Over the last decades, operational failures and fraud have resulted in major losses to large banks. Despite the broad economic impact, many banks have difficulty understanding, measuring, and managing the factors that contribute to operational risk. The complexity is caused not only by the variety of risks covered under the umbrella of operational risk. It has also become more complex to manage risk in organisations driven by progress in technology, globalization, and increased competition. Automation, artificial intelligence, and even the implementation of APIs generate risks that have to be well understood and managed.
While banks have developed sophisticated models and systems for controlling credit, market, and liquidity risks, they have struggled to deal effectively with operational risk. Organisations end up managing operational risk with reactive, short-term measures, without an integrated approach in mind, still struggling with a backward-looking way of assessing operational risk based on past losses.
Serious operational incidents continue to occur, triggering severe regulatory penalties against banks, despite efforts to strengthen operational risk management. Regulators seem to be losing patience with banks’ long-standing failure to establish effective operational risk management. Is it about a framework, better tools, or maybe mindset?
Framework and Tools
While control functions have evolved in recent years, management has often not considered how to integrate operational risk management with the changing enterprise risk management. The boundaries between operational risk management and other control functions such as compliance have become fluid, creating overlaps and blurred responsibility. Although extensive control-testing processes were created, many Boards still lack a clear picture of the greatest risks and critical vulnerabilities to the organisation. The extensive control activities are sometimes perceived as excessive, bureaucratic check-the-box exercises with little business value.
Many Boards see an increase in control activities and reporting without an equivalent rise in insight on risks and how to manage them.
Banks need to take specific actions to integrate operational risk management into broader enterprise risk management and eliminate overlaps. It is necessary to move the function from reacting to business priorities and reporting of first-line controls to providing expertise on emerging risks and business process resilience using technologies and forward-looking approaches.
The functions that rely only on extensive control-testing processes may have limited insight into the strength of operational processes and are not well-positioned to identify critical vulnerabilities. Along with increased data availability, the transition to real-time monitoring gives the ability to more effectively detect cyber, fraud, and anti-money laundering threats.
The question remains as to whether management is able to capture all critical risks in this way. Open, constructive risk discussions help to identify and manage critical risks; however, this requires a proper mindset of management on all levels and self-awareness of biases.
Currently, a bias towards short-term rather than long-term performance is stalling corporate actions. The pressure to operate with extreme cost-consciousness is considerable. In organisations with weak risk accountability, understanding and escalation of risk, management focused on profitability in the short term may be less inclined to analyse potential risks, often assessing them as remote. A backward-looking approach may still be preferred as opposed to a forward-looking way and a focus on identifying critical vulnerabilities.
What could go wrong in normal and stress conditions in a dynamically changing organisation driven by advancements in technology, globalization, etc.?
Operational risk management is a challenge for leaders and management as it focuses on threats rather than successes. It requires them to support the processes that identify the risks to the strategies they formulate. Leaders need to be prepared to adopt a forward-looking approach to have better insights into risks and more informed risk-taking. Changing mindset and breaking down the barriers of biases commonly occurring in organisations, such as short-termism, over-confidence, group and silo thinking, are key to good, constructive risk discussions.
Effective Operational Risk Management – a way forward
Proactive risk management can be achieved by enhancing risk anticipation, enabling technologies that improve decision making and performance (data analytics and real-time detection) and moving towards integrated reporting with a clear picture of key risks and deeper insights.
None of these will work without a sound risk culture, clear risk accountability, escalation, and understanding of risks. This is not only about creating formal rules and governance, but also about having the right attitude and personal ethics. Effective risk management requires discussing risks openly with an appropriate management mindset at all levels and self-awareness of biases.
In today’s world, the Board plays a more active role than ever before in setting the tone for changing mentality and overseeing how management drives the right behaviours and reports risks.
Some questions for the Boards to consider in relation to operational risk management:
- Does the Board receive an integrated view of how an organisation manages its operational risks?
- Is it difficult to reconcile the views the Board receives from various information sources?
- With control functions enhancing their capabilities, is there an equivalent rise in insights?
- Do only control functions communicate operational risk to the Board?
- Is a bias towards short-term rather than long-term performance observed?
This article was written by Beata Cymerys, an ICDM Board-Ready Affiliate and former Chief Audit Executive of Citibank's subsidiary in Poland; a passionate audit professional with over 20 years of experience in the banking, insurance and manufacturing sectors. Beata partnered with senior management and Board members, in particular the Audit Committee members, to identify current and emerging risks, ensuring the safety and soundness of the organisation.