As firms return to some semblance of normality, the focus is shifting from firefighting back towards business-as-usual operational risk management, with an emphasis on enhancement. We explore two key challenges currently faced by operational risk teams: risk appetite and key control identification.
Overall, we see a good level of confidence around board engagement and governance of operational risk appetite. However, challenges remain in making operational risk appetite statements more meaningful as a day-to-day risk management tool. A strong risk management culture starts at the top of the organisation, yet quality is often diluted as it cascades throughout the business.
We identify some practical ways for firms to improve their operational risk appetite framework and associated business engagement:
Leverage the power of KRIs to better manage operational risk
- Connect qualitative statements with quantitative measures such as limits and triggers at an increased level of granularity, so that concepts are genuinely measurable
- Employ a ‘pyramid’ structure of key risk indicators (KRIs), so that indicators at the lowest level roll up into a thematic view of key risk exposure versus appetite
- Blend universal KRIs with more specific ones, for example by legal entity. This helps senior managers provide sufficient challenge over the areas for which they are directly responsible
- Move away from the concept of zero appetite or tolerance for risk, which does not reflect reality and may encourage reporting apathy and a failure to identify real issues requiring action
Define risk limits that support improved engagement with the Executive Risk Committee
- Establish live processes to formally document business-level risk acceptances, which are then taken to the appropriate governance forum for awareness and ratification of the risk landscape
- Develop a clear rationale for operating outside appetite, the ‘path to green’ and the timeframe for it
- Tier risk appetite limits and breaches, e.g. distinguishing notifiable regulatory breaches versus regulatory breaches overall
- Utilise amber ratings as a warning indicator to notify management of potentially impending breaches and enable more proactive management of emerging risks
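The mechanics described above (triggers and limits per indicator, a pyramid roll-up to theme and entity level, tiered breaches, and ratified risk acceptances with a path to green) are easy to get wrong in spreadsheets. The following is an added illustration, not code from Baringa or from any firm's GRC tooling; the indicator names, thresholds, values and dates are constructed sample data and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# RAG ordering used for roll-ups: the worst child indicator drives the parent rating
RAG_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass
class KRI:
    """One key risk indicator with a trigger (amber) and a limit (red) threshold."""
    name: str
    theme: str                 # thematic bucket the indicator rolls up into
    entity: str                # legal entity / business area, or "group" for universal KRIs
    value: float
    trigger: float             # amber: warning of a potentially impending breach
    limit: float               # red: outside appetite
    tier: str = "standard"     # e.g. "notifiable" for notifiable regulatory breaches
    higher_is_worse: bool = True

    def status(self) -> str:
        # Flip the sign for indicators where a low value is bad (e.g. a pass rate)
        s = 1 if self.higher_is_worse else -1
        if s * self.value >= s * self.limit:
            return "red"
        if s * self.value >= s * self.trigger:
            return "amber"
        return "green"


@dataclass
class RiskAcceptance:
    """Formal business-level acceptance of operating outside appetite."""
    kri_name: str
    rationale: str
    path_to_green: str
    target_date: date
    ratified_by: Optional[str] = None   # governance forum; None until ratified


def roll_up(kris: List[KRI], by: str) -> Dict[str, str]:
    """Pyramid roll-up: worst status among KRIs sharing an attribute ('theme' or 'entity')."""
    out: Dict[str, str] = {}
    for k in kris:
        key = getattr(k, by)
        out[key] = max(out.get(key, "green"), k.status(), key=RAG_ORDER.__getitem__)
    return out


def breaches_by_tier(kris: List[KRI]) -> Dict[str, List[str]]:
    """Red KRIs grouped by tier, so notifiable breaches are not buried among the rest."""
    out: Dict[str, List[str]] = {}
    for k in kris:
        if k.status() == "red":
            out.setdefault(k.tier, []).append(k.name)
    return out


def board_report(kris: List[KRI], acceptances: List[RiskAcceptance], as_of: date) -> List[dict]:
    """Per-KRI rows: status, whether a red is covered by a ratified acceptance, and
    whether its path to green is overdue. Unratified acceptances do not count."""
    ratified = {a.kri_name: a for a in acceptances if a.ratified_by}
    rows = []
    for k in kris:
        st = k.status()
        acc = ratified.get(k.name) if st == "red" else None
        rows.append({
            "kri": k.name, "entity": k.entity, "status": st, "tier": k.tier,
            "accepted": acc is not None,
            "path_to_green_overdue": acc is not None and as_of > acc.target_date,
        })
    return rows


# Constructed sample data (hypothetical indicators and values, not survey results)
SAMPLE_KRIS = [
    KRI("Critical patching SLA misses", "Technology", "group", 14, trigger=10, limit=20),
    KRI("Reportable data incidents", "Data", "UK Bank", 2, trigger=1, limit=2, tier="notifiable"),
    KRI("Control test pass rate %", "Control environment", "UK Bank", 92,
        trigger=95, limit=90, higher_is_worse=False),
    KRI("Privileged access recertifications overdue", "Technology", "EU Bank", 30,
        trigger=15, limit=25),
    KRI("Open high-severity audit actions", "Control environment", "EU Bank", 3,
        trigger=5, limit=8),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("Privileged access recertifications overdue",
                   rationale="IAM platform migration in flight",
                   path_to_green="Complete recertification backlog after cut-over",
                   target_date=date(2024, 9, 30), ratified_by="Executive Risk Committee"),
]
REPORT_DATE = date(2024, 7, 31)
LATE_REPORT_DATE = date(2024, 10, 31)

if __name__ == "__main__":
    print("By theme:", roll_up(SAMPLE_KRIS, "theme"))
    print("By entity:", roll_up(SAMPLE_KRIS, "entity"))
    print("Breaches:", breaches_by_tier(SAMPLE_KRIS))
    for row in board_report(SAMPLE_KRIS, SAMPLE_ACCEPTANCES, REPORT_DATE):
        print(row)
```

The roll-up deliberately takes the worst child rather than an average, so a single red in a small entity is not masked by many greens elsewhere; the report treats an acceptance as valid only once a governance forum has ratified it, and flags it once the agreed target date has passed.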
Review and evolve the organisation's risk appetite framework as the business matures
- Support the embedding of the operational risk appetite framework, e.g. by ensuring business areas clearly understand the operational risk taxonomy relative to their specific areas and by reviewing the applicability of indicators and thresholds to different business areas
- Frequently refresh and iterate indicators, to ensure a clear and reflective set of top KRIs to report at board level and to inform risk appetite decisions
- Devolve risk appetite statement processes to business areas, having them define their own tolerances (for the board to approve)
- Use language that is better connected to the daily activities of the business, rather than using terms like ‘risk’ and ‘key indicators’, to facilitate greater understanding and accountability
Baringa’s latest Operational Risk Survey revealed an increase in the prevalence of control libraries, with 58% of respondent firms having this structure in place. Whilst this represents an upward trend, 28% of participating firms still have only a risk library and continue to struggle with the control side. In addition, the consistency of control libraries remains varied, with certain pockets more developed than others; for example, regulatory pressure has increased the focus on conduct, driving better quality control data collection in that area.
There are three key challenges firms face in establishing and managing their organisations' control libraries:
Focused data quality initiatives that drive better quality risk analysis and reporting
- Standardisation and rationalisation of controls is being undertaken by many firms, as they look to reduce duplicate controls and therefore improve business engagement with the RCSA process. This is reinforced by adopting a single system with mandatory fields and data validation techniques
- A combination of quantitative analysis and qualitative judgement is employed by many firms when aggregating risk and control profiles. This avoids biases towards more material geographic locations or business lines, which could mask material risk and key control issues in other areas
- Aggregation of risk and control ratings is an important consideration for firms, to support more thematic management and board reporting. Firms are building on their control libraries to develop control taxonomies or hierarchies to support such aggregation
Streamline tooling and frameworks to create greater transparency and consistency
- Adopting a single system across all three lines of defence for reporting operational risks, controls and incidents/events allows for greater transparency to appropriately challenge the accuracy of inherent and residual risk assessment ratings, as well as control weaknesses. This in turn supports the definition and implementation of remediation plans by the business
- Rationalising non-financial risk and control assessments drives consistency and efficiency, and creates more opportunities for thematic reviews which leverage other disciplines relevant to operational risk, e.g. conduct and compliance
Using process mapping as a management tool for effective risk mitigation
- Utilising an end-to-end process-led approach is becoming more popular with firms as an effective mechanism for managing key risks and controls. By making processes more visible, business owners can better understand the processes and controls associated with identified risks, and manage them
- A process-led approach is also being used to support compliance with incoming PRA and FCA operational resilience requirements, which require firms to map supporting resources (processes, people, premises, technology and third parties) and to understand the vulnerabilities associated with them. A process-led view of risks and controls can support this analysis
- Process maps should be maintained and linked to the dynamic risk and control environment (potentially supported by GRC tooling) to prevent their value being diminished over time
- Effective process mapping hinges on a consistent process taxonomy: firms should unify the language used to categorise business areas and their processes, so that users across the organisation describe them consistently
Our insights are informed by Baringa’s market leading Operational Risk Survey and Report, as well as our regular client roundtable series. If you would like to discuss this, or broader operational risk in more detail, please contact OpRisk@Baringa.com.