OCC: Operational Risk Remains Elevated
The only certainties in life are death and taxes, the saying goes, but I can think of one more thing: risk.
Even as we work to mitigate risks, new ones are constantly emerging. Or, as is the case with cyber risk, old controls become less reliable as fraudsters find ways around them.
The Office of the Comptroller of the Currency (OCC) recognizes it in its most recent Semiannual Risk Perspective for Spring 2019.
Let’s take a look at the key risks the agency is eyeing.
Operational risk remains “elevated” due to an operating environment that’s “changing and increasingly complex.” These include:
- Cybersecurity threats
- Innovation in products and services
- Increased third-party vendor use without proper risk assessments and controls
- Poorly planned M&A
The OCC encourages strong change management and awareness of operational resilience to deal with these issues.
- Compliance. New products, services, technologies, and vendors make compliance management and change management as well as the staffing and expertise to address these issues critical. The OCC has noted consumer compliant risk management is common when banks don’t include compliance when modifying or considering new products and services.
- Cybersecurity. Internal and third-party vendor cybersecurity controls are essential, especially when the interdependent activities of the financial sector are considered. Banks should “continually reassess and validate their cybersecurity controls.” Social engineering remains the weapon of choice.
- Increasing competition. Fintech companies and other non-bank providers are changing customer expectations.
BSA compliance risk
Like a bad penny, this perennial issue always comes up.
Despite strong credit quality; years of growth, a slow ease in underwriting standards, and increased concentrations may result in increased portfolio risk. Banks should keep an eye on external economic factors and strong risk management.
Interest rate risk
An uncertain rate environment and strong competition for deposit gathering creates challenges.
Tackling Operational Risk
The solution to all these issues is strong risk and change management. These issues do not fit into clearly defined risk silos. Operational risk touches compliance, cybersecurity, innovation, and financial risk. Addressing any single risk means understanding each of these issues.
It’s also necessary that risk management is an ongoing effort. Controls must be continually assessed and reassessed to ensure they remain effective. Just when your institution thinks it has a handle on cyber risk or understands its vendors, an external (or internal) factor can make former controls moot. Meanwhile, new risks will require new controls.
Don’t let elevated operational risk hinder your institution. Make sure you have a risk and change management program in place. Increasing and evolving risks are all but guaranteed.