By Ken Lynch

According to the 2018 Verizon Data Breach Investigations Report, financial services providers are at the greatest risk of getting hacked. While security breaches due to external factors declined from 2015 – 2017, they still account for the majority of breaches, at 79%.

Financial institutions face operational risks since their systems are prone to cyberattacks.

Using Effective Workflow Management to Control Operational Risks

Cybersecurity overlaps put financial institutions at greater operational risk. Data breaches last longer than when they are discovered. The costs resulting from the exploitation of vulnerabilities in your systems can last for years.

While your organization may have a robust cybersecurity policy, hackers are always staying ahead with new tools and exploits of previously undetected vulnerabilities, also known as “zero-day” vulnerabilities.

Zero-day vulnerabilities pose the greatest danger for banks and other deposit-taking institutions. After all, how can you prevent an attack when you are not aware of the vulnerabilities in your system that will be targeted?


Most financial institutions implement operational risk management strategies that focus on failed or inadequate business processes.

Cybersecurity Challenges Experienced by Financial Services Organizations

According to the Board of Governors of the Federal Reserve System, financial institutions face three main challenges when calculating operational risk costs:

i) External Losses

One of the primary limitations for bank models is external losses. However, most of the information available focuses on large losses and comes from publicly available sources like financial disclosures and news articles.

ii) Scenario Analysis

A robust operational risk analysis approach should bring together various players to estimate the risk exposure. Information on cyber risks is elusive and, therefore, limited.

iii) Business, Environment, and Control Factors (BEICF)

BEICF incorporates all the factors that expose financial organizations to potential operational losses. This measurement often relies on self-assessments and other non-standardized factors.

Shortfalls of Basel 4

The Basel Committee on Banking Supervision (BCBS) released its updated rules on operational risk capital management in 2017. These rules follow a Standardized Approach (SA) and will apply from 1st January, 2022.

The new regulations are meant to simplify and standardize operational risk capital requirements to eliminate the problems of the Advanced Measurement Approach. However, the new standardized approach only requires a 10-year loss data capture. Therefore, it falls short on risk sensitivity.

The lack of a sensitivity factor in Basel 4’s SA calculation ignores the potential impact that cyberattacks and other external events have on operational risk.

Improve Your Bottom Line With Security-First Compliance

Basel 4 attempts to standardize the calculation of operational risk capital. However, it fails by not taking into account that reputational risk, legal risk, and operational risk are interconnected.

Traditionally, credit risk, reputation risk, legal risk, operational risk and market risk are considered independent of each other. For instance, credit risk focuses on the likelihood of a borrower failing to meet his credit card payment or loan obligations. The credit risk information can be easily disaggregated from operational risk.

However, operational risk can also impact credit risk. For example, hackers can break into a bank’s systems and steal customer information. The cybercriminals can then make unauthorized purchases with the credit cards, making the customers unable to pay back. This, in turn, leaves the bank exposed to credit risk.

More problems can arise from there. For example, the customers whose data has been stolen can sue the bank under various privacy and cybersecurity laws. Apart from incurring losses from the resulting legal action, the bank’s reputation as a deposit-taking institution will decline.


From the above scenario, it’s clear that a single breach can have a major impact on the five major capital risks.

How to Create an Operational Risk Monitoring Workflow

Security-first compliance is critical to securing your organizational data. It involves continuously monitoring your data environment to ensure its integrity and mitigate the effects of internal or external attacks.

As more vendors access customer information from banks and other financial institutions, the risk of a data breach increases. A single zero-day attack across a shared vendor can have a significant impact across the financial industry. Therefore, financial institutions need to protect not only their environments but also their ecosystems.

Security-first compliance involves both continuous monitoring and auditing of processes and systems that are vulnerable to threats. It should include processes for alerting on, responding to and eradicating threats.

You can use banking operational risk monitoring software to secure your data and processes. The solutions can help you to monitor various processes, delegate risk management tasks, prioritize alerts and get real-time notifications. Continuous monitoring of your processes and data helps to keep your institution compliant with regulatory requirements.

A workflow monitoring system is also a single source of truth. With the solution, you can backtrack through an audit trail to evaluate the effectiveness of your security controls as well as identify weaknesses and how they can be remedied.