Operational risk will overtake credit and market risk. Or has it already?
The annual conference of the Austrian Financial Market Authority (FMA) is coming to a close today in Vienna. An audience of around 250 senior banking professionals had the opportunity to hear senior regulators and banking professionals discussing the challenges ahead.
The first part of the morning concentrated on the Single Resolution Mechanism, the second part, on major operational risks. The afternoon included three workshops on Cyber security, on the implications of Mifid II and of Brexit. Maybe for the first time, a major regulatory conference of the financial sector is dedicated entirely to non-financial risks.
Felix Hufeld, Chairman of the BaFin delivered a keynote speech on the importance of operational risk, before a panel composed on the chairmen of the FMA, BaFin, IOSCO, the CEO of Erste Bank, and myself, reflected on the current and future challenges in operational risks for banks and regulators.
We find the usual suspects among the top operational risks discussed:
– Cyber risks: the operational risk for some; “a risk that banks cannot take seriously enough”. They do take it seriously: a survey of the audience showed 68% of the respondents rating Cyber and IT risk number 1 in the list of top operational risks;
– Outsourcing: in particular – interestingly – the concentration of certain outsourced activities – like Cloud computing – on a small number of dominant players, creating a single (or rather, a dual) point of failure in case something major happens to one of those key vendors;
– Conduct risk and misselling: ethics, conduct, culture and the behavior of all staff is still very present in the discussions;
– AML and terrorism financing, alongside political risk – and the difficulty of measuring it – were the other top risks highlighted by the panel.
I would add to the list: the conflicting priorities in banks between falling revenues, increased costs of regulatory compliance and reporting, colliding with the necessity to dedicate more resources in people and systems infrastructure and redesigned process to address the heightened operational risks generated by the pace of change. The pace of change is itself driven by the evolution of the banking business model, Fin Tech and the way new technologies affect how more and more people use financial services.
Regulators highlighted the fundamental difference between operational risks and financial risks, their intricate links with the quality of people, process and systems infrastructure that are its core drivers. This difference requires a profound rethink on how supervision is designed and applied. It also poses the difficult challenge of the management of incentives to banks by the regulators: capital is not enough, and illusory without proper management. For this, actors need better guidance and probably better incentives than the fear of fines.
To address the diversity and complexity of challenges posed by the growing and transforming operational risks, the panel insisted on the need to invest in people and in systems infrastructure. This includes recruiting and training staff with the right skill sets and keeping up with advancing technologies and change.
Despite the disinterest of some (about 15% of participants left the room when the topic was announced), operational risk will soon overtake credit risk and market risk in terms of losses, in terms of capital, in terms of regulatory attention. Or has it already?