Financial services firms have put a lot of focus on operational risk over the past couple of decades – and more recently, on operational resiliency. However, some operationally complex industries have been formally managing operational risk and resiliency for decades, and so have a significant amount of experience to share about these disciplines.
At a recent MetricStream breakfast in London, risk executives – both speakers and audience members – came together to talk about the potential lessons that financial institutions could learn from organizations in other industries. Below are 10 important insights the gathering discussed during the event:
Every organization is different, and so every op risk or resiliency framework will be as unique as the organization’s operating strategy. Certainly, standards and regulatory guidance are available as a place to start from. However, fleshing out any risk framework begins with understanding the risks the firm faces, its appetite for taking risk, and how the organization’s strategy should align with its risk framework and appetite. If another part of the organization is charged with looking at strategy and strategic risk, it’s important to have an open dialogue with them. Also, boards, audit committees, and senior managers might have different perspectives on the impact that risks can have and the levels of resiliency required. These differing perspectives contribute to the uniqueness of the organization’s operational risk and resiliency picture.
Operational risks cannot be measured with the same level of precision as financial risks – such as credit risk and market risk. While this has long been viewed as a challenge within the discipline, financial firms should embrace this ambiguity, and learn to think about operational risk and resiliency differently. It’s important to understand that quantitative indicators can be helpful, but they are only indicative and not exact depictions of reality. Think about the risk framework and risk reporting as prioritization tools. They can help executives understand the relative impact a risk might have, the accountability within the organization for the risks, why the level of risk has changed, and what the new, emerging risks are. Avoid talking about financial risk and operational risk side-by-side, to side-step the common error of perceiving op risk and financial risk data as the same kind of information.
Today’s world moves faster than ever before – technology, regulation, and other important aspects of a firm’s ecosystem are evolving at accelerating rates. Gone are the days when frameworks had to be considered comprehensive – today new risks are emerging all the time. As a result, operational risk management and resiliency teams need to be nimble, and so do their frameworks. The framework should be a set of guidelines – it does not codify a decision-making process, or provide “the answer.” It should be constantly updated and refined.
Certainly, there are times when risk should be thought of as binary – for example, when life could be at risk, or when certain ethical or regulatory standards are involved. However, the rest of the time, it’s much more useful to think about risk and resilience as being a spectrum, which organizations can dial up and down. Operational risk teams should look at operational risk and resiliency reporting they produce for the business, senior management, and the board and consider how the reporting reflects and supports the way the organization should be making strategic and tactical decisions. For example, does the reporting box executives into binary thinking about risk, or does it provoke a more nuanced exploration of non-financial risks?
It can be very easy for a group to consider a risk from a limited number of perspectives – it is a natural human response to want to be in agreement with others. To bring a diversity of perspectives into a room, think about assigning individuals the task of considering a risk from other perspectives, such as those of a customer or a third-party vendor. Encourage the individuals to share these alternative perspectives so that the whole group can gain a fuller understanding of the potential impact of a risk, and of what the important elements of an operational resiliency approach might be.
The risk framework should align the board and senior executives behind it. Much is said about the importance of the “tone at the top” for achieving engagement from the whole organization. It’s all true. However, the framework must also have acceptance all the way down to the front line, customer-facing employees, and the tone from the top will only help to a point. Operational risk teams should be sure the right policies, processes, tools, and training are in place to align the whole organization with the cultural values the risk framework represents.
Risk management as a discipline can often seem to focus exclusively on the “what not to do” things – how not to buy a company, how not to do a process. It’s important when talking about risk and resiliency to discuss the upsides these disciplines can create as well. Questions to ask include: What are we trying to achieve as an organization – what are our goals? How does the way we take risk reflect our strategic priorities as a business? What does managing risk and resiliency well enable the company to do? What value does it help generate? Applying these questions could help the organization see operational risk and resiliency in a new light.
Organizations tend to create frameworks that reflect previous experience and actions – this is human nature. However, taking this approach – either consciously or unconsciously – can result in bias. A real-world, high-tech example of this concept is the Amazon automated CV processing gender bias incident. Amazon wanted to automate the initial stage of processing CVs for many of the roles it hires for, and so it created an artificial intelligence program that would sift through CVs. It trained the tool by feeding it past CVs as well as previous decisions about whether to take the candidate forward. When the project was done, Amazon discovered that the tool was making gender-biased decisions about candidates – because the information that had been fed into it was biased. The AI program simply magnified the level of bias that human beings were making to begin with.
Organizations can be unintentionally biased in their decision-making, including decisions about risk and resiliency, and this can be hard-wired into the organization by the risk framework. Operational risk teams should be asking themselves what unintentional biases their risk framework and resiliency programs are amplifying, before they emerge as loss events.
Open and honest discussion about risks and resiliency requires individuals to be able to be candid in their views with others, particularly those in positions of authority. Organizations that “shoot the messenger,” for example, are unlikely to be places where individuals feel comfortable flagging risks or pointing out resiliency issues. Within the firm’s culture, having the ability to challenge is essential – intelligence about risk and resilience needs to flow up and down the organization fluidly. Overall, of course, the nature of the culture that a firm has is extremely important. Within financial services, accountability for culture is now being hardwired into the UK industry through the Senior Managers & Certification Regime (SM&CR). This is already in force for banks and has a December implementation deadline for other types of financial services firms. Other countries are considering implementing a similar regulatory approach. With individual executives now formally accountable for certain risks, a failure to be open to “bad news” that might alert an executive to a potential risk could eventually have career-ending consequences.
It may sound cliché, but an operational risk framework really should be an ongoing journey. What it should not be is a manual that gathers dust on the shelf. The framework should come alive through the sharing of risk intelligence and having lively discussions around that intelligence. So, the operational risk team should consider carefully how it brings the risk framework to life within the organization today, to support everyone on that journey. Better risk management processes, enhanced reporting, improved communications and other steps can all contribute to a vibrant, successful culture and risk framework.