Governance, Risk and Compliance

Top 12 Financial Institutions Risks

Posted May 7, 2019 by Resolver

In the late 2018, we conducted a survey where we asked professionals in the financial sector about what they identify as the top financial institutions risks that will impact their organizations. While the answers varied widely in scope depending on the industry of the specific respondent, there were a few common responses that we continued to come across. Below are the top 12 financial institutions risks should be aware of as identified by risk managers.

1. Damage to Company Reputation

One of the most commonly cited fears was damage to their company’s reputation. This is not surprising, as reputation is a vital ingredient to business success, whether in regards to customer trust or employee loyalty. Companies that inspire employees and customers alike find great success today, as was the case with the Massachusetts-based supermarket chain Market Basket, which has continued to flourish following mass protests in 2014 involving the ousting of a beloved CEO.

While key ingredients for acquiring a good corporate reputation, such as high quality, outstanding service, and competitive prices, are relatively well understood, there are seemingly countless ways in which a brand might be damaged. It could be the result of unethical conduct, like what happened to the Volkswagen brand following the reveal of its so-called emissions scandal in 2015. Reputational damage could also result from poor security practices, as evidenced by the 2017 Equifax data breach, which exposed the sensitive data of over one hundred million people and caused heavy damage to its reputation.

2. Cybercrime – As One of The Major Financial Institutions Risks

Speaking of data breaches, the fear of cybercrime also commonly appeared as a separate response in our survey. And that is no wonder, as cyberattacks like distributed denial of service (DDoS) attacks are increasing in frequency every year. Such attacks can wreak havoc on a company’s internet infrastructure, potentially sending domains and web-based services offline for hours at a time and breaking functionality for their users.

Cybercrime can have serious consequences for a company’s bottom line in several ways, whether measured in lost time and productivity, cost necessary to fight the attacks, or simply in the loss of customer trust following a leak of sensitive data or failure to provide services according to expectations. The above-mentioned Equifax breach resulted in considerable brand damage, and DDoS attacks can easily result in thousands of dollars in damages stemming from a lower credit rating or higher insurance premiums.

3. Economic Slowdown

It seems that no matter where you turn for news, there is discussion about worldwide economic stagnation. Whether focusing specifically on Europe or China, Japan or the United States, the one constant seems to be the belief in some kind of synchronized global economic slowdown.

In modern financial theory, a firm’s exposure to general market risk is known as its “beta.” Although the betas of banks and financial service companies are relatively low compared to other industries, they are still correlated in a positive direction, meaning that they are still expected to be negatively impacted in response to a fall in the overall market.

Few financial organizations outside the biggest banks can hope to achieve any kind of influence over fiscal and monetary policy, making the signs of an impending global economic slowdown concerning for financial professionals who are otherwise mostly powerless in the face of an economic downturn. With that said, there are ways for a company to prepare for widespread economic turbulence.

Useful strategies include addressing the possibility of facing a poor economy well in advance, maintaining a long-term orientation despite rocky short-term performance, and making decisions based on growth prospects as well as cost reduction. Planning well in advance and building financial buffers will go a long way towards mitigating the effects of a coordinated economic downturn.

4. Regulatory/Legislative Changes

Similar to fears of general economic slowdown, a good number of financial professionals responded that regulatory and legislative changes pose a risk to their companies in 2019. Much talk has already been generated about the exceptionally high costs of compliance for companies in the financial industry, with overall regulations seemingly doubling every few years and costing banks upwards of one hundred billion dollars annually.

For an example of legislation significantly impacting the business operations of financial institutions, look no further than the Dodd-Frank Wall Street Reform and Consumer Protection Act. Passed in 2010 while still on the heels of the financial crisis and rolled out over several years, the legislation placed restrictions on the way banks could engage in investments and speculative trading, and once again eliminating proprietary trading altogether.

While the ostensible purpose of the legislation was to reduce systemic financial risk and protect consumers, it also strained the profitability of small community banks and drove some out of business altogether, with the US losing 14% of such institutions between 2010 and 2014. An understanding of these consequences resulted in a partial Dodd-Frank rollback in 2018, where small lenders were exempted from certain loan disclosure requirements.

Looking outside the US, the European General Data Protection Regulation (GDPR), enacted in 2016 and implemented in 2018, is perhaps the most high-profile example of online data privacy regulation. The GDPR places many requirements on how companies are to treat consumer data, individually costing companies millions of dollars in compliance worldwide and imposing serious costs on small and medium-sized businesses. Now, many believe that the US will soon follow suite in enacting data privacy legislation, especially on large technology companies like Facebook, undoubtedly adding further to compliance costs.

5. Increasing Competition

In an economic system marked by competition, successful companies cannot simply sit on their laurels, lest an ambitious industry upstart appear and offer superior products or lower prices to entice customers away. This is no different in the financial industry, with the advent of financial technology and new means to invest and save appearing along with the proliferation of smartphones and other mobile internet-connected devices.

Indeed, traditional financial institutions have encountered competition in recent years from smartphone stock trading apps like Robinhood, as well as from online loan and impact investing platforms. Meanwhile, tech giants like Amazon and Google always pose an outside threat to disrupt virtually any industry, including financial services. Just look at Apple Pay, which allows iPhone users to achieve common banking functions like swiping a credit card or sending money to family or friends.

And this is all to say nothing about the potential for cryptocurrencies to one day gain more traction and cause a huge upheaval in the way financial intermediaries operate. While anyone who has followed the cryptocurrency scene over the past few years can attest to the significant volatility in the sector, that has not stopped large financial institutions like Bank of America from expressing worry about their growing popularity and seeking ways to stay ahead of potential developments in blockchain technology.

Learn how to prove the value of an ERM program. Watch the webinar on-demand

6. Failure to Innovate

In the face of such increasing competition in the financial sector, it is necessary for companies to be able to innovate to continue to prosper. In technology, Apple was a dominant force for innovation during the time of Steve Jobs, but sales decline has come along rumblings concerning a lack of innovation coming out of the company.

Of course, Apple is still an industry giant and will not be going away anytime soon, as has been demonstrated by the reveal of the Apple Card, a partnership with Goldman Sachs and Mastercard that offers a credit card integrated directly into the iPhone’s Wallet app, as well as new subscription services in news and television programming. Apple stock has continued to rise despite poor headlines earlier in the year, serving as a reminder that even the most successful companies must innovate to stay ahead of the competition.

7. Disruptive Technologies

Innovation that lets one company stay ahead of the competition could end up changing the way the entire industry operates, leaving those slower to adapt behind. Disruptive technologies can take the form of service ecosystems like Apple Pay, new investing platforms like the Robinhood app, or even would-be money of the future like cryptocurrencies.

In such a constantly changing industry as finance, there is always the threat of new technologies that could draw consumers away from traditional practices. For organizations to be successful and survive long into the future, such changes must either be anticipated or adapted to as well as possible. Apple Card, for instance, promises to attract existing Apple users with its ease of use and lack of annual fees, which has undoubtedly already spurred other major credit card companies to evaluate and improve their own offerings where they see fit.

8. Failure to Attract/Retain Talent

The problem of attracting and retaining quality talent was another common refrain from the financial professionals we surveyed. High turnover rates require resources to be devoted to hiring and training employees rather than put towards other valuable business development goals. It also can affect employee morale and make it difficult to create a positive company culture, where employees understand and share the organization’s values and mission.

With unemployment low across the US, companies must work hard to attract the best and brightest, offering perks such as professional development program, an appealing workplace culture, and sometimes simply just more money than competitors.

9. Business Interruptions

“Time is money,” and nowhere is this more true than in the financial sector. Business interruptions result in lower productivity, lower profit, and, depending on the situation, potential brand damage. Such interruption could come as a result of cyberattacks, as outlined before, or may be simply caused by extreme weather events.

Purchasing business interruption insurance is one option some companies use to mitigate such a risk, although such policies cover only loss or damage to tangible items and not lost profits. In any case, there is no doubt that business interruptions are best to be avoided.

10. Political Risk and Uncertainty

Similar to the fear of regulatory or legislative changes, political risk and uncertainty also factored among the twelve most common survey responses. Sudden changes in the political winds can have very real consequences for companies, as has been illustrated clearly with the arrest of Huawei’s CFO in Canada.

Furthermore, recent threats of tariffs to be imposed against China and Europe by the United States also impacts business prospects for many companies operating within their borders. As with the fear of economic slowdown, the best way to deal with political risk is to make contingency plans well in advance regarding how to deal with potential disturbances to certain markets or supply chains. While no single company can control such systematic risks, those that position themselves to be resilient in the face of external shocks have the best chance to handle political uncertainty in stride.

11. Third Party Liability

Speaking of lack of control, respondents also mentioned third party liability as a major risk that they fear in 2019. While the exact situations where third party liability arises may vary between different industries, it can occur whenever a firm uses an outside company to provide some kind of service. Third party liability risk is especially important in the financial industry, where financial service firms face liability for the actions of vendors. As a result, it is vitally important for financial firms to thoroughly evaluate third parties before entering into official partnerships.

The banking industry in particular has been ahead of the pack in establishing systems for addressing third party liability risk. Motivated by the aforementioned increase in frequency and severity of cyberattacks, banks have increasingly integrated vendor risk management into their operations. Processes commonly used to address third party liability include preliminary risk assessments, careful drafting of contract provisions, and ongoing oversight and monitoring of third party vendors.

While it is impossible to fully eliminate third party liability except by deciding to not engage in partnerships entirely, the best way to mitigate third party risk is to select opportunities carefully and exercise prudence in all dealing with outside business partners.

12. Commodity Price Risk

Rounding out the list of the 12 most common survey responses is commodity price risk. Commodity price risk is defined as “the price uncertainty that adversely impact the financial results of those who both use and produce commodities.” Notable commodities that cause price risk for companies and consumers alike include oil, corn, cotton, aluminum, and steel. Firms facing significant commodity price risk usually engage in hedging through the use of futures contracts on global exchanges like the Chicago Mercantile Exchange.

The steel and aluminum tariffs imposed by the United States illustrate how commodity price risk may manifest and negatively impact companies involved. Following the enactment of the tariffs, publicly traded steel companies have suffered in terms of stock valuations and general company health as they face higher prices, lower output, and lower sales.

While few of these risks can be fully eliminated, having a complete risk management solution in place can go a long way towards mitigating catastrophic events.

Interested in how Resolver’s enterprise risk management software can help you? Request Your Demo Now

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
BIGipServersj13web-nginx-app_https	session	This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	6 months	This cookie is set by Wix and is used for security purposes.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__resolver-ref	session	This cookie is set by Resolver to ensure visitors receive unique content after submitting a form on our website.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is set by AppDynamics and is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is set by AppDynamics and used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 2 months 17 days 10 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4655365_4	1 minute	Set by Google to distinguish users.
_gat_UA-4655365-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_VCHH3SM1QW	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_omappvp	11 years	The _omappvp cookie is set by OptinMonster to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie set by OptinMonster, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetvid	1 year 24 days	This cookie is set by Bing to store and track visits across websites.