Operational risk management in financial services
April 2018 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
April 2018 Issue
Over the course of the last decade, operational risk management has evolved into one of the biggest concerns organisations face. In the financial services industry, as a result of technological advancements, organisations have grown in both size and complexity, developing multifaceted networks of products and services. These networks present both opportunities and challenges for companies to overcome, both internal and external. Issues must be managed correctly if companies are to avoid incurring losses from operational risks.
Inadequate processes, inefficient hardware and failure of existing systems can cripple operations. Communication breakdowns, employee error, cyber crime, political upheaval and fraud also present potential risks.
Financial institutions (FIs) must have processes in place to deal with such risks and foster the right approach. An FI’s attitude toward and relationship with risk has a significant bearing on its ability to generate revenue. It influences behaviour, which has both intended and unintended consequences. Moreover, risk considerations can determine an FI’s business model, strategy and culture.
Operational risk management exists to add maximum sustainable value to the activities of an organisation. According to the Basel Committee on Banking Supervision, operational risk can be defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems and operations risk, people related risks and health and safety, and information technology risks”. Under the Basel Accords, operational risk can be broken down into seven areas: internal fraud; external fraud; employment practices and workplace safety; client’s products and business practice; damage to physical assets; business disruption and systems failures; and execution, delivery and process management. Outside of the Basel Accords, other areas of risk must also be evaluated, such as legal, reputational and market risk.
One of the most important aspects of an FI’s approach to risk management is its risk appetite statement. This statement acts as a bridge between an FI’s strategy and its day-to-day operations. It can lead to more effective business decisions. However, operational risk appetite needs to be an integral part of the overall risk framework, and must be measurable. Indeed, for some analysts, poor management of operational risk is precisely what led to the collapse of global markets in 2007 and the subsequent financial crisis.
A holistic approach
The financial crisis, the rise of cyber criminality and the emerging tech and data revolution, have reshaped risk management. In the aftermath of the crisis, FIs have been subjected to more regulation, much of which has been burdensome. To cope with these regulatory demands, FIs have been forced to introduce additional and specialised operational frameworks, rather than a core framework that can accommodate risk management with common attributes. For George Clark, chairman of the Institute of Operational Risk, much of the recently-introduced regulation is duplicative and lacks coordinated thinking.
Prior to the crisis, few institutions took a holistic approach to risk or fully understood the impact of their strategic decisions. In the post-crisis reality, a solid operational risk management framework creates a relationship between an FI’s strategic goals and operational activities, and the decisions of its management team. This can help protect against losses, liabilities and brand damage.
The right risk strategy will encompass everything about an organisation. A ‘root and branch’ analysis is required to design an effective operational risk management programme. Factors such as security, safety, internal controls, policies, procedures, employees, cash handling, inventory and liability coverage should be considered. The potential damage that each risk factor could cause to the company should be explored. Then, efforts must be made to mitigate transfer those risks.
Leading from the front
Since the crisis, more is expected of boards of directors and senior executives when it comes to risk management. The emphasis is on leaders to understand, articulate and manage risk across the enterprise. Part of this means defining the organisation’s risk appetite and transmitting that message across the company.
As Mr Clark, explains, “It is critical to involve senior management as they drive the ‘tone from the top’ conversation which others listen to and which sets their daily agenda. When building and implementing an operational risk programme it is vital to understand the difference between change management and project management. It is a reality that operational risk frameworks are atypical across the financial services industry. Some are more automated, some have better indicators or are better in other features. Tailoring the framework to the organisation helps buy-in, but at a cost in design, build, implementation and maintenance. It is the quality of the implementation that is the key differentiator. Understanding change management theory and the need to build influence with all stakeholders, who in turn become advocates, defines the opportunity to achieve adoption and maturity. That is often not a core skill for risk practitioners and the downside is that it will add substantial time to the plan. I would simply state: fail to plan, plan to fail.”
FIs must develop a change management plan to reduce disruption. If they fail to truly get to grips with change management, they will be unable to properly assess risk management challenges. Digitising the change management process, for example, and guaranteeing that all changes to the FI’s operations are documented and stored electronically for easy access, can be advantageous but requires strong leadership from senior management.
Risk management function
FI’s need to systematically and objectively identify, analyse and evaluate risks. They must also design and implement activities to manage risks within defined parameters. Those tasks should also inform strategy and development plans. This risk management function plays an important role in directing the company’s operations. It should be regularly reviewed to ensure that corporate values are being maintained and ethical and social responsibilities are being met.
Ultimately, business leaders need to accept and acknowledge the existence of the risk category, its related discipline and toolset, according to Mr Clark. “Within financial services, this is recognised by regulators seeking evidence of the ‘use test’ and the need for a ‘tone from the top’ which drives acceptance, adoption and ownership by everyone involved,” he says. “Certainly a function can give this focus, but the expertise it brings will be dependent upon the organisation’s understanding of operational risk, which then defines the level of competency that it thinks it needs. Companies’ management of operational risk is dependent upon that interpretation and many do not yet fully understand the richness and depth of competency needed to identify and manage the sources of operational risk. Specific technical areas such as fraud and information security, for example, are well understood. The main gap is differentiating between risk managers and process or control experts,” he adds.
Moving forward, operational risk management must improve. Digitisation, automation and outsourcing are increasingly important to the world of financial services, so organisations must continue to evaluate their changing risk profile. Digitisation has become deeply embedded in banking and financial services, as it offers advantages with respect to customer experience, revenue and cost. Advancements including process automation, decision automation, digitised monitoring and early warning systems are being used to good effect. According to McKinsey, utilising digital risk initiatives to improve the efficiency and effectiveness of risk management can reduce operating costs for risk activities by 20 to 30 percent.
Though gains can be found in efficiency and productivity, as well as enhanced risk effectiveness, cyber threats will continue to keep chief risk officers awake at night. Cyber criminals have evolved. With the sophistication and magnitude of attacks increasing, FIs must develop new and innovative approaches to cyber security. FIs must coordinate and align their cyber security provisions and their operational risk function. Creating greater links between these functions, as well as improving communication at board level and developing an appropriate response plan, will allow FIs to become more resilient.
One thing is for sure, managing risk is not getting easier. “I would argue that we already misunderstand the rich competency needed to be an operational risk practitioner but in the future I would expect to see more social engineers, psychologists, strategists and master degree students in operational risk,” says Mr Clark.
Today, more than ever, companies must be aware of their risks and their relationship to those risks. Operational risk management has a crucial role to play in helping FIs meet their strategic objectives. This requires establishing a strong operational risk management framework, supported by performance indicators. Senior leaders must continue to cascade risk tolerance levels throughout the company.
“An effective framework improves the flow of data, which in turn allows for better and often quicker decisions,” says Mr Clark. “An understanding of how the data is influenced along the way also helps. An effective framework that is aligned with the organisational customer-value-service-profit chain and is dynamic to that chain, will undoubtedly deliver value-added benefits. It can stop bad things from happening, inform better and safer ways of achieving the desired outcome, improve accountability, offer challenge and governance to change and track risk objectives and appetites,” he adds.
Setting the right ‘tone at the top’ is key to successfully managing operational risk. The board and senior executives must tie together operational risk, compliance and IT functions. However, effective risk management cannot be developed in a vacuum. The right ‘tone at the top’ is only part of the puzzle. There must be an effective and risk-aware culture throughout the FI, and though the board and senior managers set that tone, it requires the buy-in of the entire organisation. Middle-managers and employees ‘at the coal face’ have an important a role to play, as they are the ones implementing decisions made at senior level. FIs need to ensure their culture develops effectively.
Operational risk is one of the biggest challenges facing modern FIs. With the diversity of risks increasing, as cyber becomes ever more prominent and additional regulatory burdens weigh heavily, it is becoming harder for FIs to remain compliant. Institutions need to understand the latest threats and changes to operational risk to ensure they limit future penalties and potential reputational damage. Key areas such as analytics, risk controls and risk culture must be strengthened if operational risk management is to prosper.
© Financier Worldwide