A lesson many businesses learn the hard way is that in today's ever-changing and complex regulatory and political environment, operational risks appear to be increasing exponentially. In order to take control of operational risk, company leaders and risk managers need answers to many questions. Can I profitably grow my business? How do I effectively monitor my outsourced activities? Am I paying enough attention to the risk I am taking on?
With every business having its own risk tolerance, there is no common approach or framework to operational risk management. However, by following these 7 steps to take control of operational risk, most companies can meet their fiduciary and regulatory responsibilities.
Operational Risk Management
Operational Risk Management (ORM) sets the framework for managing operational risks such as product liability, information security, IT system failure, frauds and even natural disasters. The ORM team performs analyses on operational risks and monitors operational risk loss and capital.
Operational risks relate to areas such as integrity and fraud, crime prevention, human resources management, information and communications technology, information security (including the risk of innovative multimedia), business continuity management, physical security, and outsourcing.
Operational risk management, both as a function and as a process, is at a crossroads.
On the one hand, financial institutions face a heightened risk profile, or at least the perception of one, and feel the pressure on that side. At the same time, regulators are raising their expectations of financial institutions in terms of the processes they must have in place: the governance, the data they are supposed to be gathering, and the overall efficiency of the risk management process.
That translates to a lot of pressure on the operational risk function and on the process itself:
to be more efficient,
to help prevent, or at least detect in advance, the next big operational risk event;
to do more with less;
to help institutions really meet their regulatory obligations and their regulatory deadlines.
When you put those things together, it becomes very clear that the recipe we've used in the past, throwing more resources at these types of problems, may not work this time.
There are three types of things that most organizations, most financial institutions are focusing on right now.
First of all, it's making the transition from a reactive to a proactive stance in terms of risk management. It is moving away from reacting to the latest operational risk event. Organizations are no longer in a position to be constantly in crisis mode, so that is one big area.
The second area is to strike the right balance between the first and the second line of defense: between the business, the revenue-producing side of the institution, and the oversight of that institution.
Thirdly, in order for operational risk and compliance functions to be really effective in this new environment, they have to ask themselves the question: “Do we have the right capabilities in terms of data, in terms of supporting systems, in terms of the processes we execute from a risk management perspective and, sometimes, in terms of talent?”
Here are two examples of projects that institutions can and should probably start thinking about today if they are not already working on them.
First of all, transforming risk and control assessments: taking a new look at why we're doing these risk and control assessments and, more importantly, how we're actually executing them. There is a lot of good work happening in the industry around new approaches to risk and control assessments and framing them in a process-based view.
The second type of project that institutions are working on has to do with risk aggregation and reporting. It is creating both the data structures that enable that and the infrastructures that support that. It's not an easy undertaking, it takes a lot of consensus building and data model building. Ultimately, that is the price for being able to construct an integrated view of risks and exposures and for having actionable management reporting.
______________________________________________
Are you interested in learning more?
Join hundreds of your peers in studying the online course:
Mastering Operational Risk: Theory and Practice in a Single Package
______________________________________________
7 Steps To Take Control Of Operational Risk
As a financial risk manager, one of the risks you need to consider is uncertainty within your own organization. Institutional or operational risks are many – employee wrongdoing, computer errors, attacks (physical or cyber), for example – and too numerous to list.
In managing operational risk, look to see how tight or loose the workplace is. Too loose a workplace leads to errors, inefficiency, bad discipline, frustration for talented employees, and damage from lazy or incompetent ones. Too tight a workplace leads to people hating their jobs, stress, and barriers to innovation; it can attract people who like to boss others around rather than do any work themselves.
To help change operational risk to opportunity, concentrate on business practices that make work fun, build a useful business, meet social needs and contribute to employee career development, personal growth, and financial security.
There is no one-size-fits-all approach to operational risk. However, by taking these 7 steps you will have more control over the operational risk of your business.
1. Evaluate the types of risk you are exposed to, assess your risk tolerance, and then perform a top-down analysis to determine where to focus your program. Essential outputs of the program should be KRIs, KPIs, and a thorough understanding of where your organization wants to concentrate its efforts. With limited scope for automating this process, you need to invest time and resources to perform a proper evaluation.
2. Establish a formalized process for assessing inherent operational risk and the appropriateness of mitigating controls when the company undertakes significant changes. The operational risk assessments made as part of the change management process should generally be performed by the first line of defense. This risk assessment process may consider:
inherent risks in the new product, service, or activity;
changes to the company's operational risk profile and risk appetite;
the required set of controls, risk management processes, and risk mitigation strategies to be implemented;
the residual risk (the risk left unmitigated after controls); and
changes to the relevant risk limit/threshold.
3. Perform scenario analysis. It is a process of identifying potential operational risk events and assessing their potential outcome and impact on the company's operations. Scenario analysis can be an effective tool for considering potential sources of operational risk and the need for enhanced risk management controls or mitigation solutions.
In order to use scenario analysis effectively as part of a risk management program, the operational risk scenarios developed should consider both the expected and the unexpected organizational response to an operational risk event or event type. If scenario analysis is used as an input into the quantification or estimation of operational risk exposure, the second line of defense should review whether the chosen scenarios are appropriate and consistent with the scenario analysis program.
4. Cybersecurity is an important aspect of controlling your operational risks. With heightened regulatory pressure, cybersecurity risk is high on the radar of most managers and investors. Many companies have implemented internal programs such as penetration testing and social engineering testing. In the last few years, as regulators increasingly look to protect the industry and stay ahead of cybersecurity threats, guidance on responding to this risk has been released by FINRA, the SEC, and DFS, to name a few.
5. Take control of outsourcing. Outsourcing is an increasingly frequent source of operational risk.
Many companies are only worried about the top 10% of outsourced arrangements – the ones they spend the most money on. That is not necessarily reflective of their risk profile. They may be spending millions with a global outsourcer, but it may be a small outsourcer with not-very-mature controls, holding some key customer personal data, where they suffer a loss.
In many cases, outsourcing providers actually outsource to other organizations, so it becomes a massively complex ecosystem. Companies still have overall responsibility for ensuring that the data is controlled and secure.
Companies need to know exactly where their customer data is held at all times and be able to present this data on demand in a portable format. That will require a thorough understanding of a complex web of relationships with various outsourcers.
6. Taxes should also be viewed as an operational risk, not just a compliance function. Effective risk management programs involve the C-suite regularly assessing tax risks, and reviewing local tax changes in the context of business operations. Incorporating tax into your risk management program, and engaging the organization in the tax discussion not only provides institutional buy-in but fosters an understanding of what exposures could exist for simply missing a business or tax law change.
7. The election of Donald Trump as US president, along with the UK's vote to withdraw from the European Union, have combined to push geopolitical risk into the top 7 this year. Excluding the biggest overall risk for business – the changing environment in the financial industry itself – as a strategic risk, the biggest remaining risk results from our rapidly changing world order and its implications for the financial sector.
No company can be sure that an investment or market entry into foreign countries that makes sense at the moment will not backfire in a couple of years. To ignore this reality and not think about possible scenarios might prove very costly for international branches in the upcoming years.
Risk managers and company leaders should take a fresh look at their operational risk programs. Focus on the essential processes that underlie your business and the inherent risk that they drive. These 7 steps to take control of operational risk will help you get a clear oversight of your systems, processes, and people to prevent failures that lead to costly financial and reputational damage.
I hope that this blog post will help you to assimilate risk management practices into processes, systems and culture. Please share your comments, your views and case studies on what works and what doesn't in your practice.
Comments
Peter,
Thank you for your comments. I checked your company website and I see that you're doing a ground-breaking development like implementing AI in the Risk Management space.
Please share your experience on our blog in a separate thread as I believe many members would be interested to hear about this development.
What are the major challenges in implementing the AI approach, do you have some case studies?
Boris
Hi Boris,
Very much enjoyed reading your blog and totally agree that companies need to take a more integrated approach to managing and monitoring their operational risks. But I'd like to correct your comment about there being no common approach or framework to operational risk management. This once may have been the case, but recent advancements in AI technology are now making it possible for companies to accurately monitor and control their operational risks within a common risk appetite. Indeed, my company has developed such a system, and there are many more trying to do the same. If you want to know more, visit www.compliance-master.com. Regards, Peter