During the April meeting of the Operational Risk workgroup, the members continued working on a project to recast a list of top operational risks using the FAIR model. Quick recap of this effort so far - every year, you’ll find numerous lists of supposed “top risks” from various sources, but are they even risks?
So the Operational Risk Workgroup is taking on the task of recreating this list based on high-level FAIR analysis. Through this exercise, we hope to publish a revised list with supporting analysis that practitioners can use as a starting point for their own programs.
Join the Operational Risk Workgroup and participate in the next group discussion on May 16, 2017, at 4 PM EDT.
Regulation Looks Like a Top Risk But...
On the surface, regulatory change and scrutiny seem like a no-brainer for a top risk list. In fact, Bloomberg reports that global lenders have paid $321 billion in fines since the financial crisis, based on data collected by the Boston Consulting Group:
Source: World’s Biggest Banks Fined $321 Billion Since Financial Crisis (Bloomberg)
To further support the assertion that this belongs in the top risks list, Risk.net quotes one Senior Operational Risk Manager at a London-based bank as saying:
“Regulatory change has been a constant for a number of years, and it should be the number one risk in any organisation. With change comes elevated operational risk that needs to be appropriately managed. The challenges faced by banks, especially internationally active ones, is keeping up with the global change agenda and understanding the inter-linkage of regulatory changes across jurisdiction.”
That is a very bold statement. Is regulatory change really the top risk for every organization? How would we support this?
We Took a Closer Look at Regulation Risk
The workgroup dissected the likely context behind this assertion and captured those concerns as discrete factors that can be measured. Some of the underlying concerns include:
- Regulations are changing frequently and becoming more complex.
- The number of rule changes that banks must track has tripled since 2011, to an average of 200 revisions a day.
- Complex and hard-to-model threats
- The volume of rules and regulations since the financial crisis forces very quick adoption and interpretation, leaving little time to react.
- Regulators have used the stick of fines and sanctions to bring more order. There is a danger that these will become more and more punitive, such that it will be difficult for firms to recover.
Using this as a starting point, the group established a risk statement to capture the spirit of this Regulation risk:
[Type, regulator, jurisdiction] regulatory non-compliance may result in a fine, business loss, or increased cost of compliance.
The group agreed to place an optional qualifier at the beginning of the statement for the organizations who may want to narrow the scope of the analysis to specific types of regulation, a particular regulator, or a given jurisdiction. With that in mind, the following key scoping attributes were captured:
Two fields were added to the template since the last analysis: Risk Ownership and Risk Oversight. The group agreed that capturing this information would help make a catalog of these risks more usable and searchable.
The group also discussed the following assumptions for the scenario:
- Mapping frequently changing regulatory requirements to current controls is challenging
- New regulations often don’t allow enough time to interpret requirements and adopt them
- Ambiguity in the requirements (and assessor inconsistency) can make it difficult to determine compliance, which may lead to legal disputes
- Regulators will have additional resources in 2017 to audit and enforce
- Regulator may leverage a fine/penalty so large that the business can’t recover from it
- Cost of controls can become a barrier to entry into a market, or may drive a decision to exit a market
- Need to identify appropriate tolerance/appetite thresholds
Testing Our Template on the EU's GDPR
With this as the basic template for the revised risk, it could be applied and measured in the context of any regulation. For example, if you wanted to analyze the risk of non-compliance with the General Data Protection Regulation (GDPR), these data points from IAPP might influence your analysis:
- The ability to impose harsher penalties will be introduced.
- For example, fines in the UK are currently set at £500,000 maximum, though most fines that the UK data protection authority has imposed are substantially lower.
- A tiered penalty framework with fines of up to 4% of global annual turnover (or €20,000,000, whichever is higher) for more serious violations, and up to 2% (or €10,000,000) for other violations, such as failing to notify a data authority about a breach.
- Violation of the rules around consent generally subject controllers to the higher level of fines, but violations of the rules concerning age of consent are subject to the lower level of penalties.
- Companies will have to appoint a DPO (Data Privacy Officer), who is responsible for advising on and monitoring GDPR compliance, and is a point of contact for the authorities.
- There are new regulations and requirements for collecting and recording personal data and processing activities.
- Data authorities and consumers must be notified within 72 hours after the discovery of the breach.
- Local data authorities will have additional resources to investigate and audit data controllers, and processors and their sub-contractors. A new European Data Protection Board will act as a super data authority to handle disputes between authorities.
Using this information about GDPR, you could estimate a new range of potential penalties and how it differs from current estimates of probable loss magnitude. You could also consider how the 72-hour notification requirement might stretch current incident handling controls, increasing susceptibility, and you could extrapolate that additional audit and investigative resources in the local data authorities might increase the exam frequency. The workgroup didn’t get into this level of analysis, but the template is designed to be the starting point for further detailed analysis.
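To show how the template's factors combine in a FAIR-style estimate, here is an added Monte Carlo example; it is not part of the workgroup's analysis or the post. It treats regulator exams as the contact frequency, the chance an exam finds a fineable non-compliance as susceptibility, and the fine as the loss magnitude, then compares a pre-GDPR UK scenario (capped at the £500,000 maximum quoted above) with a post-GDPR scenario whose cap is the 4% / €20,000,000 tier. Every estimate range, the €2 billion turnover and the scenario names are constructed assumptions, the two scenarios use different currencies exactly as the post quotes them (no conversion is applied), and the triangular distributions stand in for the calibrated estimates a real analysis would elicit.

```python
"""FAIR-style annualized loss exposure for the regulatory non-compliance scenario.

Added illustration (not the post's own analysis). All ranges below are constructed
assumptions for demonstration; a real analysis would calibrate them.
"""
import math
import random
import statistics
from dataclasses import dataclass


def gdpr_max_fine(global_turnover_eur: float, tier: str) -> float:
    """Statutory ceilings as quoted in the post: higher tier is 4% of global annual
    turnover or EUR 20,000,000, whichever is higher; lower tier is 2% or EUR 10,000,000."""
    if tier == "higher":
        return max(0.04 * global_turnover_eur, 20_000_000.0)
    if tier == "lower":
        return max(0.02 * global_turnover_eur, 10_000_000.0)
    raise ValueError(f"unknown tier: {tier}")


@dataclass(frozen=True)
class Estimate:
    """Min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    exam_frequency: Estimate   # regulator exams/audits per year (FAIR contact frequency)
    susceptibility: Estimate   # probability an exam finds a fineable non-compliance (0..1)
    fine_magnitude: Estimate   # loss per fined event, in the scenario's own currency
    fine_cap: float            # statutory maximum; sampled fines are clipped to it


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; fine for the small yearly event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 20_000, seed: int = 2017) -> dict:
    """Simulate `years` independent years and summarize annualized loss."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        # Loss event frequency = contact frequency x probability of action/susceptibility
        lef = scenario.exam_frequency.sample(rng) * scenario.susceptibility.sample(rng)
        events = poisson(rng, lef)
        loss = sum(min(scenario.fine_magnitude.sample(rng), scenario.fine_cap)
                   for _ in range(events))
        annual.append(loss)
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {"scenario": scenario.name, "mean": statistics.fmean(annual),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "max": annual[-1]}


# Constructed scenario: UK data protection fines before GDPR, GBP, GBP 500,000 cap from the post.
PRE_GDPR_UK = Scenario(
    name="pre-GDPR UK (GBP)",
    exam_frequency=Estimate(0.5, 1.0, 2.0),
    susceptibility=Estimate(0.05, 0.15, 0.30),
    fine_magnitude=Estimate(50_000, 150_000, 500_000),
    fine_cap=500_000.0,
)

# Constructed scenario: same firm under GDPR, EUR, assumed EUR 2 billion global turnover.
# Higher exam frequency (more regulator resources) and susceptibility (72-hour notification).
ASSUMED_TURNOVER_EUR = 2_000_000_000.0
POST_GDPR = Scenario(
    name="post-GDPR (EUR)",
    exam_frequency=Estimate(1.0, 2.0, 4.0),
    susceptibility=Estimate(0.10, 0.25, 0.50),
    fine_magnitude=Estimate(200_000, 2_000_000, 40_000_000),
    fine_cap=gdpr_max_fine(ASSUMED_TURNOVER_EUR, "higher"),
)


def compare() -> tuple:
    """Run both scenarios so the shift in loss exposure can be read side by side."""
    return simulate(PRE_GDPR_UK), simulate(POST_GDPR)


if __name__ == "__main__":
    for result in compare():
        print(result)
```

The point of the comparison is not the specific numbers, which come from made-up ranges, but which factor moves them: raising the fine cap changes the tail (p90 and max) far more than the median, while the frequency and susceptibility assumptions drive how often a loss year occurs at all.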
If you found this topic interesting and would like to contribute to this project, please consider joining the FAIR Institute’s Operational Risk Workgroup. We will be continuing this exercise on the next call which is on May 16, 2017, at 4:00pm ET.