Rachel Adeney and Amy Fraser
Operational risk is rapidly becoming one of the most important threats to the financial system but is also one of the least well understood. Cyber attacks are regularly cited as one of the top risks faced by firms in the financial sector and one of the most challenging to manage. But they are only one part of operational risk, which includes losses from any kind of business disruption or human error, including power outages or natural disasters. In this post we discuss why operational risk matters for financial stability, how policymakers have responded to increasing risks from operational disruptions and the future challenges that may arise in this space.
Why does operational risk matter for financial stability?
Operational risk has typically been viewed as an idiosyncratic risk that only matters for individual firms. However, as firms have increasingly digitised and outsourced services to third parties, operational interconnections are increasing and the associated risks need to be assessed as threats to the wider financial system.
There are two key ways by which crystallisation of an operational risk event could create widespread disruption to the financial system (that is, become a systemic risk).
Firstly, a direct impact through operational disruptions to the most important institutions in the sector. This includes not just the very large banks, but also critical financial market infrastructures (FMIs). FMIs play a unique role as the ‘plumbing’ of the financial system. They provide the networks for payment, settlement and clearing that connect and ensure the functioning of international capital markets. Their size also makes them a critical part of the financial system. LCH Swapclear regularly clears in excess of US$3.5 trillion notional per day while CLS operates the world’s largest multicurrency cash settlement system for foreign exchange transactions in 18 currencies.
FMIs are utility-like entities, and their services are expected to be reliable and founded on sound risk management, much like our expectations for electricity provision. This market structure creates efficiencies but also raises questions around the standard of resilience that is acceptable, including questions of substitutability. A further tension is between providing low-cost services and the need to invest to ensure appropriate standards of operational resilience.
The risk of operational failure at financial market infrastructure firms has long been recognised and for many FMIs it is the number one risk they face. A prolonged operational outage affecting one of these ‘global pipes’ is likely to have an impact on the wider financial system. This impact has been seen in the settlement system outage experienced by Euroclear UK and Ireland in September 2020 which caused notable market disruption and resulted in the Bank of England delaying an Asset Purchase Facility gilt purchase operation. Visa Europe also experienced a partial service disruption in June 2018 which prevented many cardholders from using their systems for payments.
Secondly, financial stability risk can arise indirectly from correlations in operational disruptions across firms. This means that operational disruptions at one firm are likely to be associated with similar disruptions at other firms, which means the impact can quickly become very large. Operational disruptions can be correlated across firms if they rely on the same digital technology or outsource their services to the same third parties. These correlations have increased in recent years, making it more likely that an operational disruption in one part of the financial system could have widespread impacts. For example, cloud services are often provided to the financial system by a small number of unregulated firms. The Future of Finance report set out that these services can range from pure infrastructure services to data applications and analytics, and increasingly financial firms’ technology vendors are dependent on cloud. An operational disruption at one of these unregulated tech firms could have implications for a large number of regulated firms that depend on their services. In the UK, HM Treasury has, with the financial regulators, developed a proposal on mitigating risks from critical third parties such as cloud providers to the finance sector and has brought forward legislation in the Financial Services and Markets Bill.
Cyber incidents and financial stability
While cyber incidents are just one type of operational risk, they have unique characteristics that warrant more attention. In particular, cyber threats are dynamic and attacks can spread quickly with the potential for high impact. For example, cyber attacks such as ransomware and distributed denial of service can lead to a prolonged disruption to services. A cyber incident has the potential to escalate into a systemic crisis when the operational shock creates financial and confidence impacts, beyond the capacity of the financial system to absorb.
The changing risk landscape
Managing operational risk has become more challenging in recent years due to profound changes in the external environment. The financial system has weathered some significant and unprecedented operational challenges in recent years, such as the Covid-19 pandemic, all in an environment of rapid technological change and increasing cyber threat.
Operational challenges are likely to increase in the face of physical threats from climate change (causing disruption to banks’ physical assets), new technologies such as quantum computing (increasing complexity and causing disruptions in a complex environment), and an increasingly geopolitically fragmented world (higher risk of nation state cyber attacks). Innovation in payments and the process for clearing and settling transactions potentially offers benefits but could also raise new questions around resilience and operational risk. These innovations could reduce cost and offer new convenience and functionality, as well as increase resilience by offering alternative new ways to pay, clear and settle transactions. But these opportunities can only be realised if new forms of innovation are safe.
How are policymakers responding to the heightened risk from operational disruptions?
In an ideal world firms would have control measures in place that are effective enough to prevent any operational disruption from occurring in the first place. However, this is unlikely to be achieved in practice, especially for cyber risk where new vulnerabilities are always emerging and attack types are constantly evolving. Instead policies are typically built on an assumption that controls fail and are focused on ensuring firms’ operational resilience. That is, are firms able to recover from operational disruptions within certain tolerances?
Existing policies around the world recognise that disruptions of all kinds will occur and set out expectations for firms and FMIs to mitigate and recover from an operational risk event if it crystallises. However such policies are often largely microprudential in nature, being focused on strengthening the safety and soundness of individual firms. As operational risk presents more of a threat to the stability of the whole financial sector, macroprudential policies are likely to be needed to ensure the management of system-wide risks. We are beginning to see the development of such policies in a number of jurisdictions with regulators considering how to manage the risks presented by outsourced third parties providing critical services to a wide range of financial service firms and the development of cyber stress tests.
Future challenges for policymakers
While policymakers and industry are working to improve the operational resilience of the financial sector and FMIs, many challenges lie ahead. One important reason why operational risk has been relatively underresearched from a systemic point of view is due to challenges with finding appropriate data. This presents regulators with an important challenge because without appropriate data, it is difficult to effectively monitor and manage these risks within the financial system and quantify what consequences there might be for the wider macroeconomy. Macroprudential policy has proven itself adaptable to change in the past, working to allow the economy to expand and innovate safely. But policies will need to continue to evolve to meet these new challenges in a way that ensures the resilience of FMIs and the financial system more broadly.
Rachel Adeney works in the Bank’s Banks Resilience Division and Amy Fraser works in the Bank’s Financial Market Infrastructure Regulation Division.
If you want to get in touch, please email us at bankunderground@bankofengland.co.uk or leave a comment below.
Comments will only appear once approved by a moderator, and are only published where a full name is supplied. Bank Underground is a blog for Bank of England staff to share views that challenge – or support – prevailing policy orthodoxies. The views expressed here are those of the authors, and are not necessarily those of the Bank of England, or its policy committees.
Increasingly, customers are required to use online services. The risk to consumers is shown very clearly with the recent damage to the cable between the mainland and Shetland, which removed access to phones and the internet. If a consumer relies totally on internet banking (and the banking model is increasingly pushing us in that direction) then the impact on consumers could be severe and the costs will be borne more by consumers than by banks and other financial institutions.
This write-up aligns with my thinking.
Technology is a significant cause of operational risk events in today’s financial institutions. Do we need to think far to recognize this fact? My response is, “No”. Let’s flashback our memories to the recent Rogers Telecommunications outage in Canada.
Financial supervisors and regulators globally need to focus attention on the unregulated providers of critical services to the financial sector.
Governments must ensure that tech firms critical to financial system stability become regulated and supervised by a member of the financial safety net. I understand that in many jurisdictions, government supervises FMIs. However, unregulated tech firms are becoming very important, and the government should recognize this fact and pay attention to them.
The next global financial crisis is not likely to result from financial risk events but from operational risk events.