Op risk survey shows the insidious effects of political risk
Rise in geopolitical turmoil drives other risk factors, suggests a network analysis of 2017’s survey
There are decades where nothing happens, and there are weeks where decades happen, Lenin once observed. A steep rise in uncertainty and instability in the global political order following the UK’s vote to leave the European Union and the election of Donald Trump as US president has certainly spurred a mini-revolution in the ranking of the top 10 operational risks this year, top spot notwithstanding.
The world will be dealing with the consequences of both events for years to come. But op risk managers don’t have the luxury of time when it comes to making sense of such events; they need to start incorporating them into their risk frameworks straightaway.
Brexit and Trump’s election pose challenges for practitioners because they cut across such a broad array of risk factors. One way of informing decision-making, instead of looking at risks in isolation, is to use network theory to see how they inform one another.
The figure below proposes one network view of the top 10 risks for 2017, where the arrows represent the possible or likely driving relationships between risks.
The most obvious finding is the pivotal role of geopolitical risk. Political changes, Brexit especially, will almost certainly trigger or accelerate organisational restructuring for many banks and other companies, with forced relocations of staff and the establishment of new operations within the European Union already in train.
One obvious example of interconnectedness is the perceived rise in outsourcing risk, which jumps to third position overall this year. Banks considering shifting staff and operations out of London to the eurozone must be alive to the idiosyncratic risks – from internal and external sources – this can open them up to.
Other forms of geopolitical risk, whether trends in immigration, escalations in extremism or political violence, are also a driver of attacks, both physical and cyber. Ill-chosen outsourcers, a possible rise in IT failures and internal fraud are all possible causes of data security breaches.
This network view underlines the necessity for boards and chief risk officers to monitor the political and business environment carefully for potential repercussions within their own firms. The best risk managers will be formulating adaptive strategies already. Studies have demonstrated the quality of risk management is positively correlated within firms: if a bank has a strong op risk framework, it will tend to be a good manager of market or credit risk too, for instance.
If this year’s top 10 list and its evolution over time paint an interesting picture of the overall worries and concerns in the financial industry, linking these risks with their likely interconnections shows us another layer.
The op risk network is essentially split into two poles: an overtly operational pole that includes geopolitical, organisational and IT security risk, and a regulatory pole gathering the risks of regulatory changes, sanctions, capital hikes and conduct fines.
Our analysis did not find many strong relationships between regulatory risks and others in the top 10, though there were links with conduct risk and fraud through internal controls weaknesses.
Risks of non-compliance, whether driven by a failure to implement or adapt to regulatory changes (#2), misconduct (#5) or sanction breaches (#8), remain prominent in this year’s list compared with last. Overall, however, regulatory risk factors lose ground compared with last year, when they occupied the three top positions after cyber risk. Regulatory fines disappear from the top 10, this time included under regulation risk.
By their nature, different types of regulatory risks are interconnected: conduct risk is connected with fraud, and is a driver of regulatory non-compliance and fines – as are breaches of anti-money laundering (AML) controls, counter-terrorist financing (CTF) and sanctions avoidance.
Cyber risk, unsurprisingly, remains in pole position, with the taxonomy extended this year to encompass data protection. In a world where almost all information, data and money are online, cyber security is likely to be the top priority for all financial organisations, just as security of bank branches and physical safes was in the last century. The conduit has changed, but the need for protection against crime has not.
However, cyber security risk, most often cited as the number one operational risk for the financial sector, appears much more as a consequence than a cause of other risks, counting multiple drivers as varied as physical attacks, organisational change, outsourcing or fraud. This shows the need for considering data protection and cyber security, not only as a risk in its own right, but also as a function of a good – or bad – risk management strategy across a firm.
NB, the diagram above is subjective, driven in large part by experience of working in risk management in the financial sector over the last two decades. Other judges will draw different links – but I hope the benefits of representing the top risk register affecting firms as a connectivity network, rather than a list of standalone threats, allow the ordering and prioritisation of mitigating actions for a more efficient allocation of risk management resources.