Quantifying Operational Risk

Quantifying operational risk is not an easy task, especially without a methodical approach. Poor measurement is getting increasingly expensive for many organisations, so we would like to discuss solutions using integrated risk management.

In our previous roles, all of the Alyne founders supported organisations - mainly in financial services - in identifying, managing and reporting various aspects of operational risk. We were in a unique position to observe some commonalities between different organisations’ approaches to these topics and also identified some common challenges. In the following post we would like to outline our vision of how operational risk management processes can be transformed through integrated risk management.

Oprisk on the rise

The Alyne team has had the privilege of working with some of the senior financial services experts in London by being selected for the Barclays Techstars program. We had conversations with more than 90 individuals over the past 5 weeks and one common theme is the steady rise of operational risk as a focus point in internal risk functions as well as for regulators. This also means increased scrutiny on the capital reserves held for exposure to operational risk for regulated financial services companies. Unfortunately, processes for identifying and quantifying these risks are often very manual in organisations of all sizes.

Welcome to the main stage

There are a number of reasons for the consistent increase of operational risk. One of the main causes is the increased reliance on vendors to provide services supporting the core business. Read more on this risk in our blog series on Vendor Governance. Growing cyber risks and continuous digitisation of processes are further large contributors to this trend. Many organisations and regulators alike are recognising that currently established manual processes are no longer sufficient, or economical, for managing this level of risk and creating an active risk culture throughout the organisation.

One of the main reasons oprisk processes are so tedious is the fragmentation of risk management tools. Programs and projects use their own spreadsheet-based risk registers, business units might report core risks in a quarterly presentation, line 2 risk might operate a GRC (Governance, Risk & Compliance) tool, and audit tracks its risks in an audit management tool. Gaining real-time risk insights is nearly impossible in this structure. A final weakness is that identified risks are not linked to established controls or to the relevant regulatory and legal requirements, which further complicates compliance processes.

Integrated risk management

Gartner’s John Wheeler and Alyne seem to have come to very similar conclusions on what smart oprisk management solutions need to look like to solve these problems. John summarises these solutions under the term “integrated risk management”. We believe this requires a solution to be easy and fun to use in order to engage risk stakeholders on an ongoing basis. It needs to convey a tone from the top that emphasises and encourages an active risk culture within the organisation, using agile methods of interaction. The solution must also be able to provide a methodical approach for quantifying operational risk exposure and appetite, without being too rigid. In identifying operational risk, the solution needs to support scalable assessment capability, rather than relying on manual sample-based approaches. Executed correctly, integrated risk management will enable organisations to focus their spend on risk mitigation rather than risk identification and management.

At Alyne, we believe we have a compelling solution to provide integrated risk management. Watch this space for a use case video demonstrating our capabilities.

Author: Karl Viertel
About the author
Founder & CEO of Alyne, IT security professional, gadget enthusiast.