The top 10 op risks, reloaded

Click here to read this year’s top 10 operational risks

You can plan a pretty picnic but you can’t predict the weather, as the song has it.

It’s an often-heard frustration among operational risk managers that trying to anticipate when and how large losses will occur is extremely difficult.

In recent years, the industry has been encouraged to consider esoteric risks that might previously have been assigned a low or near-zero probability as part of routine stress testing, including regulator-set exams – in other words, knowing what your exposures are and thinking about what losses would occur if there were significant changes to your operating environment (or packing an umbrella, or scoping out a nearby café, to torture the picnic metaphor in ways that Outkast’s André 3000 and Antwan never imagined).

Of course, whether firms choose to act on the outputs these exercises throw up, and update control environments accordingly – like the bank that built a stress scenario for a global pandemic two years before Covid-19 struck, before tearing it up, dismissing it as unrealistic – is another matter.

For more than a decade, Risk.net has tried to help guide op risk managers pool their collective insights as a list of shared concerns over broad categories of risk in the form of the Top 10 Op Risks.

The analysis that results is consistently the most popular piece of content Risk.net produces all year: many of the world’s largest banks spend time debating the survey as part of so-called external perspectives exercises, puzzling over the ranking of a particular category, asking whether they’re paying enough attention to it and have enough internal expertise to respond appropriately if threats are realised.

As was the case with Covid, however, Russia’s invasion of Ukraine – while not wholly unexpected – has also exposed the inherent limitations of the Top 10 as a static, point-in-time exercise. So the survey needs to evolve, too.

Later this year, we’ll be getting in touch with respondents and asking for your input. How regularly should we run the survey: a semi-annual poll, to see how broad areas of concern to managers have evolved over the course of the year? Or a free-form exercise designed to identify emerging risks? What time horizon should we be thinking along?

The outcome might be a more regular, more granular survey offering a breakdown of the hierarchy of perceived threats, and accompanying detail on how some op risk chiefs are responding. But we don’t have a fixed vision yet, so if there’s something you’d like to see, please get in touch: tom.osborn [at] risk.net