Top Operational “Risks” for 2017?  –  Part 1

During the March meeting of the Operational Risk Workgroup, the members took on a project to recast a list of top operational risks using the FAIR risk model.  Every year, you’ll find numerous lists of supposed “top risks” from analysts, surveys, professional organizations, etc. with something in common: They don’t actually provide true risks.

Take for example this list from Risk.net of Top 10 operational risks for 2017:

  1. Cyber risk and data security
  2. Regulation
  3. Outsourcing
  4. Geopolitical risk
  5. Conduct risk
  6. Organizational change
  7. IT failure
  8. AML, CTF and sanctions compliance
  9. Fraud
  10. Physical attack

None of these would pass even the loosest definition of a risk.  They’re a mix of management concerns, threats, broad categories, and activities.  With each, there is an implied risk context that is never fully articulated, and is often left to each reader to interpret for themselves.  Sadly, this list is compiled from risk practitioners who are likely using the same flawed “top risks” lists in their own organizations.  If these lists are being used to communicate risk focus areas to senior management and to prioritize resources towards risk management efforts, then we have a serious problem.

So the Operational Risk Workgroup is taking on the task of recreating this list based on high-level FAIR analysis that can stand up to credible challenge, and better communicate the potential exposure that is implied by the original list.  Through this exercise, we hope to publish a revised list with supporting analysis for practitioners to use as a starting point for their own programs.

To kick off this effort, we started by analyzing #3 Outsourcing.  If you read the description in the Risk.net article, they reference several concerns:

  • Message from regulators that firms must improve oversight of third-party risk management, or else face punitive sanctions
  • The size of the penalty, combined with the undesirable publicity
  • GDPR compliance will represent a significant burden; firms will need to know exactly where their customer data is held at all times, and be able to present this data on demand
  • Where you spend the most money isn’t necessarily reflective of your risk profile
  • Subcontractors and 4th party relationships
  • Reputational damage, service delivery, quality, continuity of service, big disruption to services, etc.

And one event:

  • Aviva was hit with an £8.2 million fine from the UK FCA for failure to ensure adequate controls and oversight of outsourced client money handling arrangements

Using this as a starting point, the group first framed a risk statement to capture the spirit of this Outsourcing risk:

"Regulator may find that third-party oversight controls are deficient resulting in large fines from regulators (primary loss) and negative publicity (secondary loss)"

Recognizing that this is only one variation of the broad category of outsourcing exposure, we decided to analyze this scenario as an abstraction of the Aviva event.  One of the primary assumptions of this scenario is that the deficient third-party outsourcing controls may not meet regulatory expectations, but that the organization isn’t experiencing any other loss/impact.  This is an important distinction, because the group quickly realized that looking at the risk of operational loss due to an actual third-party failure is an entirely different scenario.  For now, the scenario is simply scoped as the regulator finding non-compliance and the resulting penalties. 

With that in mind, the following key scoping attributes were captured:

Asset at Risk

  • Business process being outsourced / regulated business unit

Forms of Loss (Primary)

  • Response
  • Fines & Judgments

Forms of Loss (Secondary)

  • Response
  • Competitive Advantage / Reputation

Threat

  • Regulator

Motivation

  • TBD

Impact Area

  • Compliance or Governance

Key Controls

  • TBD

The group also discussed the following assumptions for the scenario:

  • We don’t know whether the company knowingly didn’t provide adequate oversight, or accepted this risk and chose not to oversee the service provider
  • Is this a repeat occurrence or a recurring theme, versus a first occurrence? This affects the loss estimate
  • Leading up to this scenario, there could be an internal audit finding
  • Reputational loss may depend on whether the fine/sanction is public
  • We are focusing on the compliance aspect, but there is also an operational-impact variation that would be another scenario
  • Cooperation with the regulator, and how we handle the response, will affect the size of the fine

Now we have a template for a tangible risk that could be analyzed in the context of a particular organization, its outsourced business process, and a specific regulator.  This of course leaves other scenarios and risk themes to distinguish and scope before we have full coverage for the category of outsourcing.
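To show what the scoped template buys you once it is filled in, here is an added Monte Carlo sketch that encodes the scenario above in FAIR terms (threat, asset, loss event frequency, primary and secondary loss forms) and turns it into an annualized loss exposure. This is illustration code written for this page, not the workgroup's analysis or any FAIR Institute tooling. Every frequency and magnitude range in it is a constructed placeholder for a hypothetical firm; the only figure taken from the post is the £8.2 million Aviva fine, used as the "most likely" value for Fines & Judgments. The `private_finding_variant` helper is likewise an assumption, added to test the fourth assumption in the list (reputational loss depends on whether the sanction is public).

```python
"""Monte Carlo sketch of the scoped outsourcing-oversight scenario in FAIR terms.

Added illustration, not part of the original post or the workgroup's analysis.
Every range below is a constructed placeholder for a hypothetical firm; the
only figure taken from the post is the GBP 8.2m Aviva fine, used as the
"most likely" value for Fines & Judgments.
"""
import math
import random
from dataclasses import dataclass, field, replace
from statistics import mean, quantiles


@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:      # degenerate range: a fixed value
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class FairScenario:
    """The scoping attributes from the post, plus the estimates FAIR needs."""
    name: str
    asset: str
    threat: str
    lef: Range                                     # loss event frequency, events per year
    primary: dict = field(default_factory=dict)    # primary loss form -> GBP per event
    secondary_prob: Range = Range(0.0, 0.0, 0.0)   # chance a finding also becomes public
    secondary: dict = field(default_factory=dict)  # secondary loss form -> GBP per event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of events in one year at rate lam (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: FairScenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Simulate `trials` years and return annualised loss exposure statistics (GBP)."""
    rng = random.Random(seed)
    primary_years, secondary_years, total_years = [], [], []
    for _ in range(trials):
        primary = secondary = 0.0
        for _ in range(poisson(rng, scenario.lef.sample(rng))):
            primary += sum(r.sample(rng) for r in scenario.primary.values())
            # Secondary loss only materialises if the finding becomes public.
            if rng.random() < scenario.secondary_prob.sample(rng):
                secondary += sum(r.sample(rng) for r in scenario.secondary.values())
        primary_years.append(primary)
        secondary_years.append(secondary)
        total_years.append(primary + secondary)
    deciles = quantiles(total_years, n=10)
    return {
        "primary_ale": mean(primary_years),
        "secondary_ale": mean(secondary_years),
        "total_ale": mean(total_years),
        "p50": deciles[4],
        "p90": deciles[8],
        "max": max(total_years),
    }


# Constructed estimates for a hypothetical firm (only the fine mode comes from the post).
OUTSOURCING_OVERSIGHT = FairScenario(
    name="Regulator finds third-party oversight controls deficient",
    asset="Outsourced business process / regulated business unit",
    threat="Regulator",
    lef=Range(0.02, 0.10, 0.30),   # constructed: one finding every 3 to 50 years
    primary={
        "Response": Range(200_000, 750_000, 2_000_000),               # constructed
        "Fines & Judgments": Range(1_000_000, 8_200_000, 25_000_000),  # mode from the post
    },
    secondary_prob=Range(0.3, 0.6, 0.9),   # constructed: chance the sanction is public
    secondary={
        "Response": Range(100_000, 500_000, 1_500_000),                               # constructed
        "Competitive Advantage / Reputation": Range(500_000, 3_000_000, 15_000_000),  # constructed
    },
)


def private_finding_variant(scenario: FairScenario) -> FairScenario:
    """Same scenario, but the sanction is never made public (hypothetical variant)."""
    return replace(scenario, secondary_prob=Range(0.0, 0.0, 0.0))


if __name__ == "__main__":
    for label, s in [("public", OUTSOURCING_OVERSIGHT),
                     ("private", private_finding_variant(OUTSOURCING_OVERSIGHT))]:
        r = simulate(s)
        print(f"{label:8s} ALE total={r['total_ale']:,.0f} "
              f"primary={r['primary_ale']:,.0f} secondary={r['secondary_ale']:,.0f} "
              f"p50={r['p50']:,.0f} p90={r['p90']:,.0f}")
```

Two things the numbers make visible that the scoping list alone does not: the median year loses nothing (most years the regulator finds nothing), so the exposure lives in the mean and the tail rather than in a "typical" year; and switching the finding from public to private zeroes the secondary loss forms without touching the primary ones, which is exactly the distinction the group drew between the compliance scenario and a separate operational-impact scenario.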

If you found this topic interesting and would like to contribute to this project, please consider joining the FAIR Institute’s Operational Risk Workgroup.  We will be continuing this exercise on our next call, April 11, 2017 at 4:00 PM EDT.
