On 23rd February 2021, Baringa was delighted to welcome guests for the virtual launch of our ‘Operational Risk Survey & Report 2021’, entitled Resilience Put to the Test.
At the event, Baringa’s Adele Turner and Salina Ladha from our Finance, Risk and Compliance team outlined the key findings from the report, which you can download here.
This was also an opportunity to hear reactions from those at the frontline of managing operational risk and resilience.
We have captured some themes of the main remarks and observations expressed by our attendees (under the Chatham House Rule), as well as the results of some event polling.
Are experts helpful?
Recruiting technical risk subject matter experts is indispensable for some, and recruiting expertise is taking up significant resource. But for others, hiring an expert merely creates a new vulnerability – reliance on a single person. The PRA requires second-line oversight and challenge around multiple aspects, including resilience, cyber, vendor and information management, so each organisation will need to decide what model suits its specific circumstances.
COVID-19 – a normal-normal…?
We asked attendees whether they have reprioritised their key risks in response to COVID-19. For the majority, the answer was no.
But the verbal nuance offered by attendees here was revealing. While few saw a need to re-order priorities, new challenges were presented that resisted simple re-calculation: the impact on morale, changes to motivation, productivity, all the way through to misconduct. But for the most part, the changes were subjective and anecdotal, and therefore not easily or simply addressed.
We also asked how well organisations managed to maintain a strong culture of risk management and accountability in a largely working-from-home environment.
Here, confidence was high, with everyone reporting success in this area, and a third of attendees considering their organisations ‘very successful’.
Once again, our attendees provided helpful nuance. While organisations have coped well, the longer the situation prevails, the more such risks compound and begin to change culture. Attendees cited turnover as a key risk metric to watch.
Juggernauts for turning
As in previous years, our survey looked at the use of risk and control self-assessments (RCSAs) in some detail. There was an ambition among attendees to build linkages between controls and risks, in order to develop true front-to-back self-assessments. But this can’t be done overnight. For some, it will take several years to ‘turn the juggernaut’ – regardless of COVID.
Aside from the pandemic, there was intriguing divergence on why RCSAs were not as useful as they might be. For some, RCSAs were far too high level. For others, they were far too granular to be of use as a management reporting tool. Attendees also noted challenges around avoiding duplication, ensuring consistency and how to perform RCSAs faster so that they can be more responsive and timely tools during periods of stress. Trigger-based updates were also seen as a desirable evolution by several attendees.
A consistent finding through our annual surveys has been that no more than half of respondents have ever had a control library in place, which is essential for informing a consistent control structure and comparable application in different areas of the business. There is also a pertinent distinction to be made between libraries and taxonomies – the latter providing an aggregated picture that is indispensable for identifying patterns of problems and correlations of risks across control types, particularly in times of extreme change.
Management info – no consensus!
We asked attendees whether they feel MI is effectively used to report on and identify emerging risks, with very mixed returns.
For some attendees, the key challenge is not quantitative (“rubbish in, rubbish out”) but qualitative. The foundation of good management information is unavoidably judgement-laden.
A focus on data and analysis can also create myopia. Our attendees reported that boards increasingly expect ‘blue sky’ thinking in order to encompass emergent risks as well – which neatly brings us back to the taxonomy, and ensuring that information doesn’t narrow your field of vision.
Meanwhile, the data structure must be usable, with consistent formatting and risk ratings. Attendees deploy a wide variety of different third-party data sources, which prompted discussion of the utility of a potential collective data hub.
Where resilience fits
The event concluded with one of the industry's hottest debates: how to accommodate resilience coherently within existing operational risk management structures.
While there remains a plurality of approaches, incorporating resilience as an impact category feels closest to the regulator’s view of resilience as an outcome.
Then there are practical considerations, such as how resilience aligns while sitting with the front line. Should there be separate resilience frameworks with touchpoints into operational risk frameworks? And how do ‘important business services’ fit in? This is where things get complex.
RCSAs can be leveraged to varying degrees when mapping out ‘important business services’. However, the degree to which they can be leveraged will vary depending on whether RCSAs are undertaken on a process or functional basis. Firms that have front-to-back RCSAs are well-placed, as they will be used to having visibility of all risks along the chain, without necessarily being responsible for all of them.
If any of this sounds familiar and you’d value a conversation, please get in touch: firstname.lastname@example.org