This article was paid for by a contributing third party.
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of geopolitical risk
What are the main regulatory trends and priorities we should expect as economies and markets emerge from Covid‑19 pandemic‑related restrictions?
Karen Man: The digitisation, sustainability, and environmental, social and governance megatrends have already been shaping the future regulatory environment prior to the pandemic, but the pandemic has accelerated them – the former by increasing regulators’ expectations around the need for resilient systems and controls in the face of a faster adoption of digitised solutions. And the latter around new obligations concerning reporting, disclosures and governance on all aspects of sustainability, where the pandemic has been a catalyst for the awareness of the importance of sustainable – or resilient – operations.
In both cases, institutions are exposed to enforcement and litigation risk. There have been signs of an uptick in action, for example as a result of misconduct during the pandemic. However, we would expect that, in the short term, the extent of such actions is likely to be lower than after the global financial crisis that began in 2007–08. This is because the expanded regulatory architecture put in place after this financial crisis has been successful in spite of stressed markets and the financial strain on the economy caused by Covid‑19. However, we expect this endorsement will see regulators continue their current expansive approach over digitisation and sustainability megatrends, which is already translating into a tighter web of hard regulatory requirements – requirements that regulators will enforce and that clients will use as a launching pad for civil action.
What challenges do changing working practices present for firms in how they manage and monitor conduct and culture?
Karen Man: With the onset of Covid‑19, there was concern that financial institutions might lose sight of the importance of culture as they were dazzled by stressed market conditions. This, against a backdrop of emerging conduct risks resulting from widespread home and remote working, gave rise to practical challenges of supervising staff.
In fact, a more complex and varied picture has emerged. On the one hand, many businesses have doubled down on facilitating healthy cultures out of a need to help their staff cope with the crisis, keep them operative and to reduce conduct risk. On the other, regulators have been concerned that extended homeworking has led to fewer ‘watercooler moments’ – informal social settings that facilitate the exchange of ideas and views among employees and, through this exchange, promote good grassroots culture.
What does it mean when regulators emphasise not just the ‘tone from the top’ but the ‘tone from within’ – referencing each individual’s mind-set, preferences, beliefs, habits and predispositions? What we said last year still holds true: either you design a culture or you have one. This is especially relevant as businesses respond to the need to embrace diversity and inclusion (D&I) in their working practices and culture. D&I across firms is a key constituent of the tone from within and tends to pre‑empt unhealthy subcultures.
Cyber risk and data breaches continue to appear regularly as one of the most costly sources of op risk losses. What measures can firms put in place to mitigate the impact?
Karen Man: Mitigate is the right word. Given the amount and value of the data firms hold, the number and sophistication of attacks will not recede. And, given the ever-increasing transferability of data across the extended enterprise, the ‘outer skin’ of financial firms and their inherent vulnerability will remain vulnerable. Accordingly, you will never stop all incidents, all the time. This means the response can only be to maximise resilience by identifying critical data and key vulnerabilities, setting tolerance levels and scenarios for disruption and, within those parameters, ensuring continued operability to the extent possible or ensuring a quick recovery. Prior to breaches, regulators will scrutinise your risk management framework where requirements have become tighter. After an incident, regulators will investigate whether firms responded efficiently and effectively. Key measures to ensure resilience include:
1. Mapping where data is held, what is outsourced to the cloud and who is responsible for it
2. Investing in security information and event management software
3. Having proper governance, reporting and supervision up to board level
4. Assuring third-party IT and data hygiene
5. Most importantly, fostering a compliance culture
6. Putting in place an effective incident response team, including forensic experts and legal counsel.
Where the response is a critical part of your resilience and mitigates your regulatory and financial exposure, the importance of this last point cannot be underestimated. It means early identification and assessment, promptly bringing the response team into operation. Legal requirements may mean notifying regulators, law enforcement and data subjects. Outside counsel will advise on the most effective ways to manage regulatory risks and help preserve privilege in the face of increasing civil litigation and threats of regulatory fines.
Increasing reliance on digital channels has placed pressure on legacy IT systems and infrastructure. What risks should firms pay most attention to as part of longer-term digital transformation projects?
Karen Man: Many institutions have found that replacing legacy infrastructures is associated with the highest failure rates. Unsurprisingly, they are reluctant to migrate to new systems when, despite much planning and preparation, there are so many problematic outcomes. However, there is no escape, as further patching over legacy infrastructures, alongside emerging technologies such as blockchain, artificial intelligence and machine learning, to deliver on cost reduction targets and client expectations on their digital journey will only exacerbate the propensity of the IT environment to costly failures.
Common risks to projects include external dependencies, tight deadlines or poorly defined goals, a lack of the right level of focus on legal and regulatory requirements around dataflows, and failure to break projects up into more manageable ones, not least to ensure proper implementation – particularly regarding data transfers into new systems.
What is the solution? Effective governance by senior managers, robust business continuity planning and, best of all, an emphasis on the importance of continuous investment and updating or replacing systems based on sound legal and regulatory advice paired with the right focus on implementation.
Decentralised finance and cryptocurrencies offer new opportunities for market players but have been associated with high-profile cases of fraud and money laundering. How can regulators strike the balance between innovation, protection and prudence in emerging technology?
Karen Man: When it comes to emerging technology, the US Securities and Exchange Commission recently said that the question for regulators was how to achieve their core public policy goals. Concerns around blockchain include consumer protection, financial stability and the risk of financial crime leading to market restrictions, if not outright bans. For a better balance, we need quicker and better regulatory catch-up that accommodates new technologies and facilitates business activity. We can see the positive effect of anti-money laundering controls on promoting market confidence. Regulators also need to revisit their mantras – as expressed by the UK Financial Conduct Authority: “Same risk, same regulation”.
Applying existing requirements to new technologies, without making sufficient allowance for their difference in nature, can lead to an unintentionally tougher approach as many innovative products do not easily fit into existing regulation. This needs to change. We must get past the halo effect, which sees regulators fearful that regulation may confer a form of legitimacy and a false sense of confidence with the public. Nonetheless, when it comes to decentralised finance and crypto assets, the approach of authorities in certain financial centres is one of caution, rather than balance, and this is unlikely to change in the near future.
Which other op risks should financial firms have on their radar in 2022?
Karen Man: It’s not surprising that, in current circumstances, geopolitical risk is identified as an emerging op risk for financial institutions, as of course it is for the wider economy. Both political and economic rivalry is increasing, as are disputes over sovereignty that risk impacting trade and investment. There are no easy answers to managing such uncertainties, but financial institutions must identify their vulnerabilities and assess the likely impact on their business models.
At the same time, we see sanctions being weaponised by states as instruments of policy. Businesses need to have the right systems and controls to effectively screen against sanctions lists and asset-freeze targets, as well as to identify when licences are required to permit activity otherwise prohibited. There are also obligations on firms to report known or suspected breaches of sanctions or asset freezes. Training needs to be put in place to facilitate this. Whether or not prohibited activity has taken place, firms and their management are at risk of legal and regulatory action when their procedures and processes are inadequate. We can be sure that regulators will have high expectations around compliance.
Copyright Infopro Digital Limited. All rights reserved.