Identifying Operational Risk at Financial Services Firms: Common Blind Spots and Cost-Effective Remedies

Published: August 2020


A holistic effort to assess and address commonly overlooked risk areas can help your firm reduce operational risks, save time and money, as well as focus on key areas for positive business impact and market perception.

In an environment where costs are being scrutinized amid the business and market implications of the COVID-19 pandemic, it is now more important than ever to understand how best to prioritize internal spend relative to key operational areas. Achieving optimal risk reduction and efficiency is one of the most powerful tools to weather the current volatile market, especially for CFOs and COOs who are looking to buy down operational risk. Although the breadth of operational risks that investors expect firms to consider is expansive and constantly evolving, the process to identify and address these risks does not always have to be costly.
Aon’s Operational Risk IQ platform considers a broad variety of risk factors across financial services firms’ operating environment, assessing as many as 170 factors ranging from governance to back-office processes and technology. Within the platform’s coverage of over 350 asset managers, more than 85% of firms have at least five areas of operational risk present, and 15% of firms assessed have 15 or more. For cyber security risk specifically, 80% of firms have up to five cyber risk areas identified. In this article, we share some common blind spots and easily obtained gains for firms to optimize resources to their advantage. Our risk identification process can pinpoint cost saving tactics and help clients prioritize risks, while focusing on areas of operational enhancements with the biggest impact.

Why Assessing and Managing Operational Risk Matter Now More Than Ever

Today’s operating environment is clearly an unprecedented time in our history. Considering the COVID-19 pandemic’s humanitarian and economic toll, asset owners who are subject to market volatility and uncertainty are seeking assurance from investment partners that their investments are secure and well-tended operationally. Questions abound, spanning from cyber security and potential for fraud to concerns related to remote work and operational resiliency. These potential risks impact both investment managers and the vendors with whom they engage. While market risk is uncertain, operational risk may be mitigated proactively when firms are armed with insights to address potential risk areas. Below we discuss two key trends that make keeping a close watch on operational risk all the more critical.

Automation and Outsourcing Trends Will Continue

As firms seek to reduce fixed costs, we have seen greater reliance on third-party vendors and automation to decrease human error and realize efficiency gains. According to a 2020 CFA Institute survey of over 13,000 of its global members, outsourcing and automation are here to stay. When asked to predict the biggest long-term impacts of COVID-19 and market conditions on the financial services industry, nearly 40% of survey respondents pointed to an acceleration of automation and scaling through outsourcing to reduce fixed costs.[1]

With this growing reliance on technology and outside vendors comes a greater breadth of potential operational risks. The evolving risk environment for firms and the third-party service providers they rely upon creates a dynamic, expanding set of risk challenges within the broader ecosystem. “Firm leadership must address not only today’s operational risk areas, but also proactively address tomorrow’s threats,” comments Shana Gotlieb, a director in the Rewards Solutions practice at Aon. “These range from existential items that cause reputational risk to alpha degeneration risks that lower investment returns.”

Despite growth in the use of third-party service providers, Aon’s Operational Risk IQ platform suggests there are broad pockets of risk related to how these relationships are onboarded and managed. For example, 33% of firms within the platform have responded that they do not have a formal, documented policy to guide service provider selection and monitoring. Just over 50% of firms lack Service Level Agreement (SLA) requirements for cyber security risk from key service providers, and 20% of firms may allow third-party vendors non-chaperoned physical access to internal systems. In addition to the risk presented by these scenarios, firms with these limitations come with a risk factor that may be considered problematic to an institutional investor client. The good news, however, is that remediation of these items should not require material investment from an asset manager to implement.

There are also other risk areas associated with vendors. As the range of risks that require assessment grows, investment management leadership must continue to monitor historical risk areas, such as compliance, audit and business resiliency, while expanding the purview of areas to topics such as ESG and cyber security. Although asset managers have implemented credible approaches to assess these factors internally, many firms are not as comprehensive when assessing these issues with third-party vendors.

Increased Competition to Attract and Retain Assets

Recent conditions come amid a backdrop of industry challenges for asset management firms, wealth managers and the financial services sector as a whole. For example, passive, lower-cost strategies have been favored as investors scrutinize net returns and fee structures. We are also seeing an increasingly competitive environment to attract and retain institutional capital, with some indication that asset owners are allocating larger mandates to fewer firms as they consider their own cost structures. Consider the following examples:
  • The University of California decreased the number of external managers in its portfolio from 280 to 98 — a 65% drop from 2014 to January 2020.[2]
  • Since 2019, CalPERS has cut ties with more than 30 external fund managers and redeployed $64 billion, saving the pension more than $115 million in annual fees, as reported by The Financial Times.[3]
In addition, costs for compliance and regulatory concerns have increased, while fee negotiations have escalated the need to generate alpha and increase assets under management to preserve healthy operating margins.

Improving the Due Diligence Process

While fees compress and costs increase, investors are asking for more due diligence and client service. When being evaluated for institutional mandates, firms can spend hundreds of hours completing requests for information — but what do they get in return for all of the details provided? They may get anecdotal feedback and the outcome of winning or losing the mandate can certainly be indicative, but let’s face it — the due diligence process has historically been a classic black box scenario. Virtual meetings instead of on-site visits from investor clients during the pandemic create even less margin for error in how a firm presents itself in completing requests for information. The recording of virtual presentations also elevates the importance of understanding best practice.

“We know that due diligence questionnaires can command a huge amount of time and resource commitment, but there are reasons we ask each and every question,” explains Rian Akey, a partner at Aon, who leads the Operational Risk Solutions and Analytics business. “Consolidating some of the repetition from multiple questionnaires that ask for the same information is a good starting point for finding efficiency, but beyond that, I think managers should be asking what else they can earn – or learn – from the process.”

More transparent, consistent and objective feedback that identifies and quantifies risk areas can provide a road map to help optimize remediation priorities. This approach not only helps create a value proposition for the investment manager by providing business intelligence, but it also reduces operational risk, which is the overall goal of due diligence efforts in the first place.

Notwithstanding the opaque feedback from diligence evaluations, firms that demonstrate operational resilience during these challenging times will earn greater trust, while those that underperform will be remembered negatively. Here are a few updates to keep in mind:
  • Amid market volatility, ongoing pressure on fees and consolidation of mandates, the stakes for being optimally positioned in manager diligence reviews are high — you never know which area will be scrutinized as a focus of your evaluation.
  • Initially, operational due diligence focused on pre-investment risk, but now you are often evaluated on an ongoing basis.
  • Firms have both a regulatory and fiduciary requirement to monitor operational risk.
  • With increasing reliance on technology and outsourcing to third-party service providers, asset owners acknowledge that the breadth of operational risk areas has grown. The threat of not actively engaging in risk mitigation is greater than ever.
Poor operational infrastructure can drag down firm investment performance and service level. Managers cannot afford to underperform in either area, especially in the current, high-stakes environment for optimal positioning in diligence reviews. There is clearly greater incentive to de-risk proactively. In short, it is important to understand your full range of operational risk areas and to be perceived in the best light possible.

Two Common Blind Spots to Avoid

In order to assess important risk areas, particularly ones that may be overlooked, below we highlight just two commonly missed blind spots from data within our Operational Risk IQ platform. In both scenarios, addressing these requires relatively limited resource commitments, but each has the potential to help a firm save time, money and improve its overall risk profile and reputation.

Formal re-bidding of a firm’s key service providers

According to research from our Operational Risk IQ platform, among the firms that have retained service providers, 75% do not require systematic re-bidding of terms for these relationships. However, it is best practice to re-bid periodically to ensure that your firm receives competitive rates and service. With the increasing trend of firms using third-party service providers, how you screen them becomes that much more important and can introduce opportunities to save money through competitive bidding or taking advantage of price compression from certain vendor types. This risk area is not only a common blind spot, but it can save money when addressed properly. For service providers that are an expense to a commingled fund (such as fund administration), investors can be particularly sensitive about optimizing fee rates.

Implementing stronger cyber security

While cyber threats from unknown entities are a pervasive fear, our analysis finds cyber risk present within a range of firm policy and procedure deficiencies. Of the firms assessed, 10% do not require multi-factor authentication for remote access, approximately one third do not require users to change their primary network access password regularly (a smaller number of firms don’t enforce password complexity requirements), and just over half have cyber risk areas that represent easily obtained gains, including the permission to use removable media and the rotation of penetration test providers.

Addressing these examples individually does not require a significant resource commitment; however, they are often considered critical tactical components of an overall cyber security framework. Tending to these issues can certainly help protect a firm from cyber security risks, and in an environment where cyber risk is top of mind for most asset owners, the perception payoff can add incremental value. Investors want to see a comprehensive and thoughtful approach to technology and cyber security risks.

How We Can Help

Identifying blind spots is a productive first step to mitigate operational risk at your firm. During the current volatile environment, it is especially important to balance your firm’s priorities effectively and to allocate spend accordingly. While some tools and services focus exclusively on specific risk areas, such as business continuity, Aon’s Operational Risk IQ platform provides a view across business functions. 

As firms are expected to spend differently in the ‘new normal’ to reduce operational exposures resulting from the COVID-19 pandemic, we must remember to ask: Where will this budget come from, and how do we prioritize internal spend? Our risk assessment platform helps firms understand which parts of their business are well-tended and pinpoint other areas that may demonstrate weakness. The tool is designed to provide firms with transparency in understanding operational best practices along with areas that may be subject to additional scrutiny from those conducting diligence. This approach contributes to operational risk reduction through objective metrics, rather than an exclusive reliance on qualitative subject matter expertise. Gaining such strategic insights can ultimately help optimize your overall resource allocations for the future.

Understanding how to best prioritize internal resources to improve key operational areas is crucial. A broad, cross-functional assessment can help optimize resources and ensure you are not over-allocating to an area due to subjective rationale. With the ability to save, prioritize and strategize on internal spend to achieve optimal risk reduction, efficiency and perception, utilizing an effective risk platform can arm your firm with powerful insights to help steer the course through whatever obstacles lie ahead.

To learn more about Aon’s Operational Risk IQ platform and how to submit data to receive a complimentary sample report or subscribe to the platform, please reach out to one of the authors or write to


  1. “Is the Coronavirus Rocking the Foundations of Capital Markets?” CFA Institute, June 2020, page 44.
  3. June 14, 2020

General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
