Financial services have benefited from concurrent developments in technology, process innovation and regulation. However, these new ways of managing wealth have also raised awareness of increased operational risks to both customers and industry players.
As a practice, operational risk management is relatively young, having only evolved through a series of papers published by the Basel Committee on Banking Supervision (BCBS).
What is operational risk?
Defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external risks, operational risk remains complex and itself contains diverse risk types. The most notable of these are compliance, financial crime, cyber risk and IT risk.
According to McKinsey, data availability and the potential applications of analytics have created an opportunity to transform operational-risk detection, moving from qualitative, manual controls to data-driven, real-time monitoring.
The dark elements that follow digitization
The COVID-19 pandemic of 2020 may have accelerated the digitisation of financial processes, but it also attracted even greater attention from cybercriminals.
The July 2020 issue of the World Bank’s Financial Sector’s Cybersecurity: a Regulatory Digest noted that responding to cyber incidents goes beyond an engineering problem and that any business continuity decision cannot be delegated to IT specialists.
The only slightly good news is that the report acknowledged that while financial institutions face a larger number of cyberattacks compared to other industries, the average costs are lower because of the higher investments in IT security.
Still, FutureCIO spoke to Kumar Ritesh, chairman and CEO of Cyfirma, to discuss among other things the operational risks of cyber threats to Asia’s financial sector.
Ritesh acknowledged that while financial institutions are introducing new measures to counter the growing cyberthreat, some efforts centre around retrofitting security into already existing systems – “which is always very difficult to do when you haven’t actually embraced security from day one.”
In defence of the industry, the new threat vectors present today are themselves riding on the same technology innovations introduced only in recent years. Hence it can be argued that financial institutions’ familiarity with the potential threats is limited to what is known at the time.
Securing the core is futile - focus on the edge
He suggested that security should be viewed differently in 2021. Rather than focusing on securing the core, organisations need to look at securing the edge. Why edge?
For security professionals, the traditional perimeter no longer exists – made irrelevant by the adoption of cloud computing, mobility and the Internet of Things (IoT). The borderless connectivity that flowed from these technologies has expanded the attack surface available to cybercriminals.
Ritesh warned that the traditional measurements of success against cyberthreats – number of frauds detected, security alerts issued, incidents managed, discrepancies identified – are not sufficient.
Referring to this approach as event-driven, he suggested adopting an intelligence-driven approach that uses trends and insights and applies corrective actions to cyber strategy, policies and procedures, as well as to people and security controls.
Privacy will become a key issue in 2021 with new regulations coming. But Ritesh is of the opinion that privacy is not just centred around protecting the identity of customers. He opined that it will be about data privacy – how institutions manage and anonymise this data.
Click on the podcast player for the full details of the dialogue including:
- What is the state of the operational risk exposures for financial services industries in Asia?
- Looking at operational risks in 2021, what should be, or will be, top of mind for both the security and compliance heads working within Asia's financial institutions?
- What does the next generation of operational risk management for FSIs look like?
- What must heads of security and CIOs include as KPIs so that they can better manage these operational risks in 2021?
- How can CIOs and CISOs sell these new approaches to the C-suite?
- What can financial institutions expect in 2021 to help them better manage operational risks?