Are investment banks prioritising market and credit risk at the expense of key operational risks?

When it comes to investment banks, is their intense focus on market and credit risk causing them to overlook significant operational risks?

With many modern financial firms heavily reliant on digital systems, mobile apps, online portals, and technology solutions to run their operations, an operational risk failure could completely halt their entire operations.

In this blog we dive into the top operational risks facing investment banks, we explore the reasons why operational risks are often neglected, and we share how the latest GRC technology is supporting risk teams to get a holistic view of risk and implement the right controls.

Operational risks are an ever-present threat to the financial services industry, and the consequences of ignoring them can be crippling – so can investment banks afford to neglect this important risk area? After all, a great deal is at stake – and not just in terms of operational down time, but poorly managed operational risk can also result in direct financial costs, regulatory fines, and legal liability.

Core Areas of Operational Risk Management in Investment Banking

Investment banks are primarily dealing with businesses, government entities and wealthy individuals. Although this results in larger, more complex transactions, and a differing regulatory environment, many of their operational risk areas mirror the wider financial services sector. Understanding these core areas of operational risk and effectively them risks becomes a huge factor influencing their enterprise risk management journey.

In the context of financial institutions, the Basel Committee on Banking Supervision defines operational risk as “The risk of loss resulting from inadequate or failed internal business processes, systems, people, and external events”.

Unlike its counterparts ‘credit risk’ and ‘market risk’, operational risks are inherently tied to the internal processes of a business. And because operational risks stem from many sources and tend to manifest in various forms, poor operational risk management can disrupt the core of a business’s operations.

Operational risk is usually caused by four different avenues:

1. People: Intentional misconduct, inadvertent mistakes by employees, loss of staff or the lack of necessary skills and training can lead to vulnerabilities. 
2. Processes: Outdated, inefficient, or poorly documented processes and procedures can greatly affect operations. 
3. Systems: Compromised data security, cyber-attacks, system downtime, technological failures, outages, and loss of power or internet can severely disrupt operations and cause financial losses. 
4. External Events: Factors such as regulatory changes, competitor activity, staffing, and geopolitical risk are essential influences to consider as part of your ORM programme. 

Why do investment banks fail to get a grip on operational risk?

Many financial firms including investment banks often view operational risks as ‘less tangible’ than other types of risks such as credit and market risks. Because operational risks are related to people, processes, systems, and external events, they can be perceived as hard to quantify and measure. As a result, they often receive less attention from senior management and are not given the same level of resources as other types of risks – despite being an integral part of their overall risk management strategy. Many organisations also tend to view operational risk management as a “compliance requirement”. They treat this essential function as a mere box-ticking exercise rather than using it to add value. But when done well, operational risk management programmes do add value. By identifying their key risk areas and implementing the appropriate controls to reduce the risk, organisations can actively prevent risk that if left unaddressed would severely impact their operations.

What are the key operational risk areas investment banks should be addressing?

System Downtime – With most banking corporations relying on a wide variety of systems & applications to run their operations, addressing operational risks that could cause system downtime is essential. Risks relating to loss of power or internet, licence expiry and contracts should all be carefully managed.

Employee Errors or Misconduct – Operational mistakes by employees can cause a huge impact on an organisation. This risk should be carefully mitigated with controls such as staff training, retention schemes, and policies & process documentation. Areas of misconduct should also be handled appropriately.

Fraud – Insider fraud such as embezzlement or insider trading is a pervasive threat that can have devastating consequences for investment banks. Organisations can proactively mitigate fraud risks through continuous monitoring and automated controls. By setting up risk-based controls and monitoring parameters, organisations can identify potential vulnerabilities and take immediate corrective actions.

Cybersecurity Breaches – Investment banks must continuously monitor for ransomware infections, account takeovers, and phishing schemes. These threats can result in interruptions to operations, data breaches, and costly remediation. Banks need to have robust cybersecurity measures to protect customer data and financial systems.

Regulatory Non-compliance – Compliance is not just a legal requirement, it’s also a crucial aspect of operational risk management. Failing to comply with regulations can have severe consequences, both financially and reputationally for investment banks. Implementing software systems that automate compliance monitoring, reporting, and record-keeping can streamline processes and reduce the risk of non-compliance.

How can GRC technology help investment banks to automate operational risk management?

As investment banks grapple with various internal and external risk factors, cultivating a robust operational risk management programme has emerged as a linchpin for long-term sustainability and resilience!  GRC technology offers a suite of functions to support firms to automate their operational risk management processes and get a holistic view of risk.

Organisations can easily set up comprehensive online risk registers, where multiple departments can directly log risk, and risk can easily be categorised and rated using a consistent risk framework.  Risk assessments can be rolled out online via automation with all data feeding directly into the platform.

Businesses need a risk management solution that can collect and aggregate risk data from stakeholders across the entire organisation.  By utilising GRC software, risk teams can easily collect sufficient risk data from stakeholders throughout the business. Each employee has their own dashboard where they complete risk related tasks like ‘risk assessments’ and ‘control checks’. This data is captured centrally allowing risk teams to easily calculate the likelihood, severity, and impact of risk and generate risk ratings.

Transactional & operational data can be pulled into the GRC tool from other systems & data sources via API connections – enabling teams to set Key Risk Indicators (KRIs) and define risk tolerances based on real data. With the right software, the entire organisation can log risks and take ownership of risk. This makes risk management more accessible, accountable, trackable, and resolvable – providing instant visibility to leadership teams.

Auto–generated instant reports further enable an organisation to get a complete view of its risk profile and drill down into detail to address problem areas.

Implementing a robust GRC platform not only creates a risk-aware culture across the organisation, it also eliminates time-consuming and mundane admin tasks and reporting. This leaves the risk team with time to analyse risk data and introduce measures to reduce operational risk and support decision making – rather than performing admin tasks.

Operational risk: Challenges related to siloed, siloed, manual processes…

Traditionally risk management at most financial institutions continues to rely on manual spreadsheet-based processes or legacy platforms that tend to be fragmented, expensive, and inefficient. While ERM has become more widely accepted, many investment banks are still operating in silos of analytical information relying on a collection of different solutions that don’t integrate – denying senior management of a true picture of risk across the enterprise. 

Typical problems with a manual, siloed, spreadsheet, based approach include:

• Poor quality risk data due to a lack of data governance. 
• Duplication of effort and increased admin – as data often needs to be transferred between forms and various spreadsheets.
• Disjointed & siloed processes as spreadsheets don’t integrate, making it hard to get a consolidated view of risk across multiple spreadsheets & data sources.
• No standardised risk framework, making it hard to prioritise the most critical risks.
• Access issues resulting from multiple employees trying to access the same spreadsheets – often resulting in over written data. 
• Poor accountability as there is no user tracking – making it hard to know who amended what.
• Disjointed processes – making it hard to link risks to the relevant controls or associated incidents.
• A lack of automation means all risk assessments are sent and chased up manually, data is transferred manually, and there are no automated notifications and alerts to flag problems or workflows to formalise processes and manage risks through to resolution.
• Time consuming and cumbersome reporting that only gives a moment in time snapshot of events.

This approach to managing risk often causes the C-suite to focus on issues that have little impact on the bank’s strategic and future viability.

Aligning Risk Management with Strategic Planning and Enterprise Performance for enhanced oversight

Aligning risk with strategy is an essential aspect of effective risk management. Strategic planning must integrate with risk management for organisations to effectively address prospective risks and seize opportunities. By aligning these two processes, businesses will increase resilience against unanticipated events, enhance resource allocation efficiency, and ultimately improve the achievement of strategic objectives.

GRC solutions that bring ‘risk elements’ into the strategic decisions that need to be made, very quickly show the value they can generate – both in opportunity and in avoiding costly issues. An entity’s medium and long-term viability depends on its ability to anticipate and respond to change – not only to survive but also to evolve & thrive.

The Camms platform enables stakeholders from across the business to feed into the risk management process, providing comprehensive data to mitigate risks while gleaning insights to uncover process inefficiencies and potential growth opportunities.

Losses due to operational failure in investment banking are becoming more frequent – and the price of overlooking risk is often higher than actively addressing it. If improving operational risk management is a key concern for your organisation, reach out to us for a demo and discover how the latest GRC technology could streamline and automate your processes.