Banks and financial institutions are on the cusp of a new operational risk paradigm. Technological breakthroughs, new business models, changing customer expectations, macroeconomic conditions, geopolitical developments, and evolving risks and regulations have brought a tectonic shift in the way banks and financial services organizations operate – particularly in the post-COVID-19 era.
The recent upheaval in the banking industry has underscored the urgent need to modernize the approach to operational risk management (ORM). While the main reason for the closure of a US bank might have been its liquidity risk or its portfolio concentration risk, a closer look reveals that effective operational controls would have helped to proactively identify and mitigate the risks.
How can chief risk officers (CROs) and risk managers rethink ORM to ensure its relevance and effectiveness? How can they revise their approach to best tackle competing risks and priorities? How can they improve organizational preparedness and resilience for what’s next?
Before we explore that, let’s look at how the scope of ORM itself is evolving.
ORM is not a new concept. It emerged as a formal discipline in the early 2000s when the Basel Committee on Banking Supervision (BCBS) published the Sound Practices for the Management and Supervision of Operational Risk. Over the course of the past two decades, ORM has steadily gained importance as a conventional practice with financial institutions actively identifying and managing operational risks.
Traditionally, ORM involved the process of identifying and assessing risks, defining risk mitigation and remediation strategies, implementing controls, and reporting to the top management and the board. However, with the evolving business environment and fast-moving risks, banks and financial services organizations today are expected to not only manage risks but also ensure operational resilience.
Operational resilience is the ability of an organization to protect and sustain critical business competencies when faced with major operational disruptions. It requires going beyond risk management and business continuity and building the ability to not just prevent and mitigate risks, but to respond to and recover from risk events and also learn from them. The focus on risk preparedness and business continuity is growing, from both regulators’ and organizations’ perspectives. From a practical standpoint, CROs need not undertake a radically different strategy; they can build upon the traditional ORM approach:
We’ve come a long way since the financial crisis of 2008. The COVID-19 pandemic and the most recent banking crisis served as real-world tests of the risk management programs and operational capabilities of the banking and financial services industry. The post-2008 regulatory efforts have helped the sector establish necessary controls to effectively mitigate risks and stop them from becoming systemic. But there’s still room for more.
From the regulatory standpoint, the line between operational risk and resilience appears to be blurring. Some of the notable developments include the EU’s Digital Operational Resilience Act (DORA), the UK BoE/FCA/PRA Discussion Paper “Operational resilience: Critical third parties to the UK financial sector”, Australia’s new prudential standard aimed at managing operational risks and responding to business disruptions, and Hong Kong’s Supervisory Policy Manual (SPM) module on Operational Resilience, among others.
In an interagency paper titled “Sound Practices to Strengthen Operational Resilience,” U.S. financial regulatory authorities, including the Board of Governors of the Federal Reserve System, the OCC, and the FDIC, describe operational resilience as an “outcome” of an effective ORM program:
“Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.”
In its “Principles for Operational Resilience,” the BCBS has organized the principles in seven categories – governance, operational risk management, business continuity planning and testing, mapping of interconnections and interdependencies of critical operations, third-party dependency management, incident management, and resilient information and communication technology (ICT), including cyber security.
Today, CROs are not only tasked with risk management activities in the traditional sense but also expected to be abreast of market trends, industry best practices, and regulatory developments, and align their risk and resilience strategy accordingly. It’s time for CROs to rethink their operational risk management program so that it is agile, forward-looking, and resilient.
Here are the key considerations for modernizing the ORM approach:
It's important to go beyond the traditional risk types to include more relevant, recent, and emerging risks, such as economic uncertainty, digital risks, human-factor risks, environmental risks, geopolitical instability, and liquidity crises, among others. Equally important is to understand the interconnectedness among these risks to ensure a holistic and all-encompassing approach.
CROs today can leverage artificial intelligence, machine learning, and advanced analytics for predictive risk intelligence. The data-driven insights can help to quickly identify trends, patterns, and correlations, enabling organizations to effectively mitigate risks and reduce operational losses.
Risk quantification, i.e., quantifying risk in monetary terms, can help assess the risk exposure and impact, enabling risk teams to effectively prioritize risks for appropriate mitigation and remediation strategies. It also enables CROs to effectively communicate the risk posture with the executive management and board.
It is also advisable to maintain a playbook that details the response strategy pertaining to different risk scenarios. When faced with a high-velocity risk event, having pre-defined roles and responsibilities, knowing the corrective action and how to respond can go a long way to improve organizational readiness and reduce the severity of impact.
Today’s fast-moving risks warrant an agile risk and resilience strategy. Technology-based software solutions can support CROs in driving such a program by automating and integrating risk management processes, transforming risk reporting with advanced risk analytics, incorporating autonomous assessments based on asset value and business impact, and providing actionable insights in a timely manner. These tools also help create bandwidth for risk teams to focus on more critical tasks.
Managing operational risks needs to be in line with today’s dynamic risk, regulatory, and economic environment, technological advancements, as well as an organization’s strategic business goals and objectives. An agile and holistic operational risk and resilience strategy requires time, investment, management’s attention, and continuous monitoring. But when done properly, it can transform an adverse situation into an organization’s strategic advantage, enabling them to drive business value.
The MetricStream Operational Resilience solution is purpose-built to support CROs in their efforts to effectively manage operational risks and prepare for potential disruptions. It helps organizations meet complex business needs by automating workflows, driving integration and collaboration, and enabling real-time reporting. By embedding risk management best practices into business continuity planning, it helps boost organizational readiness and resilience.
Metrics such as Recovery Time Objective (RTO), Recovery Point Objective (RPO), downtime, incident frequency, incident response time, and Mean Time to Recover (MTTR), among others, help measure an organization’s operational resilience. Other key considerations include ensuring risk exposure is aligned to risk impact tolerance levels and that business impact analysis (BIA) results are well within the limits as per the business continuity results.