Operational risk management teams in financial institutions had a tumultuous year in 2020, and it seems likely that 2021 will bring even greater challenges as regulators around the world press ahead with delayed plans, new risks emerge, and existing ones rise up the agenda. For risk professionals and their organizations, navigating these risks effectively will directly impact whether firms are able to deliver on crucial business goals. In the process of meeting these challenges, operational risk management will in turn likely be transformed.
Risk professionals will likely face seven key challenges for the upcoming year:
1. Navigating the new working model: The pandemic has changed the world of work forever, with higher levels of remote working either from home or from business continuity back-up sites expected to continue. Regulators and firms fear that this could cause both increased market abuse and a rise in other financial crimes. In fact, according to Acin data, 60% of all data-driven risk intelligence produced since COVID-19 arose is connected to conduct risk, with a surge at the height of the March 2020 lockdown.
Financial institutions are looking to navigate this new, dispersed approach to work in a variety of ways, including using technology to more intensely digitally monitor employees. But it also means fostering and developing work culture, which requires other types of controls to be applied. This is starting to happen already—Acin’s risk intelligence observations show a 30% rise in controls related to supervision and surveillance since the pandemic struck.
2. Paying back the regulatory debt: COVID-19 has created the phenomenon of “regulatory debt,” which can be broken into two parts. First, when the pandemic started, regulators around the world relaxed certain rules to enable financial services firms to continue operating with changes to working models. In 2021, these rules will likely be tightened, and firms will have to rapidly adapt—for example by enhancing their ability to monitor calls at remote work locations—or face significant enforcement actions.
The second part is regulators’ desire to make up for lost time implementing new rules, particularly related to issues impacted by the pandemic, such as operational resilience and third-party risk management. Firms will need to be prepared to invest in keeping up with the pace of regulatory change in 2021.
3. Improving risk data quality: Data quality has long been an issue for operational risk, with information shared on spreadsheets or in point solutions, usually without data lineage or accuracy checks. At many firms, boards and senior managers under pressure to react quickly to the pandemic were surprised by the poor quality of their risk and control data. Regulators are keener than ever for operational risk management teams to embrace the data governance revolution.
The Basel Committee on Banking Supervision’s (BCBS’s) recent consultation paper, Revisions to the Principles for the Sound Management of Operational Risk, put data governance front and center. It asked firms to “establish risk reporting and management information systems (MIS) producing timely, and accurate data” and that the data’s “integrity is ensured by strong governance and robust verification and validation procedures.” The BCBS also called for “a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives across all business units.”
4. Controlling third-party risk: This emerging risk was attracting interest from both regulators and boards of directors before the pandemic hit and is set to continue to evolve through 2021 and beyond. Originally, much of the focus was on cyberrisks in third-party relationships, especially given that the financial services industry is increasingly outsourcing key activities to third parties. But now, owing to COVID-19, other risks are being amplified too, such as the financial viability risk of third parties, fourth-party risk and concentration risk.
Regulatory activity is picking up in this space. The International Organization of Securities Commission (IOSCO) issued a consultation on Principles on Outsourcing in May 2020 and the Financial Stability Board published Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships in November 2020. Other regulators, in the United States and United Kingdom for example, are preparing new guidance and rules on this topic for 2021. Boards of directors are increasingly recognizing the potential strategic importance of managing this risk.
5. Building operational resilience: When the U.K. Financial Conduct Authority (FCA) published a consultation on operational resilience back in 2018 and a follow-up at the end of 2019, proposed a number of things, including making critical business processes more robust, whether conducted internally or by a third party. While some questioned the need for these proposals, today, boards and senior managers in financial services firms no longer argue over them, as the pandemic has underscored the need for significantly enhanced operational resilience. Firms are also recognizing that robust operational resilience nurtures agility, and that the ability to adapt under trying circumstances can create competitive advantage. Internationally, regulators are accepting the idea of operational resilience. The BCBS’s August 2020 consultation on its Principles for Operational Resilience is creating a roadmap for jurisdictions to follow when setting their own rules.
6. Increasing regulatory sophistication: Supervisory technology (SupTech) is on the rise, and in some areas is far more advanced than the technology that firms have to detect wrongdoing. Both the U.S. Securities and Exchange Commission (SEC) and the U.K. FCA are now using technology to review trade data for signals of market abuse, and both regularly flag market abuse incidents to unaware compliance teams. SupTech could usher in an era in which the regulators have the upper hand in many non-financial risk areas. For firms grappling with trading teams working remotely, and a lack of technology to monitor remote workers for market abuse producing potential regulatory debt, this presents a clear source of compliance risk.
7. Embedding new technology: Firms with fragmented operational risk infrastructures found it difficult to respond quickly and with agility during the pandemic crisis, and it shone a spotlight on the shortcomings of financial institutions’ current systems and processes. Although many firms were starting to recognize that they could not manage their operational risk management programs on a mass of spreadsheets and a handful of point solutions, the pandemic revealed how critical this transformation is.
As firms adapt and evolve their approach to managing operational risk, there will be significant changes to the operational risk discipline. Looking forward, we are likely to see significant improvements in data quality, increased automation, and a more sophisticated use of technology to proactively manage risk, as well as risk-related processes. As a result, operational risk teams should be much better placed to deliver real value to their business, their senior management teams, and their boards in 2021 and beyond.