Operational risks are inherent to the banking and financial services industry, and effective management of these risks has been a fundamental challenge for companies. Sound internal governance forms the foundation of an effective risk management framework. To achieve this, companies need to define a consistent and comprehensive approach to managing risks.
A series of operational risk events across the world have given rise to a number of regulatory measures that have increased the complexity and cost of managing operational risks. While the impetus for effective operational risk management has grown significantly, organizations have been unable to evolve their processes to tackle these risks from a practical and proactive standpoint.
Many organizations continue to view Operational Risk Management (ORM) as an immature discipline and a regulatory, box-checking exercise that creates administrative and financial burdens, providing minimal benefits.
However, if executed effectively, ORM can lead to considerable financial and regulatory benefits: it helps organizations increase their profitability, financial stability, and visibility into the operations of business processes.
To achieve this, organizations need to define a consistent and comprehensive approach to managing operational risks. At the MetricStream GRC Summit 2015, held in London, risk experts discussed their thoughts on building a mature, effective ORM program.
Panelists David Ragan, Director of Risk and Compliance, Steamship Insurance Management Services; Umar Zaman, Chief Administrative Officer, Risk and Control, AXA; and Richard Flood, VP, UK Risk Management, State Street, talked about their perspectives, key challenges, and best practices with Brenda Boultwood, Senior Vice President of Industry Solutions, MetricStream.
Umar: There is tremendous pressure from regulators to define the organization’s risk culture. Regulators want to look at risks from a business perspective rather than from the risk officer’s viewpoint. To gain a clearer picture, regulators prefer to understand, from the business line managers, the risks that the organization faces, the corresponding mitigative controls, and the risk management approaches.
Another key priority is to be able to aggregate risk data from different locations and ensure we have real-time visibility into our business processes.
Richard: Similarly, for me, a priority is to manage all kinds of risks such as vendor risks, non-financial risks, technology risks, cyber risks, and BCM in addition to operational risks in a single place. ORM acts as a bridge between all these risk areas as it deals with the operational aspect of these areas. With a federated data model, we are able to integrate data from all these areas, which helps us carry out deeper risk analyses.
David: We have a strong risk culture and compliance processes in place. To comply with regulations and align ourselves to the organizational risk culture, we had to relook at the entire risk register, which helped us manage minute details of risk data, and map them to multiple levels.
Umar: Risk assessment approaches vary depending on the business processes within an organization. However, as a global organization, one needs to look at risks from a holistic perspective, and in a consistent manner. To address this challenge, we have identified key processes across business areas where we can use the same risk language. We were also able to define a methodology and approach that emphasizes this language, allowing us to address risks from multiple perspectives.
For example, we have various asset classes, and the risks in each of these classes are very different. However, the basic risk assessment process would be similar, with steps such as initiation, review, and approval. This allows us to aggregate risks at the process level, and highlight risks that are common across business functions.
Richard: I would say this is an opportunity for the risk function to touch base with the business. We don’t own the risks. When the business lines provide us with a set of risks, we are able to conduct a deeper analysis and help them manage those risks.
David: As we migrate towards first-line ownership of risks, it becomes critical to be not only a facilitator but also an influencer, persuader, and thinker. It is important for us to use technology to bring together all the necessary data in a risk register.
Umar: Everything boils down to defining a strong risk culture within the organization, and setting a tone-at-the-top and top-down approach is an important first step. This is followed by defining risk and compliance objectives with multiple perspectives for each function, which helps drive business performance. This risk culture has to be ingrained into every business function to be able to make an impact at an overall business performance level.
Richard: It’s very important to include a risk culture within the risk management approach at the early stages of a new product or process rather than adding it later on. This will help you make changes, based on feedback, to the risk management approach.
Defining a risk appetite at an early stage helps business users take calculated risks. Calculating the cost of risks would help users weigh the operational cost against the risk cost, helping them make better business decisions. Though calculating these costs is difficult because they are influenced by various external factors, doing so helps create awareness and risk acceptance. Additionally, it is important to calculate not only financial capital but also economic capital to be able to manage operational risks efficiently.
David: For small organizations, the difficulty lies in garnering enough financial resources to quantify risks. However, with the use of technology they can quantify risks at a smaller scale.
Richard: Considering the nature of our business, managing operational risk is very important for us. When I look at some of the key governance committees, most of the discussion happens around operational risks rather than financial risks, proving that operational risk is an integral part of ERM and the overall GRC framework.
Umar: Since we need to comply with various regulations such as Solvency II and ICAAP, we need to quantify our risks. Therefore, operational risk management is a critical part of the overall risk strategy, contributing to various other elements such as ERM and compliance which are key aspects of the GRC framework.
David: Operational risks have to be linked to other types of risks, for example cyber risks and credit risk, as some of them could be potential causes of operational risks. Monitoring them effectively can give a lot of insight into the actual causes of operational risks and risk events.
Richard: In my view, we need faster information flow. We have sufficient data for market risks and credit risks that helps us make faster and better decisions, and we want similar technology for operational risks. We have data from previous years in various forms and areas such as vendor risks, cyber risks, compliance risks, and operational risks. With technology, we can collect all this data, analyze it, and derive actionable insights to make better, informed decisions.
David: Technology has to be very simple and intuitive. Small and mid-sized organizations may not require complex data and methodologies. Moreover, they are not going to use the system as frequently as larger firms do. Therefore, for smaller firms the technology has to be scalable, and the UI has to be simple and intuitive.
Umar: People should be made aware of the benefits of technology. For example, reporting, data aggregation, and slicing and dicing data are very important for an equity firm. These firms deal with huge amounts of data, and storing this data in spreadsheets makes it difficult to aggregate across multiple locations. Technology can help us store and analyze this data to provide a more meaningful set of information and even early warnings.
Operational risks are inherent in all banking and financial services products, processes, systems, and people. Therefore, effectively managing these risks should be the fundamental objective of an organization’s risk management program.
Traditional ORM is designed to be implemented at granular levels, which makes it a highly resource-intensive process. By contrast, ORM frameworks today advocate top-down approaches that focus on the major risks at an overall level and drill down into granular levels only where required. This also supports tactical and strategic decision analyses.
By leveraging technology, organizations will be able to adopt faster ways to store, analyze, and manage operational risk data, gaining the information they require to make better business decisions and realize financial and regulatory benefits.