Published December 10, 2019 • By Thea Garcia

Operational risk in banking is the risk of loss that stems from inadequate or failed internal systems, internal controls, procedures, or policies due to employee errors, breaches, fraud, or any external event that disrupts a financial institution’s processes.

Operational risk, which includes cybersecurity risk, is one of the most critical risks that financial institutions have to manage and evaluate. In the years since the global financial crisis, the financial services sector has become ever more aware of the need to manage operational risk. 

Although financial institutions have established advanced systems to control financial risk, including credit risk, liquidity risk, and market risk, they haven’t been able to deal with operational risk effectively.

The top operational risks in banking include:

  • Cybersecurity risks: Even as financial institutions ramp up their cybersecurity efforts, cyber risks, including ransomware and phishing, have become more frequent and more effective, posing a major risk to financial institutions. 
  • Third-party risk: Increasingly, financial institutions are relying on third-party providers, which means they have to thoroughly identify, evaluate, and control third-party risks throughout the lifecycle of their relationships with those companies. However, financial institutions also have to identify and evaluate the risks associated with the vendors, suppliers, and contractors that their third-party vendors use. 
  • Internal fraud: Losses from fraud inside a financial institution can stem from misappropriation of assets, forgery, tax non-compliance, bribes, and theft.
  • External fraud: Fraud committed by third parties includes check fraud, theft, hacking, breaching system security, and data theft.
  • Business disruption and systems failures: Hardware or software system failures, power failures, and disruption in telecommunications can interrupt the financial institution’s business operations and cause financial loss.

Other operational risk events could also harm a financial institution and potentially lead to legal problems. These include missed deadlines, accounting and/or data entry errors, vendor disagreements, inaccurate client records, and loss of client assets through negligence.

Losses from operational risks can be financially devastating to a financial institution. Additionally, losses from operational risks can negatively affect the financial institution’s overall business and reputation.

Consequently, as the environment surrounding the financial services industry becomes increasingly complex, financial institutions have to adjust their risk management systems and procedures. 

Operational risk management, which entails incorporating operational risk management practices into a financial institution’s systems, processes, and culture, should be at the center of a financial institution’s operations. Operational risk management is an ongoing process that involves risk assessment, risk decision making, and adopting internal controls to help financial institutions mitigate or avoid risk.

Many financial institutions have implemented operational risk management methods, including deploying internal controls, to help them manage behavioral risk, cyber risk, credit risk, compliance risk, regulatory risk, and third-party risk.  

To build an effective operational risk management program, reduce operational risk in banking, and improve its information security a financial institution should evaluate its risk profile and create a database of potential operational risk events. 

The financial institution should then develop key risk indicators that can alert leadership to potential issues. The financial institution’s leadership then uses these key operational risk indicators to identify and categorize the operational risks. After doing that, the financial institution can decide how to mitigate these risks.

To ensure that its operational risk management program is effective, a financial institution has to train its employees to prepare for what could go wrong. That is especially true when one of the financial institution’s business units is about to do something new, such as change a customer interface, roll out a new product or service, or outsource its business processes. 

It’s also important to note that operational risk and cybersecurity are linked because of the extensive effects of a data breach on a financial institution. As such, if a financial institution combines cybersecurity best practices with operational risk modeling objectives, it will be able to develop a better plan to prevent, mitigate, and remedy operational risk.