Cyberthreats much more than operational risk

Too often the knowledge and awareness of risks and threats, including cyber threats, are siloed in the operational risk management area of banks, says Deputy Comptroller for Operational Risk Carolyn DuChene.

“Risk awareness, risk identification, risk assessment, and controls need to be pervasive in your organizations,” DuChene said during a speech last month at OpRisk North America, in New York. “Let me use cyber threats as an example. Cyber threats are more than an information security risk and more than an operational risk. They pose a risk to every element of your business model, a risk to your strategy, and a risk to your reputation. Cyber threats are not just a technology issue. If managed only from a technology perspective, a bank misses the opportunity to identify and plug holes and vulnerabilities.”

To highlight her claim that cyber threats include more than technology, she pointed out the distinct human element that is often embedded in them.

“Whether it’s spear-phishing emails, social engineering phone calls, or the flash drive found in the parking lot, there is a human component to the vulnerability and it can exist anywhere in your firm, or at any of your third-party relationships, or with your customers. This type of threat requires a comprehensive business—not just an operational risk—response,” she said.

In the coming year, the Office of the Comptroller of the Currency will “explore” several related aspects in this regard, including whether existing organizational structures are sufficiently agile, and whether the tools, techniques, and technologies being used are sufficient for the changing environments, DuChene said. Part of this derives from the realization that, increasingly, bank lines of business are embracing new technologies to pursue organization goals and strategies, often ahead of risk management coordination.

“Business lines—increasingly recognized as the organization’s first line of defense—are not always exhibiting the needed robustness in risk-control self-assessments and emerging risk identification. In a number of operational models, technology is being developed at, deployed from, and managed by the business lines. Where this is the case, the first line of defense must understand the risks and be held to the same standards for risk management as technology units.

“The second line of defense—the independent risk management functions—is increasingly being stretched thin. More worrisome, in too many instances second lines of defense are inadequately staffed, experience high turnover in critical leadership positions, or are insufficiently engaged with identifying, assessing, and monitoring the risks associated with strategic and business model change,” she said.

DuChene pointed out that OCC proposed rules earlier this year that would impose enforceable guidelines establishing heightened standards for large insured institutions with $50 billion or more in average total consolidated assets. Part of that rule would establish a risk governance framework that covers all risks, including operational risk.

More fundamentally, though, DuChene pointed out the need for risk management to pervade any financial institution’s organization.

“In the end, sound operational risk management isn’t something a bank does. It’s more than that. It’s something so embedded in a bank’s culture and its DNA that the thought of cutting corners to be first to market isn’t even a consideration. It’s the ingrained guiding principles that recognize that defense against cyber threats and ensuring information security are more than the technology, more than firewalls, more than perimeter protection. It’s an inherent and automatic understanding that the best defense against the risks associated with managing change is central to identifying and mitigating the operational, strategic, and reputational risks facing institutions today. It’s individuals who understand and own the risks, and it’s the necessary controls and incentive schemes that do not encourage employees to compromise the control environment. Moreover, it’s the tone from the top that promotes and ensures that this can all happen at your organizations,” she said.