panic, similar to a run on a bank or a market crash.

The virus is testing operational risk managers at banks and other financial firms in manifold ways. Many point out the heightened risk of fraud, and cyber fraud in general. Security engineers report elevated levels of attacks of every form, the most observable one being phishing attempts that play on people’s fears or need for information.

Perhaps more dangerous are attacks on networks and information flows. Firms are typically able to sustain around 10% of staff working from home. Moving suddenly to a multiple of this increases the attack surface in the same proportion, raising both the likelihood and impact of successful cyber events. On the positive side, the crisis has highlighted points of weakness in firms’ IT systems and security levels, leading to a list of remediation plans to be implemented once the storm has passed, hopefully without too much damage in the meantime.

Not even in the most extreme scenarios have organisations anticipated a situation of near total remote working. National banks and local or national insurance companies have up to 90% of their staff working from home. Regular cleaning and sanitising procedures are in place in all sectors for staff on site. Tier-one banks are focusing on the continuity of essential operations, such as payments and trading, and will delay, if need be, non-essential ones to prioritise resources. Some local subsidiaries of international banks have decided to shutter all but non-essential operations for two weeks.

Split staff across locations, such as duplicated trading floors installed on disaster recovery sites, or staff on site on a seven-day rotating basis, had already been in place at some top banks for weeks. For larger, international banks, technical aspects such as VPN capacity can be an issue during times of heavy use.

Another, more external issue is whether the internet can support such a spike in use, especially in highly dense areas of population. The mobile and landline phone network is a critical dependency: any failure of this network would have a severe impact on the ability of firms to carry out essential functions.

Risks of internal fraud, unauthorised activities, and simply operational errors, mistakes and omissions are expected to increase, too, as a direct consequence of the reduced monitoring capabilities caused by distance working.

Particularly for industries and organisations that are not fully digitalised, there is an accelerated transition to teleworking. The city of Quebec in Canada is the centre for insurance companies in the province. Quebec province and parts of North America experienced the Great Ice Storm of 1998, when exceptional ice falls cut off electric power for 3 million of the 7 million inhabitants. Since then, firms have developed continuity plans, including operating with 70% of staff. However, 100% of remote staff was not part of the plan, especially for an insurance industry that has large call centres and paper-based claims and cheques. Companies are devolving these call centres to people’s living rooms. The transformation effort is gigantic, but “we are getting on”, says a chief risk officer at one large company.

The operational pressures on the financial sector are equally present for their suppliers, and third-party failures constitute another possible knock-on effect. A third-party provider assisting travel insurance in Canada usually handles 3,000 calls a day. On Monday, 16 March, it received 300,000. Its insurance company clients are teaming up to create multiple, additional temporary call centres to help handle the ocean of requests. Supply chains are stretched to the extreme in other sectors, but this is an issue for banks and insurance companies, too.

Regulators and public authorities will have to adjust to the new reality. Compliance breaches and capital breaches will be put to the test. Canadian regulators are keeping a close eye on the financial sector, while realising the need to be flexible in their demands.

Several institutions are already planning for the return to normal. They say it will be complex and slow, and that in itself will generate another wave of operational risks, loss of productivity and mistakes. But thinking of the after-crisis is a proactive behaviour that each op risk manager should have.

Resilience is the capacity to recover quickly from difficulties. We can overcome the crisis, adapt and adjust. This formidable shock is also the opportunity to rethink what we want and who we want to be.

People reveal themselves in crises. Let’s think of how we want to be remembered in this one.

Editing by Alex Krohn

Op risk data: BNP faces €150m bill from mortgage loan sales

By ORX News | Opinion | 10 March 2020

Also: Maybank, ING and MUFG hit by $300m commodities trading fraud. Data from ORX News

February’s largest operational risk loss saw a Paris court order BNP Paribas to pay up to €152.2 million ($165.3 million) for concealing the financial risks of real estate loans offered between March 2008 and December 2009.

The loans were denominated in Swiss francs but repayable in euros, and the contracts were criticised by magistrates as “particularly unintelligible”. Borrowers struggled to understand the inherent exchange rate risk baked into the contracts, and many saw repayments on the note soar from 2011 when the euro weakened against the Swiss franc. Many borrowers still owe the bank more than they were loaned despite making repayments for over 10 years.

BNP Paribas made 4,655 of these loans worth €800 million, and 2,300 borrowers have filed complaints, all of whom BNP Paribas must compensate at an estimated cost of €150 million. Additionally, the bank must pay €2 million to two consumer associations and the maximum possible fine of €187,500.

In second, third and fourth place, Maybank, ING and MUFG were reportedly defrauded of $118 million, $100 million and $77.3 million respectively by a Singapore-based commodities trading firm, Agritrade International. Court documents accuse the trading firm of using the same collateral to obtain financing from multiple banks. Commerzbank and Natixis were also involved, but the extent of their exposure has not been reported.

Agritrade misrepresented its financial position and issued multiple bills of lading for a single shipment, documents allege. Commerzbank said it believed shipments of coal it had financed did not exist. A group of 15 lenders hold approximately $600 million of Agritrade’s $1.5 billion of liabilities.

The fifth largest publicly reported loss is £33.1 million ($43.2 million) in customer redress and fines paid by car finance company Moneybarn, a subsidiary of UK-based Provident Financial, for ill-treating customers who fell behind with loan repayments between April 2014 and October 2017. Moneybarn did not adequately communicate to customers the financial consequences of failing to keep up with payments, the UK regulator said. More than 1,400 customers defaulted after entering into short-term repayment plans.

Next, Norway’s DNB Bank was ordered to pay 353 million Norwegian krone ($37.6 million) by the Norwegian Supreme Court to settle a class action claim that the bank overcharged for management fees on three funds between January 2010 and December 2014. DNB customers and the Norwegian Consumer Council filed a joint class action claim in 2015, alleging that DNB had charged investors for actively managing funds when it was only tracking a stock market index.

Finally, Sberbank Abkhazia has lost 729.4 million roubles ($11.4 million) in funds embezzled from correspondent accounts. The bank, based in the autonomous Georgian state of Abkhazia, found in an internal review that the funds had been withdrawn from correspondent accounts held abroad in 2017. The funds were reportedly withdrawn over the counter in cash and through wire transfers, both within Abkhazia and abroad.

Spotlight: coronavirus forces DBS evacuation

DBS Bank evacuated 300 employees from its Marina Bay Financial Centre office in Singapore on February 12, after one employee was confirmed to be infected with coronavirus.

The employee was tested on February 11 and the bank was informed the next morning. Staff were immediately instructed to leave the office and work from home. DBS said it was attempting to trace all staff who may have come into contact with the infected employee.

The bank also announced a range of measures at all its office locations in Singapore, such as temperature screening for staff and a requirement that visitors sign health and travel history declaration forms prior to entering its premises.

The move preceded similar action by banks elsewhere, either as preventative measures or in response to infection. HSBC staff in London were sent home on March 5 following news that a staff member had tested positive for the virus, according to media reports.

In focus: the cost of mistreating employees

The year may only be two months old, but it’s already been a costly one for financial firms guilty of mistreating their staff – intentionally or otherwise. As of February 24, firms had made payouts to staff totalling $118.4 million – 74% of last year’s $159.5 million – in relation to operational risk events tagged with the scenario “unfair treatment of staff”.

Wells Fargo accounts for a large chunk of that total: the beleaguered bank agreed to pay $79 million in January to settle with a group of former employees who complained they were wrongly forced to forfeit deferred salary payments when they stopped working at the bank. The bank misclassified the retirement benefits plan as an exempt “top hat” plan, which would have enabled the firm to pay out the money on a discretionary basis, the lawsuit said. The total withheld pay was around $265 million.

In line with the Basel Committee on Banking Supervision’s taxonomy, ORX News considers legal risk, including non-compliance with statutory responsibilities, as a component of operational risk.

Other cases in which banks have compensated employees are wide-ranging. In January, it was reported that Jackson National Life, a subsidiary of UK life insurer Prudential, had agreed to pay $20.5 million to 21 former employees to settle charges that it discriminated against female and African American employees and retaliated against employees who opposed this discrimination.

Another case explores the extent of an employer’s responsibility for protecting an employee from harassment in the US. Pennsylvania-based PNC Bank paid $2.4 million to a former wealth manager after she was sexually assaulted by a customer who the bank knew had a history of sexually harassing its staff.

Since 2010, 50% of losses by severity ($2.54 billion) and 70% of losses by frequency (175 events) resulting from the unfair treatment of staff have occurred in the US. Class action lawsuits are common in the US and can result in high payouts by firms due to the potentially large number of claimants. Other jurisdictions have less experience of applying group litigation to employee benefit questions.

The one event so far this year outside the US took place in France. In January it was reported that a Paris labour tribunal had ordered Morocco-based Banque Centrale Populaire to pay €4.3 million to 18 former employees. BCP had not paid the employees’ pension contributions after they were transferred to France in the 1970s, 80s and 90s.

Editing by Alex Krohn

All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.

While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.

SOFR drought, CB accounts for CCPs, and the Top 10 Op Risks

By Alexander Campbell | Opinion | 7 March 2020

The week on Risk.net, February 29–March 6, 2020

Fed funds swaptions offer SOFR alternative

Investors dry-run systems using familiar overnight rate, as markets wait for SOFR liquidity to build

ECB mulls wider clearing house access to account facilities

Including CCPs in the Eurosystem may remove the need for them to seek a banking licence

Top 10 operational risks for 2020

The biggest op risks for 2020, as chosen by industry practitioners

COMMENTARY: Into the unknown

Factor-based investors were caught on the hop last week by the market crashes caused by the spread of the coronavirus – and they weren’t the only ones. When Risk.net carried out the survey work for its Top 10 operational risks for 2020 in mid-January, very few operational risk managers even mentioned coronavirus – only a handful, based in the Asia-Pacific region, saw it as a significant op risk for the year ahead.

It’s safe to say that this has now changed. The outbreak has now spread to almost every country in Europe, east Asia and North America, with major new outbreaks in Italy and Iran, and more than 95,000 cases confirmed and 3,286 deaths. Travel restrictions and quarantines are in place around the world, and economic forecasts have been slashed in the face of simultaneous supply and demand shocks.

In this year’s survey, coronavirus falls under the heading of geopolitical risk, although, like Brexit last year, its effects will be felt across a wide range of operational risk areas. And, like Brexit, the core of the problem is uncertainty. It’s not clear yet how far the epidemic will spread; nor is it clear how serious will be the (economically costly) precautions that governments put in place against it.

And all this is played out against a background of political mistrust. Mixed messages from the UK government have dogged the Brexit process. Insistence that a no-deal exit is all but impossible is followed by briefings that it is highly likely; promises that exit will not be delayed are followed by the announcement of further delays.

Doubt, too, shrouds the full extent of the coronavirus outbreak; not only over the true number of cases, including the uncountable many cases that are too mild to reach medical attention, but also over whether these numbers are being reported accurately. Neither the Iranian nor Chinese governments have – or deserve – reputations for transparency, especially when it comes to information that puts them in a bad light, and the international bodies that uncritically accept their announcements damage their own reputations rather than improving those of the governments. The nascent field of alt data is getting its first serious test as investors seek a second opinion on the true state of affairs.

It’s reminiscent of doubt over the true solvency of various major banks during the 2008 financial crisis – doubt that was built on the foundations of worrying news earlier in the year surrounding the misdeeds of rating agencies. This is not a comforting analogy; and it isn’t meant to be. If increased transparency and better reporting of vulnerabilities was difficult for the financial sector, it will be nigh impossible for authoritarian governments. But in an age when crises, financial and otherwise, do not even pause at national boundaries, governments can at least hope to restrict the spread of fear and doubt: building an infrastructure of honesty is the only way to achieve this.

STAT OF THE WEEK

Weekly notional volumes in vanilla EUR/USD and USD/JPY options totalled $119.6 billion and $105.6 billion, respectively, for the week ending February 28, according to data from the Depository Trust & Clearing Corporation’s trade repository. The EUR/USD trading was the highest weekly total since June 2018, while the USD/JPY options markets saw its highest weekly notional traded since at least the start of 2018 – surpassing the previous week’s surge in activity.

QUOTE OF THE WEEK

“Today, risk managers get the data and the analysis and, based on the mandate given by the board, go into the market and hedge the position. The question is: why don’t we do it automatically?” – an airline treasury director discusses the attractions of AI-driven “hands-free” hedging

Top 10 operational risks for 2020

By Risk.net staff | Feature | 4 March 2020

The biggest op risks for 2020, as chosen by industry practitioners

Welcome to Risk.net’s annual ranking of the top op risks for 2020, based on a survey of operational risk practitioners across the globe and in-depth interviews with respondents.

As in years past, there’s no great secret to the methodology: Risk.net’s team gets in touch with 100 chief risk officers, heads of operational risk and senior practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers, and asks them to list their five most pressing op risk concerns for the year ahead. The results are then weighted and aggregated, and are presented in brief below and analysed in depth in 10 accompanying articles.

As before, the survey focuses on broad categories of risk concern, rather than specific potential loss events. The survey is inherently qualitative and subjective; the weighted list of concerns it produces should be read as an industrywide attempt to relay and share worries anonymously, not as a how-to guide.

For a note on the impact of the coronavirus, navigate to the final chapter, geopolitical risk.

As ever, Risk.net invites feedback on the guide and its contents – please send all views to tom.osborn [at] risk.net. Thank you for reading.

Profiles by Costas Mourselas, Steve Marlin, James Ryder, Alexander Campbell and Aileen Chuang. Editing by Alex Krohn, Joan O’Neill and Tom Osborn.

#1: IT disruption

When customers are suddenly unable to access their money because of a paralysing cyber attack or a critical IT systems failure, the consequences for a bank’s profitability and reputation are clear.

Respondents to this year’s Risk.net survey of top op risks report a two-pronged risk to systems and IT operations. First, the threat from hostile hacking groups and even nation states laying siege to a bank’s defences: breach attempts only have to be successful once to sow widespread chaos. Second, banks must upgrade or patch ageing IT systems to stay competitive, and, in doing so, they can expose themselves to cyber attacks or good old-fashioned outages.

“Whenever I talk to my cyber guys, they say the threats are evolving, becoming more clear about where they target,” says the group head of operational risk at a European bank.

In the face of increasingly sophisticated cyber attacks, the US Federal Reserve is mulling whether to compel financial firms to submit data on cyber incidents. Banks have traditionally been nervous about sharing information about cyber threats, and sources worry that information could leak out, painting a bullseye on other firms.

Another target could be systemically important financial market infrastructure providers (FMIs) such as clearing houses and settlement providers, on which the functioning of many markets depends. The chief risk officer of one of the largest FMIs tells Risk.net he spends most of his time worrying about non-default risks, and that he’s “particularly worried” about risks stemming from cyber attacks.

In this year’s survey, IT failure has been considered alongside IT disruption, where last year the categories were considered separately. Although the drivers and risk management of the issues are very different, the consequences – the loss of critical services leading to parts or all of an organisation being unable to function – end up looking much the same.

Both concerns also feed into resilience risk – debuting in fifth place this year – which considers the consequences of an outage or failure in the context of changing regulatory expectations around how and when a firm can return to operations, as well as the consequences of that outage for other firms that depend upon its services, and the role it plays within the financial system as a whole.

IT failure specifically addresses the opportunity cost of failing to do business and the consequences, including permanent damage to a firm’s reputation, which can last well into the future.

 

#2: Data compromise

Sitting atop a trove of personal data, banks make tempting targets for hackers looking to make mischief, criminal rings out to collar data for cash, even cyber terrorists bent on holding banks to ransom.

While the operations and reputation of any bank hinge on accurate and secure data, the possibility of breaches, disclosure or destruction of information seems to be growing. A handful of expensive and embarrassing incidents in the past year highlight the threat, with assailants relentlessly probing for chinks in bank cyber defences.

“The threats continue to evolve. You have an increased need to be in front of it,” says an operational risk executive at a large North American bank. “We saw the big Capital One breach, so it’s certainly not going away.”

Last July, Capital One, the US credit card giant, said an attacker had exploited a misconfigured web application firewall in front of its cloud infrastructure and got hold of the personal data of 100 million credit card applicants, as well as 140,000 social security numbers and 80,000 bank account numbers of existing credit card customers. The incident could cost Capital One as much as $150 million in customer notifications, legal fees and technology upgrades, it said.

In this year’s Top 10, data management, a discrete category in previous top 10 lists, has been folded into data compromise to form a single topic. Although the causes and preventions are different – one requires protecting a firm’s data from external malicious attack, the other the risks of mismanaging or mislaying data internally – the financial and reputational harm can be the same. Last year, data management was eighth on the list.

The risks are manifest: almost a year ago, UK authorities fined Goldman Sachs and UBS millions for transaction reporting lapses, while Citi was penalised in the US for prudential reporting lapses. Data mismanagement underpinned all these cases.

#3 Theft and fraud


Theft and fraud jumps to third in this year’s survey – a sign of both its ubiquity for financial institutions of all types, from the largest global lenders to eight-person hedge funds, and likely a function of its role in five of the 10 largest reported operational risk losses of 2019.

Many of the most severe frauds reported last year, particularly in emerging markets, bore a similar characteristic: namely, the help of an inside operative working for a bank. That leads one respondent to dub this simply “insider risk”. It was also the case for 2018’s biggest fraud loss – an eye-watering $12 billion hit for Chinese insurer Anbang.

Internal fraud incidents can also have a long tail. Wells Fargo’s legacy losses relating to its ‘ghost account’ fraud scandal also increased throughout 2019, with the total bill for settlements and restitutions already topping several billion dollars and counting – not to mention the long-term impact on the bank’s op risk capital requirements.

Theft and fraud losses are also closely linked to the drive to automate processes and systems. A senior risk manager at a global bank points out that automation of customer authentication, for example, gives criminals the chance to use stolen data to fool robot gatekeepers.

“The situation [with automation] is improving, but the threats are increasing. It’s like the two sides are growing together,” says the risk manager.

While the march of progress may produce all sorts of convoluted, tech-centric crime, naturally theft and fraud can still take place in a more mundane fashion. Earlier this month, Citi was widely reported to have suspended a senior bond trader after he was accused of stealing food from the firm’s canteen in London.

#4 Outsourcing and third-party risk


Big banks have decided there are many things it is not worth their while to do in-house. So they contract them out. And that has birthed a whole new anxiety: third-party risk, or the possibility of getting body-slammed by problems at a vendor – cyber infiltrators, power failures and disreputable behaviour among the most common.

Then there are the vendor’s own third-party vendors. At that point, third-party risk splits into fourth-, fifth-, etc, -party risk – a radiating pond of ever less visible odds. On this year’s top 10 op risk list, third-party came in fourth place, moving up from sixth last year.

Banks don’t believe their thicket of vendors takes risk management – particularly cyber security – nearly seriously enough, with one respondent to this year’s survey calling them the “weakest link in the organisation”.

The risk posed by fourth- and fifth-parties was much discussed by op risk managers last year, as the European Banking Authority set new guidelines that significantly raised the bar for scrutiny of vendors, as well as their suppliers of critical services. The EBA now expects banks to negotiate audit and access rights for fourth parties working with their vendors.

European op risk managers privately say this is wishful thinking – getting even basic information to assess the security of those subcontractors is difficult.

#5 Resilience risk


When a broker can’t execute a trade because of a system meltdown, or a customer can’t get money out of a cash machine, they don’t ponder whether the bank in question has set its risk appetite correctly. They just want to know when they can get their trade done, or their cash in hand.

Resilience, the ability to get operations and services up and running after a disruption – IT snafus, cyber attack, bungled third-party supplies, cataclysmic weather or any other hazard – is a new entrant to the top 10 op risks, and makes its debut at fifth place.

Several forces are at work in elevating the topic. The growing complexity of banking and the interwoven nature of the financial system, both now rooted in technology, have combined to make resilience a subject of boardroom discussion.

“I definitely see it as a risk in its own right at the moment – and I think that will remain the case for the next three years at least,” says a senior op risk manager at a large European bank.

Some banks have moved quickly on the issue: last year, HSBC hired Cameron ‘Buck’ Rogers, the Bank of England’s cyber risk chief, as its first head of resilience risk, while LCH, the largest clearing house of over-the-counter derivatives, formed a dedicated resilience department. Fears have arisen in the banking world that a cyber attack on a clearing house, for instance, could reverberate throughout the industry.

Regulators are taking a closer look. The Basel Committee on Banking Supervision established a working group in 2018 with the aim of including a discussion of resilience metrics in an update of its principles on operational risk and, ultimately, to create a set of metrics for the industry.

The Federal Reserve is also understood to be preparing a policy paper on the subject. A New York Fed study in January said a disruption at any of the five most active US banks would result in significant spillover to other banks, affecting 38% of the network on average.

#6 Organisational change


One large European bank simply calls it “change risk”. It refers to the kinks that may arise as a bank or firm reshuffles its operations for any number of reasons. This year, the biggest of them is the need to keep up with the unstinting pace of technology.

The relentless lunge to the latest technology is being watched closely. However much they invest, firms cannot responsibly move as fast as tech companies – but they do have to move.

Plenty could go wrong. Conversions of this sort, new projects and procedures – such as the long-overdue overhaul of domain models, for example – and the hatching of new enterprises often mean more work for employees who are already under pressure.

“Banks are re-engineering many core processes and leveraging fintech solutions, but time to market is short,” says an op risk head at an international bank. “Agile development makes it hard for risk [teams] to catch up and ensure that risks are being properly addressed.”

But the organisational change category takes in more than the onrush of tech: changes in business strategy, teething issues with new management, shake-ups, onboardings and anything else that could send waves through a company.

When a bank shrinks instead of expanding, that also requires attention. Downsizings that put multitudes of people on the street can hollow out morale and ramp up the workloads of those still at their desks. Recently, HSBC announced it would slash 15% of its global workforce – 35,000 people. Deutsche Bank, in its restructuring effort, announced it would cut 18,000 jobs by 2022. Cost-cutting, generally a sign of lower profits, can be accompanied by reputational risk, especially when accompanied by extensive job culls.

#7 Conduct risk


Conduct risk returns to this year’s Top 10 Op Risks, although it’s never really been away. The category is an aggregation of two key subsets of the risk – mis-selling and unauthorised trading – which have appeared repeatedly in previous years.

“We still have not moved away from the number one risk: conduct,” says an op risk head at a UK bank, about the financial industry. “Conduct by its nature tends to take some time to be identified, and then often takes a long time to manifest itself in outflows from fines or restitution. You can’t rest on your laurels.”

Gauging the scale of the problem through risk modelling is notoriously hard: the seemingly sporadic nature of big conduct losses, with low levels of routine, absorbable losses punctuated by extreme instances of costly wrongdoing, makes it hard to parse datasets to deliver credible conduct value-at-risk figures.

In a recent high-profile loss, a rogue trader at a subsidiary of Mitsubishi Corporation placed a series of unauthorised trades in crude oil derivatives starting in January 2019. The trading firm discovered the positions in August – but too late. The bets had already racked up $320 million in losses.

Firms’ focus on conduct has been sharpened by the implementation of a number of regulations, among them the UK’s Senior Managers and Certification Regime, which was expanded in December to cover some 50,000 regulated firms. The UK Financial Conduct Authority disclosed in September it had a pipeline of investigations for “serious” breaches of the code.

#8 Regulatory risk


Regulatory risk slips back a few places to rank at eighth in this year’s Top 10 – a function, perhaps, of a slowdown in the printing press of rulemakings that have reshaped the post-crisis financial landscape.

The bedding down of reforms to derivatives markets, financial accounting practices, regulatory reporting and stress-testing requirements – the list goes on – doesn’t make compliance with them easy, however. Given the breadth and volume of new sets of rules, the potential for mis-steps and misinterpretation is manifest.

“Increasing regulatory and compliance requirements – in the form of both new rules and amendments to existing rulesets – as well as intense regulatory scrutiny, is a perennial challenge,” says the head of op risk at one global bank.

A time-honoured way of staying on top of such headaches is to poach those who wrote the rules: UBS hired the head of banking supervision at Switzerland’s Finma, the bank’s primary supervisor, as its head of regulatory affairs last year. 

Advances in artificial intelligence represent another source of regulatory risk. Risk managers highlighted the vital importance of ensuring transparency as AI systems become more widely used. While AI involvement in decision-making increases, whether for trading or in customer-facing roles, the pressure to prove that its decisions are unbiased and well founded grows, too – even as the software, and therefore the task of explaining it, becomes more complex.

#9 Talent risk


Talent risk appears in the top 10 for the second time in three years – unwelcome evidence for banks and other financial firms of the struggle to recruit and retain the right calibre of staff and deploy them where they’re needed, in an era of dramatic headcount reductions.

As banks shed jobs, they are forced to think more about how they manage talent risk, says a global op risk head at a US bank. Operating with a leaner business model has forced his firm to recognise more quickly where it does or doesn’t have specific skill sets and juggle resources accordingly, he says. At the same time, a shift in its business mix or change in regulatory priorities can leave the firm exposed.

Within the risk function itself, the IT skills to keep up with digitalisation are in short supply, hiking the risk to banks, says one op risk head at a global bank. “Traditional ways of managing operational risk need to change, and the skills to identify and manage digital risk are still in development, but business is digitalising at a great speed,” he says.

As Basel III moves from rancorous rule-writing to full-on implementation, banks are hunting for experienced talents to lead their efforts. Bank of America, for example, recently hired one of Deutsche Bank’s most prominent risk analytics executives to lead strategic market risk regulatory programmes, such as the Fundamental Review of the Trading Book.

#10 Geopolitical risk


Surveys of this type are always in danger of being rapidly overtaken by events. In the category of geopolitical risk, that can happen before the ink is even dry.

As February drew to a close, the coronavirus left markets reeling from their worst paper losses since the crisis, with governments scrambling to formulate a cohesive response. When the survey was conducted in early January, the virus drew scarcely a mention from respondents, a handful of whom, based in the Asia-Pacific region, flagged it as a blip on the radar.

With the virus likely to contribute to a global economic slowdown, this will trigger wider operational risks – making loan fraud more likely as credit markets deteriorate, for example, or increasing cases of internal fraud as front-office staff struggle to hit targets.

Geopolitical risk continues to manifest itself in plenty of other ways, too, such as regulatory uncertainty. Brexit, which also featured in the 2019 Top 10, continues to be an important concern for the financial sector. Almost four years after the UK voted to leave the European Union, there is still no EU-UK trade deal in place, meaning a lack of clarity on equivalence between UK and EU regulators, and on the ability of UK firms to trade in the EU after full separation at the end of 2020.

Aside from whatever tariffs will eventually apply to a Brexited UK, the US government has imposed a raft of trade barriers on countries over the past three years. Survey respondents pointed out the increased compliance burden this involves, as well as the likelihood of sanctions-evading transactions. Fines for sanctions violations reached $19.9 billion between 2009 and 2019, stressing the need for effective know-your-customer procedures.

Another US election is due in November this year. The 2016 poll brought regulatory uncertainty as the two candidates differed significantly on financial regulation. And while Donald Trump is less of an unknown quantity this time around, November is likely again to present a choice between different regulatory and economic policies.

Climate change, leading the list of emerging global threats, does not appear on this year’s list of top operational risks, but has ascended to the level of a strategic risk for many institutions. Many survey respondents cited disruption from climate change protests and the credit and reputational risks of association with legacy fossil-fuel industry as concerns. The model risk involved in adapting to the new threats to lending and mortgage businesses posed by climate-related disasters such as floods and wildfires is also a worry for banks.


Top 10 op risks 2020: geopolitical risk

By Risk.net staff | Feature | 4 March 2020

Nationalism, trade wars and epidemics make for a heady cocktail

Surveys of this type are always in danger of being rapidly overtaken by events. In the category of geopolitical risk, that can happen before the ink is even dry.

As February drew to a close, the coronavirus left markets reeling from their worst paper losses since the crisis, with governments scrambling to formulate a cohesive response. When the survey was conducted in early January, the virus drew scarcely a mention from respondents, a handful of whom, based in the Asia-Pacific region, flagged it as a blip on the radar.

Epidemic diseases are a standalone operational risk, forcing authorities to respond with quarantining measures and blanket restrictions on travel – all of which play havoc with international firms’ ability to do their jobs in a normal manner. However, the virus is here considered as a function of geopolitical risk.

With the virus likely to contribute to a global economic slowdown, this will trigger wider operational risks – making loan fraud more likely as credit markets deteriorate, for example, or increasing cases of internal fraud as front-office staff struggle to hit targets.

At the time of writing, no end to the coronavirus outbreak was in sight. The number of new cases in China is reported to be slowing, but news is emerging of fresh outbreaks and quarantines in Iran, Italy, the Gulf and elsewhere. As the prospect of large-scale remote working grows, organisations will be reviewing business continuity plans.

Global health officials have not yet classified coronavirus as a pandemic, though. And companies will be aware that as fast as global viruses spread, they can just as rapidly recede.

Another form of virus worrying op risk managers is the threat of state-sponsored cyber attack – one of many ways in which modern geopolitical conflicts play out, as its use by Russia, North Korea and the US has shown in recent years.

Cyber warfare is prone to overspill. Cyber weapons, once deployed, can spread rapidly, and the billions of dollars of damage done by the NotPetya attack in 2017 shows the potential scale of the consequences – which, regulators fear, could rise to the level of a systemic liquidity crisis.


Geopolitical risk manifests itself in other ways, too, such as regulatory uncertainty. Brexit, which also featured in the 2019 Top 10, continues to be an important concern for the financial sector. Almost four years after the UK voted to leave the European Union, there is still no EU-UK trade deal in place, meaning a lack of clarity on equivalence between UK and EU regulators, and on the ability of UK firms to trade in the EU after full separation at the end of 2020.

Many op risk managers regard the Brexit situation as more stable today than this time last year, with most financial institutions having established locally domiciled operations inside the EU.

Aside from whatever tariffs will eventually apply to a Brexited UK, the US government has imposed a raft of trade barriers on countries over the past three years. Survey respondents pointed out the increased compliance burden this involves, as well as the likelihood of sanctions-evading transactions. Fines for sanctions violations reached $19.9 billion between 2009 and 2019, stressing the need for effective know-your-customer procedures.

The link between geopolitical risk and financial impact, however, remains frustratingly indirect and uncertain. Nobel prize-winning economist Robert Engle, speaking at a Risk event in late 2019, pointed out that his ‘Geovol’ measure of geopolitical risk, derived from realised volatilities of multiple asset classes, rated the risk far lower than news-based measures like the Geopolitical Risk Index. Spikes in attention paid to geopolitical events are not always matched by market activity; in fact, 2017–19 was a period of abnormally low Geovol once the spike around the 2016 US election had subsided, Engle pointed out.

Another US election is due in November this year. The 2016 poll brought regulatory uncertainty as the two candidates differed significantly on financial regulation. And while Donald Trump is less of an unknown quantity this time around, November is likely again to present a choice between different regulatory and economic policies.

Climate change, leading the list of emerging global threats, does not appear on this year’s list of top operational risks, but has ascended to the level of a strategic risk for many institutions. Many survey respondents cited disruption from climate change protests and the credit and reputational risks of association with legacy fossil-fuel industry as concerns. The model risk involved in adapting to the new threats to lending and mortgage businesses posed by climate-related disasters such as floods and wildfires is also a worry for banks.



Top 10 op risks 2020: organisational change

By Risk.net staff | Feature | 4 March 2020

New tech has created perennial state of flux in banking, as other kinds of shake-ups continue

One large European bank simply calls it “change risk”. It refers to the kinks that may arise as a bank or firm reshuffles its operations for any number of reasons. This year, the biggest of them is the need to keep up with the unstinting pace of technology.

The relentless lunge to the latest technology is being watched closely. However much they invest, firms cannot responsibly move as fast as tech companies – but they do have to move. An op risk manager at a US bank says rapid evolution has to be carefully controlled to avoid any sudden movements.

“Change management is a top risk for us,” he says. “Agile methodologies are something we continue to monitor.”

One financial market infrastructure provider, like many others, is facing significant upheaval in integrating “new technology platforms, new services avenues and new management”, its chief risk officer says.

At a large US asset manager, numerous “transformation” efforts are under way, says one managing director, as the firm absorbs the purchase of a business software provider. The firm refers to this sort of overhaul as “process re-engineering”.

“We completely rebuilt our front-to-back systems,” says the head of op risk. “All the processes we execute manually are going to be rebuilt using new technology.”

Plenty could go wrong. Conversions of this sort, new projects and procedures – such as the long-overdue overhaul of domain models, for example – and the hatching of new enterprises often mean more work for employees who are already under pressure.

“Banks are re-engineering many core processes and leveraging fintech solutions, but time to market is short,” says an op risk head at an international bank. “Agile development makes it hard for risk [teams] to catch up and ensure that risks are being properly addressed.”

But the organisational change category takes in more than the onrush of tech: changes in business strategy, teething issues with new management, shake-ups, onboardings and anything else that could send waves through a company.


When a bank shrinks instead of expanding, that also requires attention. Downsizings that put multitudes of people on the street can hollow out morale and ramp up the workloads of those still at their desks. Recently, HSBC announced it would slash 15% of its global workforce – 35,000 people. Deutsche Bank, in its restructuring effort, announced it would cut 18,000 jobs by 2022. Cost-cutting, generally a sign of lower profits, can be accompanied by reputational risk, especially when accompanied by extensive job culls.

Organisational change risks can be more mundane. The chief risk officer at one clearing house, for example, is dealing with a good old-fashioned merger – “a challenge to our IT integration and unexpected regulatory requirements as well”.

Brexit is no longer the anxiety it was a year ago. One senior risk manager at a leading European bank says the UK’s rupture with Europe required shifts at his company, but that that work is now largely complete.

“We had to reorganise in terms of legal entities, and who trades what,” he explains. The “migration tasks” that do remain are well understood and thoroughly mapped out. “It doesn’t add any value to us as a global bank, but it makes lawyers and consultants richer,” he says of the effort.

One perennially predicted insurgency – distributed ledger technology – has not yet materialised. The probability that blockchain will one day bring seismic change to finance is high, but for now, it’s somewhere out on the horizon, says the risk manager from the European bank, despite a surge of ledger-related work.

“I see some niche solutions in blockchain,” the risk officer continues. “But at the end of the day, position-keeping for cash and securities will still be with a trusted third party – which is likely to be a regulated entity, rather than a cryptographic algorithm.”

He adds: “Maybe it’s because I’m old-school.”



Top 10 op risks 2020: theft and fraud

By Risk.net staff | Feature | 4 March 2020

From mega loan fraud to canteen theft, the danger is ever present

Theft and fraud jumps to third in this year’s survey – a sign of both its ubiquity for financial institutions of all types, from the largest global lenders to eight-person hedge funds, and likely a function of its role in five of the 10 largest reported operational risk losses of 2019.

Professionals surveyed by Risk.net this year highlighted a wide range of factors behind the rise: technological innovation, fast-changing regulatory expectations and rising institutional complexity. The category is also a broad one, encompassing a variety of crimes.

Many of the most severe frauds reported last year, particularly in emerging markets, bore a similar characteristic: namely, the help of an inside operative working for a bank. That leads one respondent to dub this simply “insider risk”. It was also the case for 2018’s biggest fraud loss – an eye-watering $12 billion hit for Chinese insurer Anbang.

Internal fraud incidents can also have a long tail. Wells Fargo’s legacy losses relating to its ‘ghost account’ fraud scandal also increased throughout 2019, with the total bill for settlements and restitutions already topping several billion dollars and counting – not to mention the long-term impact on the bank’s op risk capital requirements.

While the march of progress may produce all sorts of convoluted, tech-centric crime, naturally theft and fraud can still take place in a more mundane fashion. Earlier this month, Citi was widely reported to have suspended a senior bond trader after he was accused of stealing food from the firm’s canteen in London.

The increasing ease with which low-level crimes can be orchestrated is helping to keep the category firmly on the radar of risk professionals. One senior op risk professional cited concerns over the profusion of “information available to fraudsters from ongoing data breaches” amid the “rapid pace of digital innovation and instant money movement”.


Data theft is a reliably high-ranking risk in itself, and a serious breach can lead to spiralling losses as financial criminals put the stolen information to use. Often, the theft of data is just the beginning.

“[We’re seeing] more sophisticated fraud,” says an operational risk manager at a US bank. “What I really worry about is people taking critical customer data and putting it on the dark web. I don’t worry about a hold-up.”

Theft and fraud losses are also closely linked to the drive to automate processes and systems. A senior risk manager at a global bank points out that automation of customer authentication, for example, gives criminals the chance to use stolen data to fool robot gatekeepers.

“The situation [with automation] is improving, but the threats are increasing. It’s like the two sides are growing together,” says the risk manager.

Institutional complexity may be a boon to fraudsters: super-intricate systems architecture can hinder a bank from understanding how and when a financial criminal has gained access. “It can make it more complex for the fraudster, of course, because they have to work with 10 systems instead of one. But it creates more points of failure, so I’m not able to say if it’s a plus or a minus. A unique system is a unique, single point of failure – and 10 systems are 10 entry points,” the risk manager says.


However, automation and digitisation are among the main tools in the fight against theft and fraud. Loan frauds may be easier to perpetrate online, but when a bank has a large digital dataset to parse, it can spot anomalies much more quickly than in the days of paper-based fraud.

“With big data and correlation tools, we try to find abnormal patterns in payment systems and trading systems,” the senior risk manager says. “But it is not the panacea – it’s a work in progress.”

Regulation may be another factor in the ascent of theft and fraud in the rankings this year. Gaining access to the data used to commit theft and fraud, some argue, is becoming easier because of laws compelling financial institutions to collect larger quantities of information on customers.



Top 10 op risks 2020: resilience risk

By Risk.net staff | Feature | 4 March 2020

In an entwined financial system, an outage at one bank can reverberate through many more

When a broker can’t execute a trade because of a system meltdown, or a customer can’t get money out of a cash machine, they don’t ponder whether the bank in question has set its risk appetite correctly. They just want to know when they can get their trade done, or their cash in hand.

Resilience, the ability to get operations and services up and running after a disruption – IT snafus, cyber attack, bungled third-party supplies, cataclysmic weather or any other hazard – is a new entrant to the top 10 op risks, and makes its debut at fifth place.

Several forces are at work in elevating the topic. The growing complexity of banking and the interwoven nature of the financial system, both now rooted in technology, have combined to make resilience a subject of boardroom discussion.

“I definitely see it as a risk in its own right at the moment – and I think that will remain the case for the next three years at least,” says a senior op risk manager at a large European bank.

Several incidents in the past year raised alarm. CI Banco in Mexico found ransomware on an employee’s computer and restricted operations, taking down online banking services. Smoke in a Wells Fargo data centre shut off power, disrupting online and cash machine services for 14 hours. When hackers tried to steal millions from the Bank of Valletta in Malta, the bank closed all its branches, its cash machines and its website. It returned to normal service the next day.

Some banks have moved quickly on the issue: last year, HSBC hired Cameron ‘Buck’ Rogers, the Bank of England’s cyber risk chief, as its first head of resilience risk, while LCH, the largest clearing house of over-the-counter derivatives, formed a dedicated resilience department. Fears have arisen in the banking world that a cyber attack on a clearing house, for instance, could reverberate throughout the industry.

Unlike business continuity and disaster recovery, which deal with individual systems, resilience looks at how quickly the entire organisation can resume its routine.


“Resilience is an outcome, business continuity is a management tool,” says the European bank’s operational risk executive. “You are resilient if your banking system is available to the level you target.”

Regulators are taking a closer look. The Basel Committee on Banking Supervision established a working group in 2018 with the aim of including a discussion of resilience metrics in an update of its principles on operational risk and, ultimately, to create a set of metrics for the industry.

The Federal Reserve is also understood to be preparing a policy paper on the subject. A New York Fed study in January said a disruption at any of the five most active US banks would result in significant spillover to other banks, affecting 38% of the network on average.

At the US Treasury Department, network theory is now being used to identify which links in the financial system chain are most vulnerable, and defend them accordingly. In a targeted attack, the hub with the most direct connections to other nodes in the network is the most critical to protect; in a random attack, the hub that connects to the most nodes – directly or indirectly – is most critical.
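The two criteria in the paragraph above can be made concrete on a small graph. The following is an added illustration, not code from the article nor from any Treasury or New York Fed model: degree (number of direct counterparties) stands in for the targeted-attack criterion, and, as one reading of "connects to the most nodes, directly or indirectly", the share of the network cut off from the largest surviving piece when a node fails stands in for the random-attack criterion. The institution names and links are constructed, and the graph is deliberately built so that the two criteria pick different nodes.

```python
from collections import deque

# Constructed example network (an assumption for illustration, not data from
# the studies cited in the text): institutions are nodes, direct exposures
# are undirected edges. "Hub" has the most direct links; "Bridge" is the only
# path between the two halves of the network.
EDGES = [
    ("Hub", "A"), ("Hub", "B"), ("Hub", "C"), ("Hub", "D"), ("Hub", "Bridge"),
    ("Bridge", "E"),
    ("E", "F"), ("E", "G"), ("F", "H"), ("G", "I"),
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def degree(graph, node):
    """Number of direct counterparties: the 'targeted attack' criterion."""
    return len(graph[node])


def component_sizes(graph, removed=frozenset()):
    """Sizes of the connected components left after removing `removed` (BFS)."""
    seen = set(removed)
    sizes = []
    for start in graph:
        if start in seen:
            continue
        queue = deque([start])
        seen.add(start)
        size = 0
        while queue:
            cur = queue.popleft()
            size += 1
            for nxt in graph[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        sizes.append(size)
    return sizes


def spillover(graph, node):
    """Fraction of the other nodes cut off from the largest surviving component
    when `node` fails. A node that links many others directly or indirectly
    scores high even if its own degree is small."""
    sizes = component_sizes(graph, {node})
    remaining = len(graph) - 1
    return (remaining - max(sizes)) / remaining


def most_critical(graph, metric):
    """Node maximising `metric`; ties go to the alphabetically first name."""
    return max(sorted(graph), key=lambda n: metric(graph, n))


def rank(graph):
    """(node, degree, spillover) rows, most disruptive failure first."""
    rows = [(n, degree(graph, n), round(spillover(graph, n), 3)) for n in graph]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("Most direct connections (targeted attack):", most_critical(g, degree))
    print("Largest spillover if lost (random failure):", most_critical(g, spillover))
    for name, deg, spill in rank(g):
        print(f"{name:7s} degree={deg} spillover={spill:.1%}")
```

On this constructed graph `Hub` wins on degree (five direct links) but losing it only strands its four leaf counterparties, whereas losing `Bridge`, which has just two links, splits the network in half; a defence plan that ranks only by direct connections would under-protect it.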

A consultation by the Bank of England last December required companies to set timeframes on how quickly services would be restored following any outage. This is a subtle departure from business continuity, which focuses on how long it takes for systems to get back online. The former is about services, the latter about technology.

The consultation will require ‘impact tolerances’ as opposed to risk appetite – the losses a firm is willing to swallow following an outage. The rules, which the Bank of England plans to finalise in 2020, could include impact tolerances for vital services in the broader economy, like payment systems.

That has some companies worried.

“Setting blanket impact tolerances in terms of hours or days could be hugely unhelpful,” says the European bank’s op risk manager. “No two firms look the same, and even within the same operating model you have very different business mixes.” An outage at a retail bank with a large card payment network, he adds, could be far more disruptive to the financial system than a disruption at a big high street bank.

Exactly what is meant by ‘impact tolerance’ is a matter of debate. Some practitioners say risk appetite already includes it.

“The paper talks about defining critical processes and, for each of those critical processes, defines the acceptable tolerance. Some of that work has already been done through risk appetite,” says an op risk executive at a North American brokerage firm. “That might be an area where some examples from the regulator about what they mean would be beneficial. Setting the tolerance at a certain level has financial implications.”

Given the digitalisation of financial services, third-party providers can be weak links in the system. The Bank of England also addressed third-party arrangements in a separate consultation in December. The central bank would require contracts with critical service providers to include provisions for data security, audit, sub-outsourcing and business continuity.

The concept of cyber resilience, in particular, is well-established in the industry. The Financial Stability Board’s cyber lexicon defines it as “the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents”.

Banks are extending this definition or variants thereof to operational resilience.

“Resiliency is broader than disaster recovery,” says an operational risk executive at a US bank that has set up a working group on operational resilience. “We’re focusing on end-to-end services.”

More costly than getting things going again can be the lasting reputational damage. Today, there is little cover. If the mainstream media does not report the disruption to service, social media almost certainly will.

“Interconnectivity and social engagement means you can no longer isolate your failures,” says the European bank executive. “If you’re down for a few seconds, it’s amazing how many times on Twitter it will get picked up.”
