A lot has happened since the early 2000s when operational risk management (ORM) was formally instituted as a risk discipline under the Basel reforms. The increasing threat of cyberattacks, coupled with high-profile incidents of fraud, and growing vulnerabilities in the third-party ecosystem have thrown up new challenges and priorities for operational risk practitioners. To shed light on some of these issues, and to discuss the ongoing evolution of ORM, the GRC Summit 2018 brought together a panel of risk experts, including Alex Gacheche, Director, GRC at Freddie Mac, Joseph Monks, CRO at MarketAxess, Bob Wordelmann, SVP, U.S. Operational Risk Management at TD Bank, and Stephen Woitsky, SVP, Operational Risk Management, at Bank of the West. The discussion was moderated by Brenda Boultwood, SVP, Industry Solutions, MetricStream.
Over the last decade, ORM practitioners have focused on implementing and strengthening ORM programs – establishing key risk indicators (KRIs), defining loss events, and conducting scenario analyses. Today, as these programs reach a mature level, ORM practitioners are beginning to shift their focus to how they can add more value to the business. The emphasis is increasingly on risk intelligence – how to leverage the risk data gathered from ORM programs to provide more credible challenge to the business, as well as to guide strategy and performance. A wealth of risk information exists, waiting to be tapped.
But how does one aggregate, filter, and interpret that data efficiently? Many banks are establishing common risk taxonomies, methodologies, and platforms to piece together risk information from across the lines of defense. Others are going a step further, and adopting robust analytics to transform raw data into actionable insights. Predictive analytics hold a lot of promise, enabling banks to anticipate operational risks in a way that wasn’t really possible before the 2008-09 financial crisis. ORM practitioners can now tell if there has been an uptick in foreclosures for a particular region; or, they can determine where the next potential defaults lie, and take steps to address the issue before it becomes a larger problem.
Artificial intelligence (AI) also offers tremendous potential to predict risks. A decade ago, it was near impossible to keep track of all the issues and risks that occurred across one’s global enterprises. But with AI and natural language processing, ORM practitioners can efficiently bring together all that information, and slice and dice it to identify which risk areas need their attention and resources.
Post the 2008-09 financial crisis, the second line functions in many banks stepped in to close the gaps in the first line. As a result, they ended up not only creating the risk management policies, methodologies, and frameworks that their organization needed, but also conducting the risk assessments themselves – an approach that may not have given them the objectivity to challenge risk findings, or even to gain a big picture view of risks.
That has changed though. Over the past few years, the responsibility and accountability for risk assessments has shifted more to the first line – to where the risks are -- be it in sales, marketing, or product development. And as business units take more ownership of risks, we’re beginning to see the emergence of “1.5 lines of defense” where risk specialists are deliberately embedded within the first line as an additional level of support. They provide training and advisory services to the business units, while also dealing with ground-level risk issues. That gives the second line risk management functions the independence they need to step back, look at risk more holistically, and objectively challenge the decisions of the first line. The third line or internal audit provides a final layer of oversight, identifying gaps in risk management processes, or questioning risk findings, and thereby helping fortify the whole risk management program.
Some large banks have a third line just to oversee risks, and to ensure that nothing slips through the cracks. Others are beginning to “thin” their third and second line functions, especially as more risk responsibilities descend to the front lines. Whichever approach banks choose, the important point is to ensure clear definitions and separation of responsibilities in ORM. Cross-functional collaboration is also key to ensuring that risk data is aggregated, shared, rolled up, and reported in a timely and streamlined manner.
The last few years have seen the rise of multiple new compliance requirements that directly impact how operational risks are managed. GDPR, MiFID II, BCBS 239, and the Federal Reserve’s Comprehensive Capital and Analysis Review all have implications for ORM practitioners. The key to staying compliant is to be proactive -- tracking regulations as they emerge, understanding their impact on the enterprise, embedding them into ORM and audit frameworks, and defining clear lines of ownership. These processes apply also to external risk incidents. A scandal or regulatory fine at one bank should be a wake-up call for others to re-examine their own risks and controls. From a Basel reforms perspective, a number of changes have occurred over the last decade.
Basel II defined operational risk as the risk of loss arising from four broad categories -- internal processes, people, systems, and external events. Today, other risk categories have become just as important, be itthird-party risks, cybersecurity risks, capital adequacy risks, fraud risks, or model risks. In other words, what were traditionally level 2 risks are now moving into level 1, so that organizations can give them the attention and scrutiny they need. As these new risk categories emerge, banks are beginning to build frameworks around them to ensure effective risk management. They are also striving to understand how operational risks map to other risks and to the larger business objectives of the organization. Siloed, inconsistent risk frameworks and approaches are on their way out. More banks are looking to standardize risk management – be it in their definitions of risks and controls, or in their risk scoring methodologies.
• Develop a strong risk department in terms of ORM capabilities
• Demonstrate the maturity and sustainability of the ORM program to regulators
• Shift the focus from ORM program implementation and administration to risk intelligence and how it can be used to drive change in the bank
• Put together an enterprise-wide view of each business function’s risk profiles on a consistent basis
• Define the three lines of defense more clearly to deal with increasing regulatory pressures
• Leverage statistical analysis techniques, AI, and predictive analytics to ask the right questions of the business
With risks around cybersecurity and outsourcing growing more critical, all eyes are on the ORM function. Their ability to assess, manage, and mitigate risks and losses in a timely manner will continue to have a direct impact on business performance and integrity.
While a great deal of progress has been made in terms of building ORM frameworks and processes, there are still opportunities for improvement – particularly in terms of enhancing integration across risk and assurance functions, ensuring more timely risk intelligence, and building a pervasive risk culture. Proactive action in these areas will go a long way towards strengthening the maturity of the ORM function, and enabling them to continue being a valued partner to the business