By far the biggest operational risk for business leaders is cyber risk and data security – according to a recent Riskonnect report – but better management of employees will help organisations reduce their exposure in the digital age, says our expert panel
Andrea Brody, chief marketing officer, Riskonnect
Kristen Drobnis, chief risk officer, Commonwealth Financial Network
Hung Lee, CISO, Kasasa
Terrance Phillips, head of enterprise risk management, Affinity Federal Credit Union
Joe Scarlato, chief strategy officer, Lowers Risk Group
Jean Tien, executive director, business controls department, Mizuho
What are the current top operational risks in financial services in the US?
AB: Riskonnect works with over 60 financial institutions across the US, and consistently cyber risk definitely drives the risk exposure. Improving operational risk is as much about people as it is about technology. For example, people working from home due to the pandemic has increased security exposure. Organisations are struggling, and the solution is an integrated operational approach to risk, starting back from the customer.
KD: Everyone’s now transforming to the cloud or embracing artificial intelligence. And because we’re moving at the speed of lightning, people forget about the old code. Many of the cyber issues stem from either code left behind or gaps in the old infrastructure. This is how people are getting infiltrated. Careful planning and removal are essential, and the board, management and even customers should be asking how data is being protected as the business goes through this migration.
JS: Third-party cyber risk is a big challenge. At Periculus we are looking at assessing the cyber risk exposure for small- and medium-sized enterprises and mitigating that risk through a stack of technical products, such as firewalls, antivirus software, dark-web monitoring tools, and more. Additionally, we allow businesses to transfer their risk through our insurance partners. Additionally, I feel it’s important to stress that human capital is cyber risk. An informed employee is critical when it comes to cybersecurity. Insider threat is real. Ensuring your employees are screened and monitored is the first step in protecting your business.
TP: By definition, operational risk is the risk of inadequate people, processes, systems and external threats – but top of the list is people. Over the last year, like many organisations, Affinity underwent a significant transformation and, as an 85-year-old credit union, human capital continues to be a hot button for us. Because of technology, we have been able to bolster our talent and increase our human capital, but it is a top risk.
HL: In my experience, a lot of the most mature organisations integrate operational risk and, specifically, risk management into their daily processes. For companies with lower data privacy and security hygiene, some new regulations such as the General Data Protection Regulation or the California Consumer Privacy Act might be massive disruptors to their business. More mature organisations consider the risks of new legislation coming in and have baked those privacy-by-design principles into their culture and DNA.
JT: Reputational risk is so important, and while it is broad, it is basically about brand exposure. It’s crucial to understand your operation, work out the inherent risks, and take a good look at the controls. The risk analysis for large businesses will be different to smaller organisations. Still, regardless of size you have to take a very proactive approach to reviewing the reputational risk.
How is the shift to hybrid working likely to affect operational risk?
JS: Many organisations have introduced a bring-your-own-device (BYOD) policy, and people use their smartphones or tablets to have virtual meetings and communicate with customers. Not many businesses have a mature BYOD policy for today’s environment, which is an important operational risk.
HL: Leaders must lead by example, accept this new reality, and not yearn for life in the office like it was in 2019. There are many different new threats as well as new risks associated with this new reality. Also, we are going through the ‘great resignation’ – it’s easy to ditch and switch your job. Talent attraction and retention are the most significant operational risks because you have to have the right players on the team to win when it comes to limiting risks and combating threats.
KD: This is an opportunity risk for organisations to get the right human capital. We have to plan for remote working and drive awareness and education. Cost savings can be made by not having buildings. More than that, organisations can catapult into the future and act on ESG strategies.
TP: This new environment has made us more aware of what we can do, and it’s up to the leaders to be accountable and lead a remote working team as best we can. We have moved to 100% remote, and we’re not going back. I meet up with my team in person periodically, and we will catch up over lunch. I do the same with my vendors. Having emotional intelligence is so vital now.
JT: As people are working at home, there is less separation between work and home life, between the office and the home. There is more of a bleed. Strong and caring management is critical. There is a supervision and visibility issue, but there has to be an element of trust and autonomy. As a manager, you have to focus on what the team is doing, not what they are not doing, because people are working around their home lives more now.
AB: I think leaders are discarding a rear-view mirror approach. Organisations are focusing on business resiliency and critical vulnerabilities – things like mandating the need to expand to include second-line oversight to support operational excellence. Clearly, human factor risks will have to be better monitored and assessed.
What technology and tools should financial services organisations use to limit the impact of future crises?
KD: It is now just over 20 years since the 9/11 attacks, and unfortunately, organisations haven’t necessarily learnt from that. If your technology falls over – as it did a few weeks ago with the Akamai issue – what are you going to do? You need to go back to basics.
HL: A lot of businesses don’t do enough risk assessment. I would argue that enterprise risk assessment is a daily task. Risk assessments will happen every day if you succeed at embedding risk and customer-centricity into your organisational DNA.
JS: Regulations and standards are not moving as fast as the digitisation of organisations. It’s important for the enterprise to decide how fast they want to move when assessing their risk. With continuous assessment through products – like Riskonnect and Mastercard Cyberquant – a business can evaluate the risk by domain and compartmentalise it, so that each department owns their own risk domain and then combine that into an aggregated risk view for the organisation.
TP: Again, emotional intelligence is so crucial for delivering these messages to the board. Because of our line of work, we have to deliver bad news, and there’s a skill in doing that. That’s why, in this time of uncertainty, I seek out the best talent with this skill set.
For more information please visit riskonnect.com