Is your financial institution staying ahead of these evolving operational risks?
Operational risk is an ongoing challenge for every financial institution. The risk environment is constantly changing, and financial institutions that don’t keep up can expose themselves to unknown or unwanted risk—or miss emerging opportunities.
How is operational risk evolving in 2022? A recent survey conducted by Risk.net sheds light on shifting operational risk priorities, with significant differences from just a year ago.
Here are the areas of operational risk that are trending:
Russia’s invasion of Ukraine and the resulting U.S. sanctions against Russian individuals and businesses catapulted geopolitical risk to #4 on Risk.net’s 2022 Top 10 operational risks survey—up from #9 in 2021.
These sanctions have elevated BSA/AML risk, as financial institutions must stay on top of OFAC (Office of Foreign Assets Control) sanctions and ensure BSA/AML screenings are updated and properly implemented.
Sanctions also mean that third-party risk—#7 on the list of operational risks—has increased, due to the risk of dealing with a vendor on a sanctions list. Just last month OFAC issued a finding against a $32 billion-asset Oklahoma bank because it failed to realize that its vendor only screened the bank’s full customer list against OFAC’s List of Specially Designated Nationals and Blocked Persons once a month instead of daily. The bank ended up processing 34 transactions for blocked persons.
Operational risks related to BSA/AML touch nearly all areas of an institution, including third-party vendor management. Financial institutions need risk management solutions that facilitate collaboration and efficiency, allowing them to connect all the pieces while assessing and strengthening controls in real time.
In assessing risk, financial institutions should ask:
- Have we scrubbed our vendor list to ensure that none of our vendors are on the most recent OFAC list? This is especially important due to the new and ever-changing Russia-related sanctions.
- Have we scrubbed the beneficial owners of our vendors to ensure they aren't on the most recent OFAC list?
- How often are we running vendors (and beneficial owners) through the OFAC filter? How do we know for sure? This process should be automated to ensure greater efficiency.
In a shock to no one involved in hiring this year, talent risk made its debut as #3 on the list of operational risks. The Great Resignation, the push for competitive pay and benefits, and an overall lack of qualified talent have created a skills gap, especially for compliance departments.
Financial institutions often say their greatest strength is their people. Without those people, institutions face challenges everywhere from customer service and lending to IT and operations. It presents a real risk that the institution won’t be able to deliver products or services as promised, will miss the mark on customer service, or will fall short when it comes to cybersecurity, compliance, and other key areas.
Attracting, onboarding, and retaining talent is a challenge in today’s job market. Promoting a positive corporate culture—one with open communication and tools that minimize busywork and inefficiencies—shows employees and job candidates that your institution is a modern, forward-thinking institution. This is particularly important to Millennial and Gen Z employees, who will often search places like Glassdoor.com to check an organization’s corporate culture as part of their due diligence.
It’s also important to cross-train employees to ensure continuity in case of turnover.
To assess talent risk, financial institutions should ask:
- In what ways are we promoting a positive corporate culture?
- How are we keeping remote workers engaged?
- What messaging do our teams receive regarding our expectations of them?
- Does this messaging include key topics like compliance, risk management, inclusion, and ethics?
- How are we sending a consistent corporate message about our corporate culture?
- How do we show employees our commitment to career development?
- What are we doing to document institutional knowledge?
Did you know business units made up of highly engaged employees are 21% more profitable than their peers?
IT/Cyber Risk remains the #1 operational risk in 2022—and for good reason.
Cyber risk is rising—and not just because of geopolitical risk and Russian-linked hacking. Security researchers identified a 48 percent increase in attempted cyberattacks targeting email accounts in the first six months of 2022.
The stakes for cybersecurity are higher than ever at financial institutions, with fraudsters using increasingly vicious tactics. In fact, a new report found that 63 percent of financial institutions have seen an increase in destructive attacks—17 percent more than in 2021.
The survey also notes that application program interface (API) attacks are rising. A staggering 94 percent of financial-industry security leaders have experienced an API attack through a fintech application.
As cyber threats persist, financial institutions should ask:
- Do we have a documented program of continuous improvement in place for our institution's cyber maturity?
Financial institutions must evaluate their cyber risk, as well as report on the results. As cyber threats grow more sophisticated, regular cyber risk assessments are nonnegotiable.
As financial institutions anticipate new regulatory requirements and deal with more frequent extreme weather events (such as two 1-in-1,000-year rain events in two days in Kentucky and St. Louis), climate risk—or the risk that climate-related changes pose to financial institutions—made its first appearance on the list, ranking #9. Closely related is resilience risk at #6.
Climate risk continues to demand more attention, with regulators ramping up efforts to assess potential risks to the U.S. financial system. This includes plans to improve climate-related disclosures and other sources of data and to incorporate climate-related financial risk into regulatory and supervisory practices.
Financial institutions should be asking:
- Are we currently assessing such risks, and if so, how?
- How are we testing the effectiveness of our control environment?
- Does this data flow back to our risk management or internal audit systems?
- Do we have KPIs/KRIs and/or risk tolerance statements? If so, how are we monitoring and reporting performance against these tolerances?
- What happens if we find a flaw or breakdown in our control environment? How are we remediating it? What oversight is there over the remediation process?
The huge swing in operational risk rankings in just one year is a reminder that a once-a-year approach to assessing risk and the related control environment is not enough. Financial institutions need to be proactive when it comes to operational risk—reassessing risk when the risk environment shifts.
Now is the time to review areas of elevated operational risk and re-evaluate your assessment methodology and control environment to ensure they are still effective.