KNect365 is part of the Knowledge and Networking Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 3099067.

Informa

Operational Risk is back and at the forefront of Risk Management priorities

PWCFollowing a close examination of banks’ risk management frameworks, Rami Feghali, Partner, PwC France, FS Risk and Regulation Lead and Aurélien Borde, Partner FS Consulting, PwC France state that operational risk is now at the forefront of Risk Management priorities, over ten years since the financial crisis.

Since the financial crisis, banks have dedicated significant costs to operational and non-compliance risks. While credit risk and market risk are perceived as relatively stable within a mature risk management framework, Operational Risk is growing in importance.

New risks are emerging in the context of increasing digitalisation, connectivity and social sensitivity: IT, Cyber, Third Party, and Conduct Risk to name a few.

The regulatory environment has increasingly become more demanding and intrusive. For instance, the European Central Bank (ECB) has performed detailed examinations on banks’ Operational Risk management frameworks, including ICT (Information and Communications Technology) risk management, along with deep reviews of the comprehensiveness and efficiency of their internal control frameworks. This has led banks to invest in significant financial and human resources to overhaul their Operational Risk frameworks.

From what we have observed at large European banks, we believe three main areas require specific attention:

-          The organisational model that fits the new needs of the risk management function.

-          The effectiveness of risk and control assessment and monitoring.

-          The opportunity offered by data and IT innovations to better monitor risks.

Building a new organizational model to achieve the new needs of the risk management function

There are several challenges that underpin the organisational model of operational risk management: consistency between Operational Risk and other second line of defense functions such as Compliance, managing the scarcity of specific skills, such as cyber-risk management, and the necessity to spread Operational Risk culture across the three lines of defense.

Consistency is needed between Operational Risk and Compliance, so that both functions have a common taxonomy of risks, the Compliance risk assessment and risk and control self-assessment exercises are connected, incidents are managed using a consistent process, and coherent consolidated reporting is available. While very different levels of integration exist in large institutions, at the very least, one function needs to define and steer a common framework for all non-financial risks and controls.

Since the financial crisis, banks have dedicated significant costs to operational and non-compliance risks. While credit risk and market risk are perceived as relatively stable within a mature risk management framework, Operational Risk is growing in importance.

With the emergence of new risks, Operational Risk functions need to adapt their resources by hiring subject matter experts. Managing specialized skills often leads to the creation of specific departments within Operational Risk, such as an Information and Communications Technology (“ICT”) risk (including cybersecurity), Fraud, Third Party Risk Management, etc. These require finding the appropriate organisational structure to ensure coordination and consistency across these specialised teams.

In addition, clarifying and streamlining tasks and responsibilities across the three lines of defense is needed. Risk management happens in the first line: the business must be proactive in self-identifying the inherent risks within its activities and seek solutions that would address and prevent them. This requires a robust governance in the first line of defense, where the heads of business lines are accountable for the risks they take while dedicated supporting functions within the first line can help facilitate the risk management processes.

On the other hand, the second line of defense should have the ability to challenge the first line’s assessments and to ensure the Operational Risk framework evolves and remains relevant when new risks emerge (new threats, business changes, etc.).

A more valuable risk and control assessment and monitoring

In certain organisations, the Risk and Control Assessment is viewed as a reporting exercise, and not as a risk management tool. It typically provides a snapshot of the organisational risk profile at a given point in time and is not updated before the next cycle (generally between one and three years).

Instead, a more frequent Risk and Control Assessment should be designed and implemented, in such a way that it helps heads of business lines with day-to-day risk management. This requires a tool that can collect and process data from various sources (losses, incidents, transaction data, control monitoring KPIs, etc.) in an automated manner, and provide standardised and meaningful assessment outputs.

Consistency is needed between Operational Risk and Compliance, so that both functions have a common taxonomy of risks, the Compliance risk assessment and risk and control self-assessment exercises are connected, incidents are managed using a consistent process, and coherent consolidated reporting is available.

Defining an appropriate granularity in the taxonomy of risks as well as in the supporting taxonomies of processes and activities is a real challenge which requires a right balance between the needs of the business vs. the needs of the other lines of defense to monitor them.

New data and IT investments to monitor risks

Data plays a vital role in effective and efficient risk measurement. Regarding Operational Risk, internal loss data has been collected, stored and used for years but the quality of data often needs improvement (e.g., allocation to the correct event type, documentation).

As part of Basel IV, the Advanced Measurement Approach is proposed to be replaced by the Standardised Measurement Approach for the calculation of Operational Risk capital requirements and internal loss data plays a major part in the calculations. This change may lead regulators to shift their attention to loss data collection processes and quality of the data supporting these processes.

The sharing of databases and common tools between control functions and across the lines of defense has become another major challenge in the transformation of the Operational Risk function.

Human and financial investments are necessary to adapt the Operational Risk function as a whole to meet increasing expectations from regulators and stakeholders. In spite of the current context of cost pressure, it is essential to invest in robust systems to build strategic solutions. This is how banks will manage their risks effectively, and also save costs in the long-term.

Get articles like this by email