When we talk about risk in the context of exchanges, it is important to differentiate between emerging risks and immediate risks — and to remember that we do get some notice of the former.
Immediate, or daily, risks can arise as early as tomorrow and range from the manageable to the significant. But, because of the more immediate danger, people tend to focus too much on them. This is something you can avoid if you take a bird’s-eye view — and build up a more holistic picture. It is possible to recognise patterns and correlations, and combat many of these threats.
By contrast, emerging risks can be more medium or long term — and their effect all the more profound. So, first, let us consider the threats we can see emerging, and then return to daily risks.
We define emerging risks as new or unfamiliar threats that will come in new or unfamiliar conditions. Any well-run organisation will discuss the implications that these emerging risks have for its strategy, and whether they can be addressed early. Often, though, the timeframe of emerging risks can be longer than the typical corporate strategic cycle of three years.
For example, take artificial intelligence and the threats that may arise from quantum computing. Future computing power could mean that encryption standards — such as 64-bit — are not safe any more. It might take five years; it might take longer. But it is a topic that needs to be addressed now.
Other emerging risks include uncertainty over future monetary policy — in particular, concerning the impact of a turning interest rate cycle.
Also, the new requirement for sustainability — this is what everyone is talking about but how it will manifest itself is not yet fully clear.
Then, last but not least of these emerging risks is competition from large technology companies. They are already starting to invest in stock exchange players to get access to data, and to financial technology.
You might have read Google’s announcement: it has invested $1bn in CME Group as part of a deal in which the exchange operator will shift more of its trading operations into Google’s cloud data centres. But the result might have a negative effect: the crowding out of competition. Fewer players in the market could mean less competition and less specialisation.
Immediate risks are much more apparent. That means they can be managed using existing controls and mitigation measures, although these require continuous investment.
For example, for exchange players like us, there are daily risks to operations and security, such as the outage of a trading system. Third parties also bring cyber security risks — if a supplier gets hacked.
Similarly, we have immediate risks in areas of credit — for example, the loss of cash collateral. Then, there is the risk of non-compliance with EU and US regulations and employee conduct — a topic that has become prominent in the past few years.
Legal risk can also include unforeseen loopholes, such as a custodian default not being covered by terms and conditions.
Finally, the other daily risk we care about is the unlevel playing field: the different regulatory treatment of newcomers and incumbents.
New trading platforms — for crypto assets and other securities — do not have the same conversations as we do in terms of regulation, so they can develop rapidly. They do not face the strong regulation that we, as a critical infrastructure provider, have to comply with. For us, the use of these platforms brings a risk of disintermediation — we could lose touch with our customers.
It is important that we achieve a balance between these two worlds. On one hand, we have a business that is highly regulated and, on the other hand, we want to march into a future that is quick and innovative. The art is bringing those two worlds together without killing innovation.
Which of these is the main type of immediate risk, for us? Security — the external threat from cyber attacks. We don’t want to play down financial risk and market risk but they can be managed much more easily. External technology and cyber security is a different angle.
We do have several cyber security projects running but it is not enough to conduct a project, close that project and say “the world is good!”. It requires continuous investment in security because the external threat changes — and changes fast.
We started our state-of-the-art security centre five years ago but we have to continuously invest. We have been making an ongoing investment in ransomware protection and mitigation because it is a complex topic requiring a long-term focus, and one that will evolve as the threat evolves.
Another long-term investment that exchanges need to make is integrating security into their IT architecture. You can program your technology in a flexible way so that, if you later realise you need another layer of protection, you can add it. But you need to have the system architect sitting next to a programmer and a risk guy. That way, they can challenge each other and build for the next five-to-seven years.
Jochen Dürr is chief risk officer and a member of the executive board at the Swiss Infrastructure and Exchange (SIX) Group