Will IT Disruption be your #1 Operational Risk in 2020?


March, 2020

There are many risks to business operations, and we are currently deep in the fallout of Covid-19 geopolitical risk. The Covid-19 outbreak highlights just how quickly things can change. When surveys were conducted in January ranking the top operational risks for 2020, the outbreak drew scarcely a mention, with only some respondents based in the Asia-Pacific region flagging it as a minor concern.

Disease outbreaks are a detached operational risk, compelling governments to respond with varying isolation measures and restrictions on travel. These all cause major disruption with international companies’ ability to maintain business continuity. Such virus outbreaks are considered a geopolitical risk. With the virus already causing a global economic slowdown & stock markets declining nearly 30%, Covid-19 marks the fastest onset of a bear market in history. This will spark the possibilities for wider operational risks. As the challenges of large-scale remote working continues, organisations will need to review business continuity plans.

Aside from this most recent form of geopolitical risk, the other pressing categories of risk concern, as reported by chief risk officers, heads of operational risk including banks, insurers, asset managers and infrastructure providers for the year ahead, are as follows:

Such surveys provide an industrywide attempt to communicate and share worries regarding the broader risk concerns in the industry. It is interesting to note that I.T. Disruption is the #1 perceived risk area, and that traditional Regulatory and Conduct risks are placed towards the bottom. When customers are unable to access their accounts because of a cyber attack or critical I.T. failure, the consequences are clear, not only for the company’s profitability but also their reputation, often with long lasting effects.

There are two major risk concerns to I.T. systems and operations today. Firstly, the threat from cyber criminals or even nation states penetrating a bank’s defenses. The most prominent being the escalation of targeted ransomware attacks. Attempts only need be successful once to cause major problems. Secondly, banks are continually replacing or patching ageing I.T. systems to remain compliant. If not managed  
effectively, they can be exposed to cyber attacks or lengthy outages.

Faced with the increasing number of cyber attacks, regulators are contemplating if financial companies should divulge information on cyber incidents. Traditionally banks are reluctant to divulge information regarding cyber threats, concerned that information could be used to target other companies. Cyber attacks & cyber warfare can be prone to overspill. Exploits & Cyber weapons currently spread rapidly. The continual frequency of new and ever sophisticated attacks leave regulators fearing a major attack could escalate to the level of a systemic liquidity crisis.

Both concerns also lead into resilience risk. This considers the consequences of an outage or failure in the context of changing regulatory expectations; exploring how and when a company can return to operations, and the role it plays within the financial system as a whole. The recent Travelex ransomware attack highlights just these fears. The company’s systems were shut down for six weeks while they tried to restore operations. Given the interconnectedness of financial institutions, the disruption to business was widespread. Banks across the globe rely on Travelex for their currency exchange transactions and were unable to make exchanges for customers while Travelex was offline. Travelex quickly enacted a business continuity and disaster recovery plan – something all organisations should have in place for situations like this. After quarantining the virus, Travelex continued to conduct business at its 1,200 locations worldwide, using pencil, paper, and calculators to tally transactions, tracking currency exchange rates by phone.

The past decade of regulatory reforms, shaped by the financial crisis and various misconduct issues, has seen financial regulations change significantly. Technological change and social concerns are rising on regulators’ agendas. Against a rapidly changing economic background there will be increasing focus on companies’ financial and operational resilience, how they adapt to technological change and innovation, and how they plan and respond to cyber events. After all, nobody wants to become the next Travelex.

Please download Intuition Perspective App from app store

Contact us to learn more