What’s on your agenda for 2023? The Best Practice Operational Risk forum, comprising risk executives from 50 international financial services firms, discussed and ranked key priorities for this year.
Embed risk management and empower 1st line
The perpetual topic of embedding and increasing ownership in the first line is yet again topping the chart. Exercising prudent decision-making by managing risks that may prevent areas from achieving their own objectives seems intuitively the right thing to do. Yet, participants agreed it remains a challenge – disputes over accountability remain; risk assessments at times are an afterthought to decisions already taken; risk management is seen as an additional task of risk administration.
Drawing parallels with Credit risk management, organisations are unlikely to lend money to a client without conducting a credit risk assessment. Similarly, Operational risk assessments, well timed and well executed, should simply become second nature. The measure of success is the business wanting to use risk management tools because they add value, and governance committees rejecting business propositions that lack a clear articulation of Operational risks. Significant progress has been made; however, we are not at the point of arrival yet, and need to collectively continue being the change agents instilling good practices.
Further mature framework and tools
Despite organisations being at different stages of their Operational risk management maturity, common areas of focus included:
- Enhancing Operational risk appetite and quantitative measures – this area continues to actively develop;
- Simplifying and creating more meaningful risk reporting;
- Focussing on RCSA methodologies, and moving towards assurance and control testing, whether conducted by the 1st or 2nd line units.
Evolve Operational Resilience
Starting pre-Covid and continuing post-pandemic, the topic of Operational Resilience gained momentum, also following the publication of the Basel Committee’s principles. Multiple participants acknowledged the focus on enhancing practices, embedding resilience group-wide and focussing on client experience. It is important for risk professionals to be present at the table and to integrate Operational risk and Resilience effectively, avoiding parallel frameworks and silo approaches.
Automate & Invest in Risk Systems
There is a notable shift towards the use of Operational risk software. While a decade ago Excel-based loss and risk and control databases were somewhat common, this is no longer the case. With data accumulated over the years, even small to medium-size organisations opt for systematic solutions. The use of AI in risk management is also increasing, with many GRC system providers now offering functionalities such as predictive analytics.
Priorities included:
- Implementation of a new GRC system;
- Improving existing technological capabilities to reduce reliance on Excel;
- Expanding the use of the Operational risk system to first-line users;
- Automating parts of risk reporting.
Enhance Risk team’s capabilities
Participants aimed to strengthen core skills and capabilities, especially in IT-related areas, to address Cyber and Information security related concerns. The 2nd line’s ability to oversee and constructively challenge these technical areas is vital. A viable alternative to expert recruitment is periodic commissioning of an external specialist firm to carry out deep dives, e.g. cyber maturity assessments.
Focus on specific risk-type management
Five risk sub-types were of particular focus this year, namely:
- Cyber
- Financial Crime
- Third-party
- Change
- ESG
The first two are specifically called out in the recent European Banking Authority (EBA) Risk Dashboard Q4 2022, where the EBA notes that overall, ‘Operational risk remains a key concern’. Times of financial market volatility are the perfect backdrop for criminals who will aim to profit from instability in any way possible. Risk professionals need to note the EBA’s opinion with all the seriousness it deserves, reviewing the risk and control environment and doubling defences. Proactive and robust risk identification, control testing, and focus on the company’s risk culture – or, collectively, risk management embeddedness – will enable firms to remain resilient.
In conclusion
This year’s Operational risk priorities are not drastically different from previous years. The primary focus remains on embeddedness, instilling and cementing sound practices in our organisations. Albeit slowly, we are collectively headed in the right direction, with Operational risk professionals being the agents of change.
Change will not come if we wait for some other person or some other time. We are the ones we’ve been waiting for. We are the change that we seek.
Barack Obama