So the Operational Risk Workgroup is taking on the task of recreating this list based on high-level FAIR analysis. Through this exercise, we hope to publish a revised list with supporting analysis that practitioners can use as a starting point for their own programs.
Last time we analyzed Outsourcing; see full details in Part 1 of this post. This month the group looked at Regulation (#2 on the list from Risk.net) as the initial theme.
Join the Operational Risk Workgroup and participate in the next group discussion, May 16, 2017, at 4 PM EDT
On the surface, regulatory change and scrutiny seem like a no-brainer for a top risk list. In fact, Bloomberg reports that global lenders have paid $321 billion in fines since the financial crisis, based on data collected by the Boston Consulting Group:
Source: World’s Biggest Banks Fined $321 Billion Since Financial Crisis (Bloomberg)
To further support the assertion that this belongs in the top risks list, Risk.net quotes one Senior Operational Risk Manager at a London-based bank as saying:
“Regulatory change has been a constant for a number of years, and it should be the number one risk in any organisation. With change comes elevated operational risk that needs to be appropriately managed. The challenges faced by banks, especially internationally active ones, are keeping up with the global change agenda and understanding the inter-linkage of regulatory changes across jurisdictions.”
That is a very bold statement. Is regulatory change really the top risk for every organization? How would we support this?
The workgroup dissected the likely context behind this assertion and captured those concerns as discrete factors that can be measured. Some of the underlying concerns include:
Using this as a starting point, the group established a risk statement to capture the spirit of this Regulation risk:
[Type, regulator, jurisdiction] regulatory non-compliance may result in a fine, business loss, or increased cost of compliance.
The group agreed to place an optional qualifier at the beginning of the statement for the organizations who may want to narrow the scope of the analysis to specific types of regulation, a particular regulator, or a given jurisdiction. With that in mind, the following key scoping attributes were captured:
Two fields were added to the template since the last analysis: Risk Ownership and Risk Oversight. The group agreed that capturing this information would help make a catalog of these risks more usable and searchable.
The group also discussed the following assumptions for the scenario:
With this as the basic template for the revised risk, it could be applied and measured in the context of any regulation. For example, if you wanted to analyze the risk of non-compliance with the General Data Protection Regulation (GDPR), these data points from IAPP might influence your analysis:
Using this information about GDPR, you could estimate a new range of potential penalties and how it differs from current estimates of probable loss magnitude, or how the 72-hour notification requirement might stretch current incident handling controls, increasing susceptibility. You could even extrapolate that additional audit and investigative resources in the local data protection authorities might increase the exam frequency. The workgroup didn’t get into this level of analysis, but the template is designed to be the starting point for further detailed analysis.
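To show how the three levers named above (exam frequency, susceptibility, and loss magnitude) combine into an annualized loss exposure, here is a small FAIR-style Monte Carlo simulation. It is an added illustration, not FAIR Institute or workgroup material, and every number in it is a constructed placeholder: the "baseline" and "revised" scenarios only demonstrate how raising the penalty range, the exam frequency and the susceptibility shifts the loss distribution, and are not estimates of any real regulation.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE) for a
regulatory non-compliance scenario.

Added illustration (not FAIR Institute or workgroup code). All scenario
values are constructed placeholders, not estimates for any real regulator.
Each scenario gives:
  exams_per_year : (min, most likely, max) regulatory exams / audits per year
  susceptibility : probability that an exam finds a reportable deficiency
  loss_magnitude : (min, most likely, max) loss per finding (fine, business
                   loss, remediation cost), in currency units
"""
import random


def percentile(values, p):
    """Nearest-rank percentile of an unsorted list, p in 0..1."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def simulate_year(rng, scenario):
    """One simulated year: contact frequency (exams) x susceptibility
    (finding per exam) x loss magnitude per finding."""
    lo, mode, hi = scenario["exams_per_year"]
    # random.triangular takes (low, high, mode); round to a whole number of exams
    exams = int(round(rng.triangular(lo, hi, mode)))
    total = 0.0
    m_lo, m_mode, m_hi = scenario["loss_magnitude"]
    for _ in range(exams):
        if rng.random() < scenario["susceptibility"]:
            total += rng.triangular(m_lo, m_hi, m_mode)
    return total


def estimate_ale(scenario, iterations=10000, seed=1):
    """Run the simulation and summarize the annual loss distribution.
    A fixed seed keeps results reproducible between runs."""
    rng = random.Random(seed)
    losses = [simulate_year(rng, scenario) for _ in range(iterations)]
    return {
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": max(losses),
    }


# Constructed placeholder scenarios (hypothetical values, not real estimates).
BASELINE = {
    "exams_per_year": (1, 2, 4),
    "susceptibility": 0.20,
    "loss_magnitude": (50_000.0, 250_000.0, 1_000_000.0),
}
# "Revised": wider penalty range, more exams, tighter notification controls.
REVISED = {
    "exams_per_year": (2, 3, 6),
    "susceptibility": 0.30,
    "loss_magnitude": (200_000.0, 2_000_000.0, 10_000_000.0),
}


def compare(before, after, iterations=10000, seed=1):
    """Return both summaries plus the shift in mean and 90th percentile ALE."""
    a = estimate_ale(before, iterations, seed)
    b = estimate_ale(after, iterations, seed)
    return {"before": a, "after": b,
            "mean_delta": b["mean"] - a["mean"],
            "p90_delta": b["p90"] - a["p90"]}


if __name__ == "__main__":
    result = compare(BASELINE, REVISED)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:>6}: mean={s['mean']:,.0f} p10={s['p10']:,.0f} "
              f"p50={s['p50']:,.0f} p90={s['p90']:,.0f} max={s['max']:,.0f}")
    print(f"shift: mean {result['mean_delta']:,.0f}, p90 {result['p90_delta']:,.0f}")
```

The point of the comparison is the one made in the text: a regulation can change the answer through any of the three factors, and a template that records each of them separately lets you re-run the analysis when a penalty range, exam cadence or control posture changes, rather than re-estimating a single "regulatory risk" number from scratch.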
If you found this topic interesting and would like to contribute to this project, please consider joining the FAIR Institute’s Operational Risk Workgroup. We will be continuing this exercise on the next call which is on May 16, 2017, at 4:00pm ET.