Operational risk in the banking system is not a new concept. Only recently, however, has it been elevated to a distinct risk category that can shape the risk profiles of financial institutions. This elevation is mainly due to the Basel Committee on Banking Supervision (BCBS).
In one of its papers, the BCBS defines operational risks for banks as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or external events.”
Since the global financial crisis in 2008, financial institutions have established advanced systems to control financial risk. Alas, they haven’t been able to deal with operational risk as effectively. One reason is that operational risk is more complex, involves many risk types, and is not always easy to measure. Another is that active risk management requires advanced visibility into diverse processes and activities across the organization.
Banks and other financial institutions must evaluate and manage operational risk through various tools and mitigation strategies.
Operational Risks vs. Strategic Risks
In banking, as in other industries, operational risk is often confused with strategic risk. The two concepts are distinct and should be managed as such.
Strategic risks arise when an initial business strategy fails to deliver the expected objectives, affecting the financial organization’s progress and development. Such risks can arise from a technological change, the entry of a new competitor, or changes in consumer demand.
The different types of operational risk, on the other hand, arise from failed internal procedures, employee errors, breaches, fraud, or external events that disrupt operations.
Top Operational Risks in Banking and Financial Services
New business models, complex value chains, regulatory challenges, and increasing digitization have created unknown operational risks for banks in recent years. These include:
Cybersecurity Risk
Even as financial institutions ramp up their cybersecurity efforts, cyber risks, including ransomware and phishing, have become more frequent and more impactful, affecting institutions’ operational continuity.
This is especially true in the post-pandemic world where threat actors leverage security weaknesses in firms’ IT infrastructure to perpetrate serious (and profitable) cyberattacks.
Third-Party Risk
Financial institutions are increasingly relying on third-party providers, which means they must identify, evaluate, and control third-party risks throughout the lifecycle of their relationships with those companies.
With increasing digitization and hyper-connectivity, however, banks must also worry about the fourth parties that do business with their third parties; those risks must also be identified, evaluated, and managed.
Internal Fraud and External Fraud
According to one survey, almost 40 percent of mid-sized and large digital financial services organizations experienced an increase in fraud in 2020. Operational risk losses from internal scams can stem from asset misappropriation, forgery, tax non-compliance, bribes, or theft.
Fraud committed by external parties includes check fraud, theft, hacking, system breaches, money laundering, and data theft. The risk of both internal and external fraud arises from diverse factors, including the massive growth in transaction volumes, the availability of sophisticated fraud tools, and the security gaps created by increasing digitization and automation.
Business Disruptions and Systems Failures
Hardware or software system failures, power failures, and disruption in telecommunications can interrupt any financial organization’s business operations and lead to financial loss.
In addition to the operational risks identified above, other risk or loss events could harm financial companies, increase reputational risk, or lead to legal problems. These include:
- Missed deadlines;
- Accounting or data entry errors;
- Vendor disagreements;
- Inaccurate client records;
- Loss of client assets through negligence;
- Operational losses.
Losses from operational risks can devastate a financial firm. They can also harm its business continuity, reputation, and compliance position.
As the financial services landscape becomes increasingly complex, banks and other financial companies must control operational risk by adjusting their risk management strategies, systems, and procedures.