By Daniel Nunes-Vaz, Senior Research Executive, Center for Financial Professionals.
In recent years operational risk has grown as a discipline and is now viewed as an integral aspect of any risk management department. This is predominantly a consequence of the most recent major financial crisis, where the management of operational risk was partly blamed as a significant contributory factor in the collapse of global markets. Since then, the risk management and operational risk landscape has changed significantly, with increased regulatory burden to strengthen practices. When this is coupled with the constant need to increase the efficiency of operational risk processes, procedures and frameworks, and the need to prove that operational risk is truly adding value to the institution, it is no surprise that operational risk has been seen, and is still seen, as one of the key risk areas going forward.
Due to the clear challenges that operational risk professionals face currently, and over the next year, The Center for Financial Professionals conducted extensive research with senior industry professionals to discover the most pertinent areas for discussion. This piece will review three of the areas that emerged from the research as key upcoming focus areas: aligning departments and functions, conduct risk and the GDPR. These and much more will be addressed at the upcoming 4th Annual New Generation Operational Risk: Europe Summit, taking place on March 13-14, 2018 in London.
What became apparent from initial research was the constant need to increase efficiency throughout departments and, from an operational risk perspective, to constantly prove that it is adding value to the business. After the financial crisis, a lot of mandatory investment was assigned to operational risk to comply with the influx of regulatory changes. With the risk function becoming more stabilised, new regulatory requirements are less burdensome and budgets are therefore decreasing. With a decrease in budget, it is incumbent on operational risk departments to maintain a level of efficiency and compliance with limited or depleting budgets and resources, posing the question of how to satisfy regulators with limited investment or management buy-in.
One area of debate is around the set-up of the operational risk function; the research indicated a general direction of travel towards aligning the more traditionally non-financial risk departments. For instance, should the operational risk function be joined with the compliance function or the financial crime function, and can they all be joined together into one unified function? It was suggested that perhaps the functions could use single risk assessments, single systems, frameworks and policy teams. Although this is quite a drastic proposal, it is logical that aligning functions, or ensuring they work in a more simplified environment, would make them more streamlined and enhance efficiency. This poses many challenges and obstacles for institutions with a global footprint and variations in processes across country lines; aligning these teams, together with the restrictions from legacy systems, makes this a mammoth task. In many institutions, a range of tools, terminology and systems for capturing similar risks can be utilised in different ways, producing varying interpretations and responses. The challenge lies in grouping non-financial risk teams together and ensuring a more collaborative approach, bringing synergies between the regulatory compliance, operational risk and financial crime functions. Institutions are constantly grappling with alignment and disparities between departments, working towards using common tools to increase efficiency from an output and resource perspective. It will be interesting to see developments over the coming years and who is first out of the traps towards this advance in practice.
Whilst ensuring greater efficiency is a key goal, the regulators are continuing to place increased focus on conduct risk, an area prominent within our research. This is proven by the fact that in April this year the FCA released additional guidance on where institutions are struggling to implement their conduct risk frameworks and advice going forward. There has been increased regulatory focus on conduct risk, which seems a trend set to continue, with regulatory fines increasing for firms failing to manage it effectively. The regulatory implications bring an increased potential for monetary loss, both from the regulators and as a result of a reputational fallout and the unquantifiable reaches of reputation damage.
Another area of contention is around the differences in the UK regulatory approach to conduct risk versus the rest of the world. The FCA focuses very heavily on conduct risk and is further ahead than most, although other jurisdictions are beginning to catch up; for example, the HKMA recently published guidelines on what they expected member banks to be doing around conduct. However, the US regulators are much further behind in terms of issuing guidance and guidelines on the topic. This has an impact on international banks who do not have one single framework and approach in all regions. With varying regulatory requirements across jurisdictions, how do you implement a unified process with different subsets across jurisdictions? It also becomes problematic for risk managers to gain buy-in for resources to build their conduct risk programmes if head office is based outside of the UK, where requirements are limited, vs. in the UK, where the FCA has placed a large focus on it. In the US, there is a different culture and therefore different expectations from the regulators, meaning it can be harder to fight for resources internally. Not only this, but institutions have to educate staff members throughout the firm to show the importance of good conduct, something that can be harder for an international firm in a region where the culture is different, and legacy systems/employees are increasingly difficult to change. In its entirety, conduct risk is an area that will seemingly continue to grow in importance, with many areas to be addressed and solidified before the regulators and industry are at the desired level of management.
With regulatory focus partly on conduct risk, there is no doubting that the upcoming implementation of a regulatory initiative, the General Data Protection Regulation (GDPR), on May 25th, 2018 is one that will also keep many institutions busy coming into 2018 and beyond. From an operational risk perspective, the GDPR brings about fundamental changes to institutions’ underlying processes and procedures. Any changes to systems and processes pose a large risk from an operational perspective; ensuring this is done effectively will be a focus over the coming months. Similarly, firms will have to make sure they are compliant by the May 25th date; with so much work to be done for such a large regulatory initiative, this will prove problematic. Not only this, but IT vendors in the space seem to have been quite slow to market in reacting to the GDPR. This means that firms need to ensure they build robust interim solutions in-house to capture the GDPR requirements in the short term. Once IT vendors become more established in this space, institutions will have to ensure an effective transition to more stable and robust platforms in the medium to long term. There is no doubting that the GDPR poses many challenges for institutions over the coming year and operational risk professionals will have to be on guard pre- and post-implementation.
In its entirety, operational risk looks set to continue to be an essential focus for institutions over the coming years, with an ever-increasing regulatory focus, not to mention media attention. As operational risk departments evolve, the question of increasing efficiency and showing that operational risk is adding value will no doubt continue to linger. There is therefore no doubting that operational risk professionals will be kept busy in the near future.
These are only a snapshot of some of the challenges within the operational risk space. The findings of this research will be illustrated on March 13-14, 2018 at The Center for Financial Professionals 4th Annual New Generation Operational Risk: Europe Summit in London. There will be discussions around aligning departments and functions, conduct risk, the GDPR and much more. We invite you to join your peers for two days to discuss embedding operational risk as a value-adding decision-making tool and utilising approaches for the measurement and management of risks.