In our previous blog, we explored two of the key operational risk challenges firms are facing, as discussed at our recent industry roundtable – team structures and the effective use of data. You can read this post here. In this blog, we further delve into two more themes which were prominent in the roundtable discussion.
As a basis, all participants of the roundtable event appeared to be in favour of deploying a common risk taxonomy and see it as a vital risk management tool. Many firms have recently invested, or are currently investing, in developing or refreshing their risk taxonomies. This could include altering the language used to make it more understandable for non-risk professionals, ensuring it is meaningful to the business. The roundtable also explored the importance of developing a specific causal taxonomy. Participants in favour viewed causal taxonomies as crucial for proactive risk managers, arguing that a risk taxonomy benefits significantly from being aligned to a causal taxonomy, increasing its effectiveness.
Though participants largely agreed on the importance of the risk and causal taxonomies, there was notable debate about the handling of ‘reputational damage’ – whether this should even be classified as a risk, or is in fact an impact. On one hand, participants viewed reputational damage as an impact because it occurs when another risk materialises, such as a cyber threat or financial loss. On the other hand, it was argued that, potentially, because reputational damage is of such significance in the present day, classing it as a (level 1) risk ultimately offers the best chance of successfully mitigating it, through direct identification and monitoring.
Firms should assess the prevalence of reputational risk for their organisation, and its potential impact, before considering the most appropriate way to classify it. This may also depend on factors such as the maturity of a firm’s taxonomy itself. However it is ultimately handled in the structure, firms need to ensure they have the necessary skilled resource to manage reputational risk – whether an existing risk management resource is upskilled, or a specialist is hired.
Risk and Control Self Assessments (RCSAs)
RCSAs are another key tool for risk managers and are generally used by most firms across the industry to assess and monitor their risks. However, as many participants agreed, obtaining business ‘buy in’ for them can be very challenging and many firms have invested heavily in integrating the RCSA process into company culture. Methods to maximise business engagement were a prominent discussion at the roundtable – some firms have found success in running ‘risk discovery’ workshops, as not only does this act as a training session, it also helps bring key processes to life and builds risk awareness in BAU. Additionally, firms have used varying media to support internal campaigns on the importance of active, firm-wide risk management.
The challenges that firms face regarding RCSA engagement often stem from the perceived effort required, with some respondents sharing feedback that this is viewed as ‘time consuming’ and ‘arduous’ in their organisations. Firms can invest heavily in streamlining their RCSA process through adopting a single IT system, which when used can be a great asset. However, the benefits of such a system, and thus an overall strengthening of risk management, will be hindered without a cultural shift to change the firm-wide perception of RCSAs, which should start with clear and visible engagement from senior management. To help cascade this, senior management should consider steps such as including maintenance of RCSAs in employee objectives and encouraging updates to be part of ongoing, day-to-day processes through trigger-based management, in support of any frequent refreshes, so that this activity is not seen as a regular ‘tick-box’ exercise.
Our follow up report for the operational risk survey has now been published, and can be accessed via the link below. Though the survey itself won’t open again until later on in the year, we are still able to offer key insight to firms in the way of running benchmarking sessions against the survey results to assess their maturity compared to their peers.
If you are interested in benchmarking your firm’s operational risk maturity against our dataset or for any wider discussions around Operational Risk, please contact OpRisk@baringa.com. Please also get in touch if you would like to hear about future operational risk events held by Baringa Partners.