Operational risk is an ongoing challenge for every financial institution. The risk environment is constantly changing, and financial institutions that don’t keep up can expose themselves to unknown or unwanted risk—or miss emerging opportunities.
How is operational risk evolving in 2022? A recent survey conducted by Risk.net sheds light on shifting operational risk priorities, with significant differences from just a year ago.
Here are the areas of operational risk that are trending:
Russia’s invasion of Ukraine and the resulting U.S. sanctions against Russian individuals and businesses catapulted geopolitical risk to #4 on the 2022 Risk.net’s Top 10 operational risks survey—up from #9 in 2021.
These sanctions have elevated BSA/AML risk, as financial institutions must stay on top of OFAC (Office of Foreign Assets Control) sanctions and ensure BSA/AML screenings are updated and properly implemented.
Sanctions also mean greater third-party risk—number #7 on the list of operational risks—has increased due to the risk of dealing with a vendor on a sanctions list. Just last month OFAC issued a finding against an $32 billion-asset Oklahoma Bank because it failed to realize that its vendor only screened the bank’s full customer list against OFAC’s List of Specially Designated Nationals and Blocked Persons once a month instead of daily. The bank ended up processing 34 transactions for blocked persons.
Operational risks related to BSA/AML touch nearly all areas of an institution, including third-party vendor management. Financial institutions need risk management solutions that facilitate collaboration and efficiency, allowing them to connect all the pieces while assessing and strengthening controls in real time.
In assessing risk, financial institutions should ask:
In a shock to no one involved in hiring this year, talent risk made its debut as #3 on the list of operational risks. The Great Resignation, the push for competitive pay and benefits, and an overall lack of qualified talent have created a skills gap, especially for compliance departments.
Financial institutions often say their greatest strength is their people. Without those people, institutions face challenges everywhere from customer service and lending to IT and operations. It presents a real risk that the institution won’t be able to deliver products or services as promised, will miss the mark on customer service, or will fall short when it comes to cybersecurity, compliance, and other key areas.
Attracting, onboarding, and retaining talent is a challenge in today’s job market. Promoting positive corporate—one with open communication and tools that minimize busywork and inefficiencies—show employees and job candidates that your institution is a modern, forward-thinking institution. This is particularly important to Millennial and Gen Z employees, who will often search places like Glassdoor.com to check an organization’s corporate culture as part of their due diligence.
It’s also important to cross-train employees to ensure continuity in case of turnover.
To assess talent risk, financial institutions should ask:
Did you know business units made up of highly engaged employees are 21% more profitable than their peers?
Want Engaged Employees? Here are 5 Things Your Employees Need to Hear from You
IT/Cyber Risk remains the #1 operational risk in 2022—and for good reason.
Cyber risk is rising—and not just because of geopolitical risk and Russian-linked hacking. Security researchers identified a 48 percent increase in attempted cyberattacks targeting email accounts in the first six months of 2022.
The stakes for cybersecurity are higher than ever at financial institutions, with fraudsters using increasingly vicious tactics. In fact, a new report found that 63 percent of financial institutions have seen an increase in destructive attacks—17 percent more than in 2021.
The survey also notes that application program interface (API) attacks are rising. A staggering 94 percent of financial-industry security leaders have experienced an API attack through a fintech application.
As cyber threats persist, financial institutions should ask:
Financial institutions must evaluate their cyber risk, as well as report on the results. As cyber threats grow more sophisticated, regular cyber risk assessments are necessary nonnegotiable.
Related: 3 Lessons Learned from a $250,000 OFAC Fine
As financial institutions anticipate new regulatory requirements and deal with more frequent extreme weather events (such as two 1-in-1,000 year rain events in two days in Kentucky and St. Louis), climate risk—or the risk that climate-related changes pose to financial institutions—made its first appearance on the list, ranking #9. Closely related is resilience risk at #6.
Climate risk continues to demand more attention, with regulators ramping up efforts to assess potential risks to the U.S. financial system. This includes plans to prove climate-related disclosures and other sources of data and to incorporate climate-related financial risk into regulatory and supervisory practices.
Financial institutions should be asking:
The huge swing in operational risk rankings in just one year is a reminder that a once-a-year approach to assessing risk and the related control environment is not enough. Financial institutions need to be proactive when it comes to operational risk—reassessing risk when the risk environment shifts.
Related: Have You Prepared for Climate Change Risk?
Now is the time to review areas of elevated operational risk and re-evaluate your assessment methodology and control environment to ensure they still are effective.
Still using fragmented manual processes for risk management?
Find out how to simplify your approach with Nrisk.