The Next Generation Operational Risk Manager

The Uomo Universale or ‘Universal Man’ of Renaissance Italy embodied the humanist ideas of the time, with man at the centre of the universe, limitless in his potential and in his capacity to evolve. The ‘Universal Man’ should embrace knowledge in all its wondrous variety, seek continuously to expand understanding and embrace personal development. Leonardo da Vinci epitomises the idea of the Uomo Universale, a master of art, science and engineering. The Next Generation Operational Risk Manager (NGORM) should be the Renaissance Man or Woman of banking.

If there has ever been a time for the NGORM it is now. We live in a time of extreme uncertainty, with economic, political, social and powerful new technological forces dramatically changing the landscape for financial services and threatening traditional business models and practices. Mis-conduct scandals also continue to plague the industry, harming customers and market integrity, tarnishing reputations and destroying wealth. Significant regulatory challenges continue, including a high volume of regulatory change, record fines for mis-conduct, increased personal accountability through the new Senior Managers and Certification Regime (SMCR), and more intrusive but more unpredictable discretionary and judgment-based supervision. Following the financial crisis, the then head of operational risk policy at the FSA, the hugely respected Andrew Sheen, said that regulatory change was in his view the biggest operational risk facing firms. Regulatory risk continues to score highly in surveys of ‘top risks’. It is time for the NGORM to engage with enterprise regulatory risk.

A combination of market, competitive, technological and regulatory pressures is driving down margins in banking and forcing firms to abandon traditional capital-intensive business lines in favour of fee-generating activities. To cut costs and improve margins, firms are employing new technology, or outsourcing to third parties or off-shore, or in many cases cutting back non-core staff. All of these developments will tend to increase the operational risk profile of the firm. The NGORM has never been needed more, as the operational risk profile of firms increases.

‘Conduct’ is arguably the biggest operational risk facing firms, and according to regulators perhaps the biggest contingent risk that banks face, yet so far it has not been well managed – hence the endless scandals leading to billions in fines and redress. The ‘compliance’ approach to conduct has failed, and what’s needed is a new approach based on considering conduct from an operational risk perspective. Conduct is an impact that may arise from any of the 7 Basel operational risk event types (similar to reputation risk) driven mainly by the people element of the People, Process, Systems and External Events (PPSE), and the tools of operational risk management should be applied to its management. Of course, no amount of 2nd line resource, however effective, will prevent mis-conduct if the risk culture is rotten, and the NGORM, with their understanding of the wider business and of risk and control, can be an engine of risk culture change and evolution.

The Global Financial Crisis (GFC) seemed to stop the development of ERM in its tracks, and indeed in recent years the trend in many firms appears to have been in the opposite direction – towards silos and fragmentation. There are signs, however, that ERM is now on the rise again, driven in large part by the need to achieve efficiencies, remove duplication and cut costs. The NGORM should be at the centre of this resurgence, providing the holistic enterprise view of risk and control, and providing the CRO with the assurance that is more vital than ever in a post-SMCR world. The CRO’s neck is now truly on the block, exposed more than ever before in the event of failure and not being able to demonstrate ‘reasonable steps’.

Ten vital things that the NGORM can contribute to the firm:

  1. The NGORM has a holistic understanding of the business. Banks increasingly operate in silos, with each area focusing only on its own narrow function. But due to the nature of operational risk, the NGORM must know and understand the whole business.
  2. The NGORM has an expert understanding of risk and control. This means both a theoretical understanding and a practical approach, including the ability to identify causations, identify risk clusters and linked events, and to understand what controls are likely to be most effective, taking account of the firm’s risk culture and observations from psychology and behavioural economics. The NGORM must also understand other categories of risk – some estimate that as much as 70% of what is generally considered to be credit and market risk is actually operational risk, and it’s vital to be cognisant of this.
  3. The NGORM brings a strong sense of judgement and the ability to be proportionate in their response to issues, events and problems. The NGORM should be the one to counter Corporal Jones’ frantic cries of ‘Don’t Panic’ with a measured and calm response and a focus on resolution and action rather than crying over spilt milk or pointing fingers/blame culture.
  4. The NGORM has a masterly command of the operational risk tool-kit, including performing scenario analysis (including leading workshops) and RCSAs, analysing KRIs and events to identify trends and patterns, and producing concise, informative MI that can drive decision-making and action. Even in a post-AMA world, the business need for sophisticated analytics will continue; modelling of operational risk is in its infancy and there are huge advances just waiting to be made, including from behavioural economics. In particular, the modelling of qualitative data, e.g. from BEICFs, is potentially far more valuable for business management than modelling historic loss data. Regulators are also likely to continue to demand sophisticated approaches to measuring operational risk through Pillar 2, especially for larger and more complex firms. The NGORM must strive to push the boundaries on analytics, demonstrating the business value and the ‘use test’ in modelling for Pillar 2, and win the business case for continued investment.
  5. The NGORM has a challenging mindset and the confidence to not be fazed by the most belligerent of business heads. The NGORM should also be prepared to tackle and break down the silos, and expose the cliques and disruptive organisational politics that can poison an organisation’s culture.
  6. The NGORM has a desire to engage with all areas of the business and support functions, and to provide support, challenge and oversight. Too often operational risk functions (as with other control functions) have been too remote from the business. More than anyone in the firm, the NGORM must be highly visible and be out talking with business areas, observing, understanding and challenging. What is written in a policy or procedure is one thing, but the ‘what actually happens’ is key to understanding risk and the effectiveness of control. The NGORM must also have the ability to engage with technical and non-technical people alike. The NGORM must be able to engage people of all levels and in all areas of the business.
  7. The NGORM has highly developed forensic skills of investigation and analysis, and the ability to manipulate and assess data and sift evidence, getting to the root of the problem, understanding complex causal chains and recognising patterns.
  8. The NGORM is a great communicator and deliverer of training, with the ability to demonstrate the business value of operational risk management and to educate and inform all staff.
  9. The NGORM must be a driver of risk culture change through continuously demonstrating and promoting the value of a strong risk culture and strong risk management. The ‘demonstrating’ bit is absolutely crucial – ‘tone from the top’ is important, but the example that senior managers set to the rest of the organisation by their own behaviour is far more important. 
  10. The NGORM brings a strategic outlook to issues, problems and risks and the ability to see the big picture, not getting lost in the details. The NGORM should be front and centre on current hot topics like Brexit, leading scenario analysis and assessing the plausibility and impact of different outcomes, and helping to generate mitigation strategies.

We should not be unrealistic; after all, even operational risk managers are only human. But the operational risk manager is almost unique within the firm, in having the breadth of knowledge and understanding – necessitated by the pervasive nature of operational risk – to address the big emerging challenges, which require an enterprise perspective. The pending demise of AMA is regrettable; it is tantamount to an act of vandalism by policy makers as they throw out 15 years of investment in operational risk capital modelling and analytics. But amid the pessimism from the demise of AMA, there is a reason for optimism. The demise of AMA is a watershed for operational risk management, but it may mark the beginning of a renaissance. It is now time for the Next Generation Operational Risk Manager.