Our latest annual report exploring some of the major risk management issues for the year ahead, with commentary from select industry experts.
What a difference a year makes
Looking back at last year’s report, there are several key business concerns that will make a reappearance on the corporate agenda as we progress through 2021.
“COVID-19” wasn’t yet part of common parlance this time last year, though the new coronavirus strain did get a mention in our 2020 report:
“At the time of writing, the coronavirus has infected more than 5,000 people in 16 countries including the US, and claimed 132 lives in China, with 12 cities on lockdown.”
What a difference a year makes. If we’ve learned anything over the past 12 months, it’s that geographical location is not a valid risk mitigation method. All of the business concerns highlighted below are global issues and could have catastrophic consequences for firms of all sizes, all over the world. COVID-19 was seen as a “Chinese problem” just over a year ago, but now it’s almost impossible to identify any element of our daily lives which is yet to be impacted by it. It was the Grey Swan event we had all been waiting for.
This report takes a look at some of the crucial areas of concern for businesses in the year ahead, with commentary from select industry experts. The topics aren’t listed in any particular order, but comprise some of the major issues being prioritised by those working in risk management-related roles right now.
Cyber and IT security
Mass remote working has thrown our sense of cyber and IT security into disarray. The relative safety of a system largely accessed from a central location is now a distant memory, with the majority of staff in financial services firms still working from home. This has put pressure on those tasked with cyber security to adapt quickly, no doubt providing criminals with an opportunity to take advantage of gaps in IT controls.
“Certainly next to the pandemic, this is our biggest risk, still,” says Annie Searle, an associate teaching professor at the University of Washington’s Information School, where she teaches risk, cybersecurity, privacy, information ethics, policy and law. “The pandemic magnifies all the fissures in our critical infrastructure, and it shows most in the cyber arena, particularly where attacks like SolarWinds are concerned.”
George Clark, director of CC Risk Limited and former Chair of the Institute of Operational Risk, agrees. “I would consider this one of the top five risks facing all organisations at this time. The recent SolarWinds event shows how vulnerable systems – which could reasonably be expected to be well controlled – are to sophisticated attack.”
The hack at software giant SolarWinds went undetected for approximately nine months and involved criminals (believed to have been acting on behalf of the Russian government) planting malware in one of the firm’s most popular software products, Orion. An estimated 250 organisations were affected, including US government agencies and several Fortune 500 companies – but the true impact is still unknown.
Though the process of introducing the malware to Orion was highly sophisticated, the way the attackers first gained access to the system may not have been. According to one security expert who worked with the firm in 2019, concerns were raised about the use of an easily guessable password (“solarwinds123”) on its update server. Researchers investigating the hack reportedly did not consider the password the most likely point of entry, but it does little to instil confidence in the firm’s security.
The way we refer to and oversee cyber and IT-related risks might also be an area of concern, argues Clark. “The ‘Cyber’ descriptor has overtaken historic descriptors such as Information Security and is now a catch all for IT, Data, Systems, etc. This aggregation may have some issues in maintaining visibility of the granularity of risk and controls – as the underpinning risks will certainly not have gone away.”
The pandemic has at least helped propel cyber and IT security to the top of the agenda for risk management, with 51% of global financial services executives who responded to PwC’s Global Digital Trust Insights Survey confirming they are “baking cybersecurity and privacy implications into business decisions and planning as a result of COVID-19.” More than half also plan to increase cyber budgets (57%) and headcount (53%) this year. “Organisations should ask: How does the shift to remote-work mode change our cybersecurity posture? Which cyber-hygiene practices do we already use, and which do we need to add for remote work? Which other risks – operational, regulatory and compliance – should we manage?” says PwC.
We all hoped 2020 might be the year of change when it came to climate-related issues, but like most things, it took something of a back seat thanks to COVID-19. Last year we highlighted a letter written by BlackRock CEO Larry Fink, who suggested companies could not expect to achieve long-term profits if they did not consider the bigger picture and the ethical impact of their actions, adding that BlackRock would be exiting investments that presented a high sustainability-related risk, such as thermal coal producers. ESG (environmental, social and governance) issues are still a key concern for firms, both from the perspective of their own impact on the world and that of the businesses they fund.
COVID-19’s influence on this area of risk has been to channel firms’ handling of climate and societal issues into a more unified approach that safeguards people as well as the planet. It has increased the focus on employee and customer wellbeing and has shone a spotlight on the complex and interconnected nature of markets. “The positive is that it will likely drive activity and high standards of corporate behaviour,” says Clark, “including a social conscience and consideration of the societal impacts from organisations’ strategy and operations.” But, he adds, policy makers have some catching up to do first: “The risk is that, although broad targets and a direction of travel are understood, in the absence of policy, it is the values of a select but growing group of investors, financiers and others, which drive outcomes.”
2020 did see a huge shift in investments to more ESG-focused offerings. According to a report in Lexology, issuance of sustainable bonds was up 96% in 2020 compared to the same period in 2019. Of these, 49% were made by corporates – a 35% increase. The number of social bonds issued was also eight times higher than the same nine-month period in 2019.
Digitalisation and AI
Technology provides firms with at least as many opportunities as it does risks, and the most powerful tool for firms in both respects is knowledge. AI (artificial intelligence) in particular is a term which is bandied about a lot, and often by people who don’t really know what it means. The concept of AI is commonly misunderstood, says Husan Mahey, Co-Founder of SkySoft UK and a specialist in robotic process automation training. So what is it in a nutshell? “A vital part of our daily life involves making decisions,” explains Mahey. “If we were to automate these decisions they can be broken down into two distinctive categories: either the decision is derived using a rule-based system, or using a machine-learning algorithm, the latter being an implementation of AI. It’s similar to applying a decision based on knowledge rather than a predefined set of conditions.”
These capabilities provide huge opportunities for the risk-management space, in particular in helping to reduce false positives in anti-money laundering detection systems, including KYC (know-your-customer) and due diligence functionality, and the monitoring of transactions for suspicious activity.
But, argues Clark, there is a knowledge gap which needs addressing first. “I do question if current mainstream risk practitioners and functions have the technical competency to keep up…It’s unlikely that current risk and control frameworks will be fit for purpose in an artificial intelligence/machine learning world, but, they could actually transform how the large volume of risk data – RCSA, regulations, policies, emerging themes, recorded conversations/emails etc – is used to better target risk exposures. I believe that AI offers a real possibility of better understanding concentrations of bad apples and bad barrels, potentially now inclusive of behavioural data, increasing the potential of more forward/predictive capability rather than the heavily backward-looking current practice.”
It’s also worth noting that just as AI provides opportunities for firms, it also offers a powerful tool for criminals. “As the use of artificial intelligence, machine learning and deep learning technologies increases to help with running businesses in a more digitised and effective way, these technologies are also being used by hackers to create more sophisticated and effective malware. Keeping your organisation protected is not a one-off task, but an ongoing challenge,” warns Mahey.
A report published by RiskBusiness in September 2020 explored the risks posed to business by AI and the development of increasingly convincing deepfakes. Active learning technology allows cybercriminals to boost the success rates of phishing emails and other such scams by gathering data on what works and what doesn’t, then using this information to adapt their approach. “They are always one step ahead,” says Graeme McGowan, Director, Cyber & Security Risk at the Optimal Risk Group. “This is why it is so important to keep educating staff about the technological capabilities cybercriminals now have. Share examples of incidents that have occurred, remind staff of the protocols they must follow and don’t just limit cyber risk training to new recruits; it should be ingrained in everyday, business-as-usual activities so that being aware of these types of risk is second nature.”
According to Deloitte’s 2021 banking and capital markets outlook report, investing in technology to cope with demands related to COVID-19 had a direct impact on performance in the financial services sector in 2020: “In addition to accelerating digital adoption, the crisis has also served as a litmus test for banks’ digital infrastructure. While institutions that made strategic investments in technology came out stronger, laggards may still be able to leapfrog competitors if they take swift action to accelerate tech modernisation.”
Despite headlines to the contrary, it wasn’t the public sector that was hit hardest by ransomware attacks in 2020. According to The State of Ransomware 2020, a global survey by cyber security software provider Sophos, 45% of public sector organisations were hit by ransomware last year, compared to a global average of 51%, and a high of 60% in the media, leisure, and entertainment industries.
In the financial services sector, 48% of those surveyed reported being hit by a ransomware attack in 2020, but it’s possible the real figure is much higher. “In many countries, public sector organisations are obliged to report ransomware attacks,” says Sophos. “However, the private sector often has no such requirements and so can choose to keep the attack quiet – perhaps to avoid creating concern among customers, reputation damage, or being perceived as an easy target by other attackers.”
In a massive 73% of attacks, the cybercriminals succeeded in encrypting the data they stole (making it unusable unless a ransom is paid). Some 26% of organisations whose data was encrypted got it back by paying the ransom, while a further 1% paid the ransom but did not get their data back.
As recent events in the US have demonstrated, political risk knows no bounds. Even seemingly politically “stable” countries are not immune. In an article for her risk consultancy’s newsletter, Searle writes about the triple threat of the pandemic, the recent SolarWinds cyber breach and the insurrection at the US Capitol building on January 6th, which saw five people lose their lives: “I’ve been looking at white supremacist/fringe conspiracy theory groups like the KKK, Proud Boys and QAnon for years, and so has the FBI. Until 2015 when Trump was campaigning, most of these groups had communicated among themselves. Spurred on and encouraged by the current president, such groups have gone mainstream and represent a very real threat to our way of government.”
“We can say that we don’t recognise this behaviour, or that this is not the America we know, but that is avoidance of several fundamental questions…Do we want to live in an armed standoff for the next four years, even as we try to deal with the greatest public health threat and the greatest cyber hack that the country has ever known?”
Politics may seem outside the remit of risk management, but the regulatory landscape is directly determined by those in power. Donald Trump’s administration saw the dismantling of almost a decade’s worth of post-2008 financial crisis regulation. Brexit will also have inevitable impacts on the management of regulatory risk and on London’s position as a global hub for financial services. The handling of COVID-19 recovery schemes and the resultant fraud (and potential legal claims due to inequality of distribution) are a direct result of the political environment. Whatever your standpoint – and whether or not you choose to refer to this area as “political risk” – it is still something that continues to affect every business.
Firms in the UK will be keen for an equivalence decision to be made with the EU on financial services regulation, but they should remember that an arrangement which prioritises the UK will never be on the cards. “To be very clear to our UK colleagues…we want to make sure we move in a direction that is the best fit for our European Union of 27,” Mairead McGuinness, EU commissioner for financial services, told Bloomberg news on January 22nd. But she also pointed out that moving away from a London-centric approach might not be a bad thing for the future of financial services: “The idea of one major centre for any particular sector may not be as important in the future as in the past. We’re all now relocated to wherever we live and we are able to do business.” Though McGuinness was unable to put a definite timeframe on when an equivalence agreement would be completed, she did say she looked forward to the end of this year “when we will hopefully have completed all of this work.”
Corporate diversity demands
2020 was a monumental year for the Black Lives Matter movement, with the brutal killing of African American George Floyd bringing the issue of racial inequality and police brutality to the fore. From a business risk point of view, never has corporate diversity been so high on the agenda. Just as 2017-2019 witnessed a revolution in how sexual misconduct and discrimination were viewed in Hollywood via the Me-Too movement, last year was a pivotal moment in the way America and the rest of the world sees and treats people of colour.
If we are to distil all of this down into what it means for the risk management function, we must be careful not to treat this complex issue as a tick-box process. Better corporate diversity is beneficial for every aspect of a business and creating a system that protects individuals from discrimination on the basis of race, gender/gender identity, sexual orientation, socioeconomic status or religious beliefs is more than an HR issue. Simply paying lip service will not serve the interests of the firm, its employees or its customers. Large corporations including financial institutions employ thousands of people and wield a great deal of power through the opportunities they afford those they employ, and those who use their services.
Despite many firms having dedicated huge sums of money towards corporate diversity initiatives, it’s clear there is still a long way to go, even in some of the world’s largest banks. An email written by Frederick Baba, a managing director at Goldman Sachs who is black, went viral last year. In the wake of the death of George Floyd, he wrote to colleagues describing his experience of police racism first hand and of the feelings evoked by Floyd’s death: “The past few months have been demoralising, and family/friends/colleagues I’ve spoken with and listened to across the firm and country seem to share this feeling…Being black has been nothing if not instructive,” he wrote. He also shared his thoughts on how Goldman Sachs deals with racism: “A common bit of feedback from our junior colleagues is that while our firm expresses a commitment to equality and social justice up top, they don’t necessarily see commitment and support from their direct managers.” The email was forwarded so many times, it was seen by almost all of Goldman’s 38,000 employees and was later published on the firm’s internal website.
Third-party risk/supply chain disruption/vendor solvency
This area of risk will always appear in reports of this kind, but the SolarWinds hack in the US in December 2020 certainly reignited concerns over vendor security.
This major cyber espionage incident was one of the worst in US history, with hackers gaining access to sensitive Government data for approximately nine months. Orion, a popular software programme made and distributed by SolarWinds, was first compromised in March via malicious code hidden in software updates. This allowed hackers access to the networks of the US Treasury Department, the National Telecommunications and Information Administration (NTIA), plus hundreds of private sector organisations, including several Fortune 500 companies.
“If there were ever a clear illustration of how the government and the private sector are inextricably bound together, it would be with this breach,” writes Searle. “The pandemic magnifies fissures in our critical infrastructure. Personnel in both the government and private sector are mostly working from home, which might help explain how the breach activity went undetected.”
The hackers are believed to have been acting on behalf of the Russian foreign intelligence agency, the SVR, which took advantage of limitations in US security capabilities. “By attacking from inside the United States, the Russians exploited the limits on the authority of the National Security Agency (NSA), which cannot enter or defend private sector networks,” explains Searle. “The assessment of impact is not yet complete…At this time, we do not know if SVR’s intent was simple espionage or rather the installation of back doors into prime strike sites that could include the electrical grid, nuclear power plants, labs that are developing new versions of nuclear weapons, and so on.”
This case demonstrates the risks associated with heavy reliance on a single supplier. During an earnings call with analysts in October 2019, SolarWinds chief executive Kevin Thompson said: “We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have…We manage everyone’s network gear.”
Cybercrime is not the only area of exposure for third parties; COVID-19 and Brexit are also impacting supply chains. Despite the UK Government and the EU reaching a trade deal just days before the December 31st deadline, there are some areas of regulation which remain uncertain, particularly in the financial services sector.
Treatment of consumers
The UK’s Financial Conduct Authority will be publishing its updated guidance on how firms should treat vulnerable customers in Q1 of this year. The FCA’s Financial Lives Survey in 2019 showed 50% of UK adults displayed one or more characteristics of being “potentially vulnerable” (characteristics related to low financial resilience, a recent life event such as divorce or bereavement, low financial capability, or a health issue that affects day-to-day activities a lot). The survey took place before the pandemic took hold, so the situation is likely to have worsened considerably with the growth in unemployment. With this added strain on consumers’ financial wellbeing, firms will be expected to make the welfare of their clients a priority and must “take a proactive approach to understand the nature and extent of vulnerability in their target market and customer base,” according to the FCA’s guideline document.
The pandemic has also changed the way firms deliver their products and services to customers, and this will likely have an impact on service quality and customer satisfaction. Reduced face-to-face contact has forced an acceleration in the digitalisation process, with EY reporting a 72% rise in the use of banking apps in Europe (November 2020). It’s therefore important that firms ensure consumer satisfaction and wellbeing are not sacrificed for the sake of efficiency and the rapid adoption of new ways of operating.
Age UK recently highlighted the potential impact of COVID-19 on the over 70s’ ability to carry out simple banking transactions. “Older people are often particularly reliant on cash – more than half of over 70s do not use the internet so online banking just isn’t an option,” said Chris Brooks, the charity’s senior policy manager. “We have received many calls expressing concern about how they can access cash during the pandemic, given many have been advised to stay largely or exclusively indoors. Many older people found it hard to access cash even before the COVID-19 outbreak and we remain concerned that the current situation will make this extremely difficult or even impossible for significant numbers.”
2021 banking and capital markets outlook by Deloitte: https://www2.deloitte.com/us/en/insights/industry/financial-services/financial-services-industry-outlooks/banking-industry-outlook.html
A More Perfect Union, by Annie Searle from University of Washington’s Information School: https://anniesearle.createsend.com/t/ViewEmailArchive/r/00B1340DEA65BDE12540EF23F30FEDED/6F21BA1D1D483682/
FCA’s consultation on guidance for firms on the fair treatment of vulnerable customers:
Financial Lives: The experiences of vulnerable customers by the UK’s FCA: https://www.fca.org.uk/publication/research/financial-lives-experiences-of-vulnerable-consumers.pdf
Global Digital Trust Insights by PwC: https://www.pwc.com/us/en/services/consulting/cybersecurity-privacy-forensics/library/global-digital-trust-insights.html
Key Business Concerns for 2020 by RiskBusiness: https://subscriber.riskbusiness.com/ComponentFiles/Website/InterestingReading_Filename_618.pdf
Recovering from a virus by RiskBusiness: https://subscriber.riskbusiness.com/ComponentFiles/Website/InterestingReading_Filename_621.pdf
The State of Ransomware 2021 by Sophos: