Operational Risk Management in Financial Institutions
Operational Risk is a generic term officially coined in 1991 by COSO. In the early days of its conception, it was simply a hard-to-define category for residual risks that fell outside of market risk and credit risk in financial institutions. This new label covered a scope of risks arising from the likes of cyber or information technology (IT), business disruption, legal liability, human motivation, fraud and even infrastructure. Some banks use the term Operational Risk synonymously with non-financial risk. It has since grown into a major focus area for internal risk functions and regulators, resulting in increased scrutiny of the capital reserves held against operational risk exposure. Operational risk is high up on the management agenda (both inside financial institutions, and out), and titles like ‘operational risk manager’ are now commonplace. Growing cyber risks, reliance on vendors and the continuous digitisation of processes are further primary contributors to the focus on Operational Risk Management.
Basel II, although published in 2004, was only implemented in most major economies after the financial crisis of 2008. Its purpose was to improve international banking standards by establishing capital management requirements that ensure a bank holds adequate capital to protect itself from the risks it is exposed to. Basel II uses a concept of three pillars:
- Minimum Capital Requirements (Addressing Risk)
- Supervisory Review
- Market Discipline
We will dive into more detail on these topics in the next article of this series. Basel II reformed banking supervision and placed a focus on the policy effectiveness of operational risk, along with its implementation. Hotly debated then, and perhaps still today, are questions around its definitions, data collection and the limits of quantification.
After the financial crisis, the Risk Management scope widened beyond merely market risk and credit risk to place great focus on operational risk as well. You can read more about this shift between Internal Controls over Financial Reporting (ICFR) & Operational Internal Control Systems in this previous article.
The challenge lies in the fact that Operational Risk Management, for many organisations, still remains distributed across many tools, with many still reliant on manual processes to identify, quantify and manage these risks. Organisations and regulators alike are recognising that the currently established manual processes are no longer sufficient, nor economical, in managing this new level of risk. Another core contributor to tedious operational risk processes is the fragmentation of an organisation's Risk Management tools:
- Different internal programs and projects likely use their own spreadsheet-based Risk Registers.
- Business units might report on core risks only in their quarterly review.
- Second line risk managers may operate a separate GRC tool.
- The audit team likely tracks their risks in an audit management tool.
This approach to managing risks makes gaining real-time risk insights nearly impossible. A final weakness is the lack of context linking identified risks to established controls and the relevant regulatory and legal requirements – further complicating compliance processes.
Real-Time Operational Risk Management
In the growth of many businesses, there is an inflection point where the need to manage risks in a more formal way arises - either driven by organisational growth, regulatory pressure or more demanding customers. With more complex technology, higher regulatory focus and more project-based work, spreadsheets can be an option and last for a little while, but there is often a tipping point where they are no longer viable. There are a few indicators that tell you when it is time for a change:
- Every question you ask about current Risk Exposure requires waiting for a manual consolidation of data for an answer.
- Your risk spreadsheets are on a network drive with multiple versions in the same folder.
- There are different formats and templates for capturing risks across your business.
- Risk Control Self Assessments are a significant burden for the business every time they are due.
The symptoms for inefficient Operational Risk Management processes commonly include teams not using the defined tools or spreadsheets and attempting to circumvent risk and compliance processes. A risk system that is not sufficiently flexible to adapt to organisational changes will also result in further avoidance of processes and oftentimes, additional manual effort. Lastly, if your Risk Register is populated by the stakeholder yelling the loudest in a meeting, you know you are not identifying unbiased risks sufficiently.
Successful Operational Risk Management will enable real-time risk insights for stakeholders and the Risk Management team. A structured risk identification approach is essential rather than relying on gut feel. Overall, aim to set up processes that:
- Save Time
- Keep Risk Management Lean
- Focus on Core Business Objectives
- Foster a Culture of Risk Awareness across the Organisation
Integrated Risk Management
Traditionally, Risk Management is a top-down approach, which leads to activity silos and decisions being made in ivory towers. Integrated Risk Management is a term that showcases the importance of Risk Management being at the forefront of corporate governance. It is focused on giving everyone access to the right level of information for their job function, and on making each business unit responsible for Risk Management across the enterprise. An Operational Risk Management solution should be easy and fun to use in order to engage stakeholders on an ongoing basis. It needs to convey a tone from the top, emphasising and encouraging an active risk culture within the organisation using agile methods of interaction.
Furthermore, the solution must also be able to provide a methodical approach for quantifying operational risk exposure and appetite - without being too rigid. In identifying operational risk, the solution needs to support scalable assessment capability, rather than relying on manual sample-based approaches. Executed correctly, integrated Risk Management will enable organisations to focus their spend on Risk Mitigation rather than Risk Identification & Management.