
Risk Practice

The future of operational-risk management in financial services

By partnering with the business, the operational-risk discipline can create a more secure and profitable institution. Here’s what has to happen first.

by Joseba Eceiza, Ida Kristensen, Dmitry Krivin, Hamid Samandari, and Olivia White

© Jose A. Bernat Bacete/Getty Images

April 2020
New forces are creating new demands for operational-risk management in financial services. Breakthrough technology, increased data availability, and new business models and value chains are transforming the ways banks serve customers, interact with third parties, and operate internally. Operational risk must keep up with this dynamic environment, including the evolving risk landscape.

Legacy processes and controls have to be updated to begin with, but banks can also look upon the imperative to change as an improvement opportunity. The adoption of new technologies and the use of new data can improve operational-risk management itself. Within reach is more targeted risk management, undertaken with greater efficiency, and truly integrated with business decision making.

The advantages for financial-services firms that manage to do this are significant. Already, efforts to address the new challenges are bringing measurable bottom-line impact. For example, one global bank tackled unacceptable false-positive rates in anti–money laundering (AML) detection—which were as high as 96 percent. Using machine learning to identify crucial data flaws, the bank made necessary data-quality improvements and thereby quickly eliminated an estimated 35,000 investigative hours. A North American bank assessed conduct-risk exposures in its retail sales force. Using advanced-analytics models to monitor behavioral patterns among 20,000 employees, the bank identified unwanted anomalies before they became serious problems. The cases for change are in fact diverse and compelling, but transformations can present formidable challenges for functions and their institutions.

The current state

Operational risk is a relatively young field: it became an independent discipline only in the past 20 years. While banks have been aware of risks associated with operations or employee activities for a long while, the Basel Committee on Banking Supervision (BCBS), in a series of papers published between 1999 and 2001, elevated operational risk to a distinct and controllable risk category requiring its own tools and organization.¹ In the first decade of building operational-risk-management capabilities, banks focused on governance, putting in place foundational elements such as loss-event reporting and risk-control self-assessments (RCSAs) and developing operational-risk capital models. The financial crisis precipitated a wave of regulatory fines and enforcement actions on misselling, questionable mortgage-foreclosure practices, financial crimes, London Inter-bank Offered Rate (LIBOR) fixing, and foreign-exchange misconduct. As these events worked their way through the banking system, they highlighted weaknesses of earlier risk practices. Institutions responded by making significant investments in operational-risk capabilities. They developed risk taxonomies beyond the BCBS categories, put in place new risk-identification and risk-assessment processes, and created extensive controls and control-testing processes. While the industry succeeded in reducing industry-wide regulatory fines, losses from operational risk have remained elevated (Exhibit 1).

¹ The standard Basel Committee on Banking Supervision definition of operational (or nonfinancial) risk is “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” See Basel Committee on Banking Supervision: Working paper on the regulatory treatment of operational risk, Bank for International Settlements, September 2001, bis.org.

Exhibit 1 (chart). Operational-risk losses increased rapidly after the 2008–9 financial crisis and have remained elevated since. Banking litigation: costs, fines, and operational losses, $ billion, 2008–2018, shown in three panels: Europe, North America, and Europe and North America combined.

Intrinsic difficulties

While banks have made good progress, managing operational risk remains intrinsically difficult, for a number of reasons. Compared with financial risk such as credit or market risk, operational risk is more complex, involving dozens of diverse risk types. Second, operational-risk management requires oversight and transparency of almost all organizational processes and business activities. Third, the distinguishing definitions of the roles of the operational-risk function and other oversight groups—especially compliance, financial crime, cyberrisk, and IT risk—have been fluid. Finally, until recently, operational risk was less easily measured and managed through data and recognized limits than financial risk.

This last constraint has been lifted in recent years: granular data and measurement on operational processes, employee activity, customer feedback, and other sources of insight are now widely available. Measurement remains difficult, and risk teams still face challenges in bringing together diverse sources of data. Nonetheless, data availability and the potential applications of analytics have created an opportunity to transform operational-risk detection, moving from qualitative, manual controls to data-driven, real-time monitoring.

As for the other challenges, they have, if anything, steepened. Operational complexity has increased. The number and diversity of operational-risk types have enlarged, as important specialized-risk categories become more defined, including unauthorized trading, third-party risk, fraud, questionable sales practices, misconduct, new-product risk, cyberrisk, and operational resilience.

At the same time, digitization and automation have been changing the nature of work, reducing traditional human errors but creating new change-management risks; fintech partnerships create cyberrisks and produce new single points of failure; the application of machine learning and artificial intelligence (AI) raises issues of decision bias and ethical use of customer data. Finally, the lines between the operational-risk-management function and other second-line groups, such as compliance, continue to shift. Banks have invested in harmonizing risk taxonomies and assessments, but most recognize that significant overlap remains. This creates frustration among business units and frontline partners.

Taken together, these factors explain why operational-risk management remains intrinsically difficult and why the effectiveness of the discipline—as measured by consumer complaints, for example—has been disappointing (Exhibit 2).


Exhibit 2 (chart). Indicators of operational-risk levels continue to rise. Complaints filed annually with Consumer Financial Protection Bureau, thousands, 2012–2019 (1st half of 2019 annualized); vertical axis from 0 to 300. Source: Consumer Financial Protection Bureau database; McKinsey analysis.

Looking ahead

Against these challenges, risk practitioners are seeking to develop better tools, frameworks, and talent. Leading companies are discarding the “rearview mirror” approach, defined by thousands of qualitative controls. For effective operational-risk management, suitable to the new environment, these organizations are refocusing the front line on business resiliency and critical vulnerabilities. They are adopting data-driven risk measurement and shifting detection tools from subjective control assessments to real-time monitoring.

The objective is for operational-risk management to become a valuable partner to the business. Banks need to take specific actions to move the function from reporting and aggregation of first-line controls to providing expertise and thought partnership. The areas where the function will help execute business strategy include operational strengths and vulnerabilities, new-product design, and infrastructure enhancements, as well as other areas that allow the enterprise to operate effectively and prevent undue large-scale risk issues.

Defining next-generation operational-risk management

The operational-risk discipline needs to evolve in four areas: 1) the mandate needs to expand to include second-line oversight, to support operational excellence and business-process resiliency; 2) analytics-driven issue detection and real-time risk reporting have to replace manual risk assessments; 3) talent needs to be realigned as digitization progresses and data and analytics are rolled out: banks will need specialists to manage specific risk types such as cyberrisk, fraud, and conduct risk; and 4) human-factor risks will have to be monitored and assessed—including those that relate to misconduct (such as sexual harassment) and to diversity and inclusion.

The evolution includes the shift to real-time detection and action. This will involve the adoption of more agile ways of working, with greater use of cross-disciplinary teams that can respond quickly to arising issues, near misses, and emerging risks or threats to resilience.

1. Develop second-line oversight to ensure operational excellence and business-process resiliency

The original role of operational-risk management was focused on detecting and reporting nonfinancial risks, such as regulatory, third-party, and process risk. We believe that this mandate should expand so that the second line is an effective partner to the first line, playing a challenge role to support the fundamental resiliency of the operating model and processes. A breakdown in processes is at the core of many nonfinancial risks today, including negative regulatory outcomes, such as missing disclosures, customer and client disruption, and revenue and reputational costs. The operational-risk-management function should help chief risk officers and other senior managers answer several key questions, such as: Have we designed business processes in each area to provide consistent, positive customer outcomes? Do these processes operate well in both normal and stress conditions? Is our change-management process robust enough to prevent disruptions? Is the operating model designed to limit risk from bad actors?

Untransformed operational-risk-management functions have limited insight into the strength of operational processes or they rely on an extensive inventory of controls to ensure quality. Controls, however, are not effective in monitoring process resilience. A transaction-processing system, for example, may have reconciliation controls (such as a line of checkers) that perform well under normal conditions but cannot operate under stress. This is because the controls are fundamentally reliant on manual activities. Similarly, controls on IT infrastructure may not prevent a poorly executed platform transition from leading to large customer disruptions and reputational losses.

New frameworks and tools are therefore needed to properly evaluate the resiliency of business processes, challenge business management as appropriate, and prioritize interventions. These frameworks should support the following types of actions:

— Map processes, risks, and controls. Map the processes, along with associated risks and controls, including overall complexity, number of handoffs involved, and automation versus reliance on manual activities (particularly when the danger is high for negative customer outcomes or regulatory mistakes). This work will ideally be done in conjunction with systemic controls embedded in the process; end-to-end process ownership minimizes handoffs and maximizes collaboration.
— Identify supporting technology. Identify and understand the points where processes rely on technology.
— Monitor risks and controls. Create mechanisms and metrics (such as higher-than-normal volumes) to enable the monitoring of risk levels and control effectiveness, in real time wherever possible.
— Link resource planning to processes. Link resource planning to the emergent understanding of processes and associated needs. Be ready to scale capacity up or down according to the results of process monitoring.
— Reinforce needed behavior. Ensure reinforcement mechanisms for personal conduct, using communications, training, performance management, and incentives.
— Enable feedback. Establish feedback mechanisms for flagging potential issues, undertaking root-cause analysis, and updating or revising processes as needed to address the causes.
— Establish change management. Establish systematic, ongoing change management to ensure the right talent is in place, test processes and capacity, and provide guidance, particularly for technology.

2. Transform risk detection with data and real-time analytics

In response to regulatory concerns over sales practices, most banks comprehensively assessed their sales-operating models, including sales processes, product features, incentives, frontline-management routines, and customer-complaint processes. Many of these assessments went beyond the traditional responsibilities of operational-risk management, yet they highlight the type of discipline that will become standard practice. While making advances in some areas, banks still rely on many highly subjective operational-risk detection tools, centered on self-assessment and control reviews. Such tools have been ineffective in detecting cyberrisk, fraud, aspects of conduct risk, and other critical operational-risk categories. Additionally, they miss low-frequency, high-severity events, such as misconduct among a small group of frontline employees. Finally, some traditional detection techniques, such as rules-based cyberrisk and trading alerts, have false-positive rates of more than 90 percent. Many self-assessments in the first and second line consequently require enormous amounts of manual work but still miss major issues.

Operational-risk managers must therefore rethink their approaches to issue detection. Advances in data and analytics can help. Banks can now tap into large repositories of structured and unstructured data to identify risk issues across operational-risk categories, moving beyond reliance on self-assessments and subjective controls. These emerging detection tools might best be described in two broad categories:

— Real-time risk indicators include real-time testing of operational processes and controls and risk metrics that identify areas operating under stress, spikes in transaction volumes, and other determinants of risk levels.
— Targeted analytics tools can connect the data dots to detect potential risk issues (see sidebar “Targeted analytics tools”). By mining sales and customer data, banks can detect potentially unauthorized sales. Machine-learning models can detect cyberrisk levels, fraud, and potential money laundering. As long as all privacy measures are respected, institutions can use natural-language processing to analyze calls, emails, surveys, and social-media posts to identify spikes in risk topics raised by customers in real time.

Sidebar: Targeted analytics tools

Advanced analytics has applications in all, or nearly all, areas of operational risk. It is creating significant improvements in detecting operational risks, revealing risks more quickly, and reducing false positives. Whether in information security, data, compliance, technology and systems, process failure, or even personal security and other human-factor risks, the advanced-analytics advantage is becoming increasingly evident. Some applications are described below:

— Anti–money laundering. Replacing rules-driven alerts with machine-learning models can reduce false positives and focus resources on cases that actually require investigation.
— Conduct. Analytics engines can identify suspicious sales patterns, connecting the dots across sales, product usage, incentives, and customer complaints (for example, increases in nonactivated deposits, accounts sold by a retail banker, or trades triggered by a wealth-management adviser as they approach compensation breakpoints). Trade-monitoring analytics can mine trading and communication patterns for potential markers of conduct risk.
— Cyberrisk. Machine learning can analyze sources of signals, identify emerging threats, replace existing rules-based triggers, and reduce false-positive alerts.
— Fraud. Machine learning, including unsupervised techniques, can identify fraudulent transactions and reduce false positives; synthetic-ID-fraud analytics use external, third-party data, in accordance with all local regulation, to analyze the depth and consistency in the identity profiles of new customers.
— Process quality and regulatory risks. Automated call surveillance using natural-language processing can monitor adherence to disclosure requirements. Systemic quality-control touchpoints can check the accuracy of decisions, disclosures, and filings against customer-provided information and regulatory rules (for example, the accuracy of a bankruptcy filing against the system of record information).
— Third-party risk. Models can be developed that quantify the reliance on key third parties (including hidden fourth-party exposures) to drive better business-continuity planning and bring a risk-based perspective to vendor assessment and selection.
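The real-time risk indicators and the natural-language-processing spike detection described above can be made concrete with a small worked example. The Python script below is an added illustration, not code from the article or from McKinsey. It assumes a keyword lexicon in place of a trained NLP classifier (a simplification labelled in the code), tags constructed sample complaints with a risk topic, counts them per ISO week, and flags a week in which a topic's count rises well above the mean of the preceding weeks. A floor on the standard deviation keeps a perfectly flat baseline from turning a one-complaint increase into an alert, which is the kind of false-positive control the article says rules-based alerts lack.

```python
"""Spike detection over topic-tagged customer complaints (added example).

A minimal "key risk indicator": complaints are tagged with a risk topic
(keyword matching stands in for the natural-language processing the
article describes) and a week is flagged when a topic's volume jumps
well above its own recent baseline.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Hypothetical topic lexicon; a production system would use an NLP classifier.
TOPIC_KEYWORDS = {
    "promotions_incentives": ("promotion", "bonus offer", "sign-up", "incentive"),
    "unauthorized_account": ("did not open", "never asked", "not authorized", "without my consent"),
    "fees_charges": ("fee", "charged", "overdraft"),
}


def tag_topic(text):
    """Return the first topic whose keyword appears in the complaint, else 'other'."""
    lowered = text.lower()
    for topic, keywords in TOPIC_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return topic
    return "other"


def weekly_counts(complaints):
    """Count complaints per (ISO year, ISO week) and topic.

    complaints: iterable of (date, complaint_text).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for day, text in complaints:
        iso_year, iso_week, _ = day.isocalendar()
        counts[(iso_year, iso_week)][tag_topic(text)] += 1
    return counts


def find_spikes(counts, topic, baseline_weeks=4, z_threshold=3.0, min_std=1.0):
    """Flag weeks where a topic's count exceeds mean + z*std of the preceding weeks.

    min_std floors the standard deviation so a flat baseline does not turn a
    trivial increase into an alert (a simple false-positive guard).
    Returns a list of (week, count, z_score) tuples.
    """
    weeks = sorted(counts)
    series = [counts[w].get(topic, 0) for w in weeks]
    alerts = []
    for i in range(baseline_weeks, len(series)):
        window = series[i - baseline_weeks:i]
        mu, sigma = mean(window), max(pstdev(window), min_std)
        z = (series[i] - mu) / sigma
        if z >= z_threshold:
            alerts.append((weeks[i], series[i], round(z, 2)))
    return alerts


def build_sample_complaints():
    """Constructed sample: seven weeks of steady background, then a promotion spike."""
    complaints = []
    start = date(2020, 1, 6)  # a Monday, ISO week 2 of 2020
    for week in range(8):
        monday = start + timedelta(weeks=week)
        complaints += [
            (monday, "The promotion I was told about never appeared on my statement"),
            (monday + timedelta(days=1), "I was charged an overdraft fee twice"),
            (monday + timedelta(days=3), "Bonus offer for the new account was not honored"),
            (monday + timedelta(days=4), "The branch closed early on Saturday"),
        ]
    spike_monday = start + timedelta(weeks=7)
    for d in range(10):  # ten extra promotion complaints in the final week
        complaints.append((spike_monday + timedelta(days=d % 7),
                           "Signed up for the sign-up incentive and it was never paid"))
    return complaints


def run_demo():
    """Return the flagged weeks for the promotions topic on the constructed sample."""
    counts = weekly_counts(build_sample_complaints())
    return find_spikes(counts, "promotions_incentives")


if __name__ == "__main__":
    for week, n, z in run_demo():
        print(f"ISO week {week}: {n} promotion-related complaints (z={z})")
```

Run directly, the script prints the single flagged week. In practice the baseline window and z-score threshold would be tuned per topic, and the flagged week would be the starting point for the manual review of underlying complaints and call records that the article describes, rather than an automated decision.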


Exhibit 3 shows how a risk manager using natural-language processing can identify a spike in customer complaints related to the promotion of new accounts. Looking into the underlying complaints and call records, the manager would be able to identify issues in how offers are made to customers.

A number of banks are investing in objective, real-time risk indicators to supplement or replace subjective assessments. These indicators help risk managers track general operational health, such as staffing sufficiency, processing times, and inventories. They also provide early warnings of process risks, such as inaccurate decisions or disclosures, and the results of automated exception reporting and control testing.

Exhibit 3 (chart). Natural-language processing can help detect operational risk. Number of customer complaints over time for Bank A, Bank B, Bank C, and Bank D, with the annotation: natural-language processing can be used to detect spikes in complaints around topics, such as promotions and incentives, that signal potential underlying operational risk.

Together, analytics and real-time reporting can transform operational-risk detection, enabling banks to move away from qualitative self-assessments to automated real-time risk detection and transparency. The journey is difficult—it requires that institutions overcome challenges in data aggregation and building risk analytics at scale—yet it will result in more effective and efficient risk detection.

3. Develop talent and the tools to manage specialized risk types

A range of emerging risks, all of which fall under the operational-risk umbrella, present new challenges for banks. To manage these risks—in areas such as technology, data, and financial crime—banks need specialized knowledge and tools. For example, managing fraud risk requires a deep understanding of fraud typologies, new and emerging vulnerabilities, and the effectiveness of first-line processes and controls. Similarly, oversight of conduct risks requires up-to-date knowledge about how systems can be “gamed” in each business line. In capital markets, for instance, some products are more susceptible than others to nontransparent communication, misselling, misconduct in products, and manipulation by unscrupulous employees. Operational-risk officers will need to rethink their risk organization and recruit talent to support process-centric risk management and advanced analytics. These changes in talent composition are significant and different from what most banks currently have in place (see sidebar “Examples of specialized expertise”).

Sidebar: Examples of specialized expertise

Cyberrisk
Expertise needed for challenge and oversight:
— Pathways to vulnerability (such as the impact of a threat like NotPetya)
— The bank’s most valuable assets (the “crown jewels”)
— Sources of exposure for a given organization
Talent profiles:
— Cybersecurity background
— Senior status to engage the business and technology organizations

Fraud
Expertise needed for challenge and oversight:
— Fraud patterns (for instance, through the dark web)
— Technology and cybersecurity
— Interdependencies across fraud, cybersecurity, IT, and business-product decisions
Talent profiles:
— Former senior technology managers
— Cybersecurity professionals, ideally with an analytics background

Conduct
Expertise needed for challenge and oversight:
— Ways employees can game the system in each business unit (for instance, retail, wealth, and capital markets)
— Specific behavioral patterns, such as how traders could harm client interests for their own gain
Talent profiles:
— Former branch managers and frontline supervisors
— Former traders and back-office managers
— First-line risk managers with experience in investigating conduct issues


With specialized talent in place, banks will then need to integrate the people and work of the operational-risk function as never before. To meet the challenge, organizations have to prepare leaders, business staff, and specialist teams to think and work in new ways. They must help them adapt to process-driven risk management and understand the potential applications of advanced analytics. The overall objective is to create an operational-risk function that embraces agile development, data exploration, and interdisciplinary teamwork.

4. Manage human-factor risks

Bank employees drive corporate performance but are also a potential source of operational risk. In recent years, conduct issues in sales and instances of LIBOR and foreign-exchange manipulation have elevated the human factor in the nonfinancial-risk universe. In the past, HR was mainly responsible for addressing conduct risk, as part of its oversight role in hiring and investigating conduct issues. As the potential for human-factor risks to inflict serious damage has become more apparent, however, banks are recognizing that this oversight must be included in the operational-risk-management function.

Developing effective risk-oversight frameworks for human-factor risks is not an easy task, as these risks are diverse and differ from many other operational-risk types. Some involve behavioral transgressions among employees; others involve the abuse of insider organizational knowledge and finding ways around static controls. These risks have more to do with culture, personal motives, and incentives, that is, than with operational processes and infrastructure. And they are hard to quantify and prioritize in organizations with many thousands of employees in dozens or even hundreds of functions.

To prioritize areas of oversight and intervention, leading operational-risk executives are taking the following steps. They first determine which groups within the organization present disproportionate human-factor risks, including misconduct, mistakes with heavy regulatory or business consequences, and internal fraud. Analyzing functions within each business unit, operational-risk leaders can then identify those that present the greatest inherent risk exposure. The next step is to prioritize the “failure modes” behind the risks, including malicious intent (traditional conduct risk), inadequate respect for rules, lack of competence or capacity, and the attrition of critical employees. The prioritized framework can be visualized in a heat map (Exhibit 4).

Exhibit 4 (heat map). A prioritized grid of human-factor risks can help mitigate risks at points of high exposure. Potential human-factor risks (retail-banking example), by applicability of risk-mitigation measures, rated high, moderate, or low. Risk columns: unauthorized sales, pressure (incentives, sales pressure); inappropriate products sold, suitability (incentives, product knowledge, training); unintended customer misinformation (training, product complexity); processing errors, inaccuracy, negligence (training, frontline skill, capacity, pressure); fraud, personal-information leaks (access to sensitive information). Employee-group rows: branch bankers; investment advisers; lending specialists; phone sales; processing and underwriting; servicing and back office; default and collections.

The heat map provides risk managers with the basis for partnering with the first line to develop a set of intervention programs tailored to each high-risk group. The effort includes monitoring, oversight, role modeling, and tone setting from the top. Additionally, training, consequence management, a modified incentive structure, and contingency planning for critical employees are indispensable tools for targeting the sources of exposure and appropriate first-line interventions.

A brighter future

Through the four-part transformation we have described, operational-risk functions can proceed to deepen their partnership with the business, joining with executives to derisk underlying processes and infrastructure. Historically, operational-risk management has focused on reporting risk issues, often in specialized forums removed from day-to-day assessment. Many organizations have thus viewed operational-risk activities as a regulatory necessity and of little business value. The function is accustomed to react to business priorities rather than involve itself in business decision making.

To be effective, operational-risk management needs to change these assumptions. When equipped with objective data and measurement, the function well understands the true level of risk. It is therefore in a unique position to see nonfinancial risks and vulnerabilities across the organization, and it can best prioritize areas for intervention. Together with the business lines, operational-risk management can identify and shape needed investments and initiatives. This would include efforts to digitize operations to remove manual errors, changes in the technology infrastructure, and decisions on product design and business practices. By helping the business meet its objectives while reducing risks of large-scale exposure, operational-risk management will become a creator of tangible value.

The relationship between operational-risk management and the business can also integrate operational-risk reporting and executive and board reporting—including straight-through processing rates, incidents detected, key risk indicators, and insights from complaints and customer calls.

Progress will require time, investment, and management attention, but the transformation of operational-risk management offers institutions compelling opportunities to reduce operational risk while enhancing business value, security, and resilience.

Joseba Eceiza is a partner in McKinsey’s Madrid office; Ida Kristensen and Dmitry Krivin are both partners in the New York office, where Hamid Samandari is a senior partner; and Olivia White is a partner in the San Francisco office.

Copyright © 2020 McKinsey & Company. All rights reserved.