Insights and News /

09 December 2012

Operational Risk Management

Effective identification, measurement, quantification and mitigation of Operational Risk requires an equally effective governance structure and framework. Operational Risk often emanates from myriad sources across the organisation, with a vast materiality spectrum. This makes it particularly elusive and difficult to manage. Continuously simplifying the operating model and increasing transparency across the organisation will facilitate a more comprehensive approach to managing Operational Risk.     

Financial Services firms are challenged in this regard and require innovative, yet pragmatic and attainable solutions. The scope of potential risk is extremely wide and requires a well-defined methodology and approach. Fundamentally, the policies and processes underpinning Operational Risk need to be consistent and all encompassing – including specific idiosyncratic and more common scenarios. In addition to a holistic set of processes, a well-defined and established operating model and, an equally robust supporting infrastructure will also be paramount.

The level of buy-in and adoption across the firm is essential for an effective Operational Risk program; the OR discipline must be embedded within the organisation. Internally, it needs to be marketed as a core pillar of risk management and promoted as a business facilitation unit. Such status requires it to be entrenched in the ethos and culture, promoted from top to bottom. An isolated and/or segregated program and siloed execution will undermine what is already a complex and demanding undertaking.

Achieving an elevated level of awareness and continuous communication across the organisation will ensure that the array of Key Risk Indicators (KRIs) is timely, comprehensive and representative of the key issues. These indicators and scenarios should evolve over time to reflect on-going and anticipated risks and requirements. These will need to be tracked and managed, so that risk can be captured and quantified accordingly. Development of meaningful and relevant KRIs will ensure the management and mitigation techniques are also fit for purpose. 

Expanding on this, banks should pay equal attention to instances where breaches (limit or otherwise) have occurred and the population of trades have generated a profit as when a loss results. Whilst losses arising due to operational failure are more likely to be brought to light, “profitable" failures are often not subject to same level of scrutiny, leaving open potentially dangerous gaps in the firm's OR profile. Irrespective of impact severity, all operational failure needs to be assessed, reported and remediated so that appropriate control measures may be implemented.  

Developing sophisticated MI tools and a meaningful reporting capability will ensure that senior management is made aware of Operational Risk, the key issues and the control measures. Facilitating senior management buy-in will ensure that Operational Risk is at the forefront of Risk management discussions, historically not always the case. The Operational Risk function also needs to establish and maintain an on-going relationship with the business – with the aim of facilitating business conduct in a timely manner, whilst maintaining the appropriate level of control.      

An element of uncertainty is inherent and will always remain when managing Operational Risk. Nevertheless, there is a need to minimise reactive response initiatives and develop a robust capability that allows for more proactive management of risk. In order to do so, Financial Services firms need to increase the overall level of process transparency, develop robust and valuable set of KRIs, an equally sophisticated set of policies, processes and controls, implement a centralised operating model and ensure that there is interest and buy-in from key stakeholders across the organisation.