Top 10 op risks 2022: geopolitical risk takes centre stage
Ukraine invasion, western sanctions and Russian response seen driving big rise in cyber and supply chain risks
Below is a preview of this year’s top 10 operational risks survey. For the full results and analysis, click here.
The chief risk officer at a large European asset manager sums up the impact of Russia’s devastating war in Ukraine on his firm’s operational risk profile succinctly: “We have war in Europe. Not just small blips: things that move our business entirely.”
And although the votes in Risk.net’s annual Top 10 operational risks survey were cast in the advent – within a climate of deteriorating relations and Russian troops massing on Ukraine’s borders – the war and its aftermath cast a horrible shadow over this year’s results.
As banks brace for an escalation in hacking attempts from Russia-linked groups, op risk managers have never been more aware of the hazards posed to their institutional infrastructure by malevolent actors. The head of cyber risk at a European bank says he also fears IT disruption from extreme cyber attacks or outages beyond his control.
Small wonder, then, that IT disruption tops this year’s poll again – a phenomenon that has never been far from top of mind, with the heads of the largest US banks in May voicing their fears to Congress. Last year also marked the first anniversary of the Russian hack of SolarWinds, which is thought to have compromised US government servers as well as banks and other financial institutions.
Theft and fraud jumps several places this year, to second – perhaps owing as much to the bulk of last year’s largest op risk losses emanating from mega frauds as a nod to the current state of roiling markets, and their propensity to drive episodes of internal fraud. Meanwhile, the FBI has warned of a rise in ransomware attacks emanating from Russian state-sponsored cyber criminals targeting US infrastructure.
At third, a curveball. Talent risk has appeared on the radar for operational risk managers, landing at an unwelcome all-time high. The risk is twofold: with pay and bonuses jumping last year amid record results for banks, attracting and retaining the best staff in their field has been an unprecedented challenge, say firms of all stripes.
Perhaps more worryingly, firms say there simply aren’t enough skilled employees to fill open vacancies in certain critical functions. There is a real danger that a “skills shortage leads to weak oversight of business operations, [particularly in] risk compliance personnel”, says a senior op risk manager.
Fourth position goes to geopolitical risk – unsurprisingly up several places this year. The headline risk of a rise in state-sponsored cyber attacks in response to sanctions is “a probability”, says one head of cyber risk. However, the impact of global instability has far wider potential ramifications for his bank’s threat profile, the exec adds: “I would not take just this one instance to mix the two fully – geopolitical risk has [a] cyber element, but also supply chain and resilience elements too.”
Information security ranked fifth this year, with the US Federal Reserve Board warning in October 2021 that looming changes in technology would produce new ways for information to be stolen from financial companies. Arthur Lindo, deputy director for policy in the board’s supervision and regulation division, described the rapid growth of high-speed, internet-enabled mobile devices as an emerging source of risk for banks, providing cyber criminals with ever more options for ingress.
Sixth place goes to resilience risk – the ability to maintain critical services or operations during periods of disruption. Expectations have been formalised by UK regulators’ resilience principles – set to come into effect at the end of March 2022 – and given a real-world test in the form of the Covid-19 pandemic, plus the very real threat of outages hitting payment networks and other key pieces of global infrastructure in the aftermath of the invasion of Ukraine.
Third-party risk – threats originating in external providers, supply chains and outsourcing networks – appears this year at seventh place, with banks and fund managers increasingly relying on third parties to leverage economies of scale and gain access to specialist expertise and advanced technologies that support innovative services.
Eighth place goes to conduct risk – a malign, persistent presence in the top 10, although for now relegated to the lower half of the leader board. But op risk managers warily eyeing the global economy’s slow recovery from Covid and the war in Ukraine know times of great economic disruption and physical upheaval are breeding grounds for misconduct – ones that invariably take time to come to light, before the perpetrators can be brought to book.
Climate risk, appearing for the first time in a top 10 operational risk ranking, takes ninth place this year, with firms seemingly as wary of the propensity for regulatory missteps as of the immediate threat of physical or transition risks, amid a glut of supervisory activity on the issue, including stress tests, verbal warnings and methodological recommendations.
Finally, at 10th, is regulatory risk – the risk of noncompliance with supervisory regimes, and the various penalties that such rule-breaking can prompt. This year, sources complained of trouble with model risk management – involving, for instance, models used in anti-money laundering activities – as consumer behavioural changes generated data that such models struggled to interpret.
Copyright Infopro Digital Limited. All rights reserved.