Op Risk Benchmarking: Inside the G-Sibs

New initiative scrutinises op risk measurement and management practices at the world’s largest banks


“I often reflect on the fact that RiskMetrics was released in 1992,” says the head of operational risk at a large European bank, referring to the analytics suite JP Morgan published in an attempt to create a standard for market risk. “Thirty years later, despite some good advances in the way we think about operational risk, we still don’t have anything approaching that.”

Op Risk Benchmarking doesn’t aspire to that kind of status. What it does seek to provide are answers to an array of questions that bedevil senior op risk managers: how many people do my peers have in their second-line teams for a particular risk? Do other banks set key risk indicators or controls for hard-to-measure risks? How do they model those risks? How often is it acceptable to breach risk appetite and modelled risk tolerances? Are risk reports creating the ‘right’ kind of actions?

Highlights from each of the five benchmarked risks can be found below. The full article for each risk can be found here.

Cyber risk: IT disruption


Perhaps the starkest finding in Risk.net’s research on how banks manage and measure cyber risk is the most obvious one: the wide disparity in the size of the teams assigned to the job.

Many put that down to the long-standing divide within banks over who ultimately owns and manages cyber risk; others see it as a function of maturity. One bank acknowledges its team’s large size is an outlier, adding it knows of a bank that has a second-line cyber team of just two people – but argues this is a function of the trust managers feel able to put in the first line.

But the resulting divide feeds into other key aspects of banks’ frameworks: whether to implement preventive controls, or corrective ones; whether to model cyber, and what approach to take; and who the risks should be reported to, and in what form.


The project has its origins in Risk.net’s annual Top 10 Op Risks report, which many firms have long used as a form of soft benchmarking, as part of qualitative reporting to boards and business units, and as a means of keeping key stakeholders apprised of what their peers are doing.

After a concerted push, 55 organisations participated in this year’s Top 10 – enough to split the responses into four cohorts, and create separate top five risks for each. Global systemically important banks made up the largest group of respondents at 20 (representing two-thirds of the global population of G-Sibs). The other three cohorts are non-G-Sib banks, asset managers and insurers, and financial market infrastructures.

Execution & process errors


One risk manager calls this “bread and butter” op risk – simple errors that can produce outsized losses – and that is reflected in the list of banks’ top controls, where basic checks are prominent. Yet almost half of participants are currently reviewing their control libraries, with some yet to move towards a central repository of all controls. Only a handful currently benchmark their efforts.

It is also one of only two risks in the top five where banks acknowledge they're currently light on headcount: almost half plan to hire more bodies in the coming 12 months. This may be a function of the post-pandemic overhang, where vacancies went unfilled, senior managers retired, and certain roles were ‘juniorised’, leading to reports of a higher number of routine errors.


In another first, the Top 10 survey also included a handful of brief follow-up questions, asking firms whether risks had risen or receded in the previous 12 months, whether they expected that trend to continue, and whether their loss exposure had increased or decreased over the same period. These were used to create Likert scales, giving a useful forward-looking indicator for each risk.

But our ambition went beyond rough gauges of perceived risk – and it was clear subscribers’ ambitions did too. Over the course of dozens of hours of interviews, Risk.net discussed the exercise with more than 30 financial firms, first to define the topics where benchmarking would be useful, then to set and focus the questions.

Regulatory and compliance risk


The biggest banks have been clobbered by fines and settlements over the past decade. It has not yet produced a standard approach to managing the risk, but there are emerging points of agreement: on how to use scenarios, and who should review them; on the destination of risk reports; and (among those who model this risk) on which approach to use and what to do with the results.

Key risk indicators are another topic where there is some consensus. The biggest shared concern is about delays and bottlenecks of various kinds – in compliance training, in audit extensions, in alert processing. The argument is presumably that these delays create uncharted space on a map of risk, where monsters could lurk.


The result was nine clusters of questions, seven covering different aspects of op risk management frameworks, and two focusing on quantification practices. These were: risk appetite setting, including methodologies and appetite breaches; organisational structure, including lines of defence and staffing; key risk indicators; risk controls and control benchmarking; risk reporting; technology, including preferred vendors for each risk; regulation; risk modelling; and scenario analysis.

These nine clusters of questions have been combined with the top five risks chosen by each peer group, creating a unique sweep of measurement and management practices across each cohort’s most pressing concerns.

Firms were free to participate in as many or as few sections as they wished. Some chose to answer every cluster of questions, for all risks; some focused on the two risk quantification sections; others took a risk-by-risk approach, eschewing those they manage separately, particularly regulatory compliance and geopolitical risk. The sample count is therefore shown for each figure in each of the five reports the research produced.

Geopolitical risk


It’s hard to be rigorous about a risk that is often tied to decisions made by powerful people in private, or vast crowds at the ballot box. Public speeches can deceive, polling can mislead. So risk managers often end up picking up the pieces.

Our benchmarking results show that few G-Sibs apply the standard items of risk management furniture to their geopolitical exposure: only one has a dedicated team within the risk function, key risk indicators are missing, and half do not try to model their exposure.

Scenarios are widely used, but with a wide range of participants involved in the review process: the closest thing to a pattern is for senior management, business lines and in-business risk teams to play a part.


Eleven G-Sibs took part in this first instalment of the exercise, with responses gathered during April and May 2023, yielding more than 1,500 data points. The respondents are roughly one-third Asia-Pacific banks, one-third European, one-third US. Answers were cleaned and aggregated, and used to build up a picture of current practice for each of the top five risks selected by G-Sibs. Follow-up interviews offered insight and supplementary analysis.

Five reports have been produced, one for each of the top five risks: cyber risk in the form of IT disruption, which was the top concern for G-Sibs, and of information security, which ranked fifth; execution and process errors; regulatory compliance risk; and geopolitical risk.

The full datasets are available to participants in the exercise. Subscribers have access to selected highlights and commentary – a fairly detailed snapshot. In the months ahead, we will produce reports on the data collected from each of the other cohorts about how they manage the five risks selected by their own peer group.

Risk.net hopes the information will be helpful to a discipline that has grown up rapidly in the past two decades, but often lacks clear standards and best practices. As the head of op risk notes: “This is a discipline where we still need all the external data we can get our hands on.”

If you want to see the full datasets, you’ll need to take part in the next benchmarking round. Message us for details: ORMBenchmarking@risk.net

Cyber risk: Information security


The rise of decentralised hacking networks, the war in Ukraine, stiffer penalties for misuse or misappropriation of customer data – it’s a tough gig being an information security officer at a big bank these days.

Ironically, perhaps the major difference between banks’ management of infosec and of disruptive cyber attacks is the amount of data risk managers have to work with – a result of the higher number of successful hacks. This enables more sophisticated modelling techniques to proliferate, with more G-Sibs using regression analyses and loss-distribution approaches for infosec than for IT disruption.

And while many banks favour the same governance, risk and compliance vendor to aid in their management of either aspect, others don’t, preferring to rely on in-house tech.

