The Renaissance of Operational Risk Management

Over a decade ago, Basel 2 introduced operational risk into the capital regime for banks and investment firms. A series of high-profile scandals, including the collapse of Barings Bank due to the rogue trading of Nick Leeson, alerted regulators to the importance of the risks arising from people, processes, systems and external events. Unlike credit and market risks – which had previously been the focus of regulators and risk managers – operational risk had the potential to be catastrophic – as in the case of Barings.

In the following years, firms created operational risk functions, introduced new tools including RCSA and scenario analysis, started collecting operational risk loss data, and created new operational risk committees to provide governance and oversight. By the late 2000s most regulated firms in the UK employed operational risk managers and had established operational risk frameworks. This contrasted with the early 2000s, when the UK Financial Services Authority, wanting to engage with the industry on the nascent Basel 2 and CRD regime, had to engage with staff from compliance, finance and regulatory reporting functions within firms – operational risk functions simply didn’t exist! The European Commission Working Group that did the work on the operational risk elements of the new regime was called the Working Group on Other Risks!

Unfortunately, after the initial energy, optimism and fanfare, in the decade following the introduction of Basel 2, operational risk management as a function and profession has stagnated. The value derived from the core identification and assessment tool, RCSA, has diminished, and it has become little more than a compliance exercise in many firms. The attention of practitioners has all too often focused either on ensuring compliance with the processes (without sufficient regard to the quality of the risk assessment or the ‘so what’ of the actions driven from it) or on making the framework into a highfalutin, overly complex cottage industry, completely divorced from risk owners, and unintelligible to anyone outside a small circle of operational risk experts.

Despite the introduction of operational risk frameworks, including Advanced Measurement Approaches (AMA) by the most sophisticated firms, we also suffered the devastating Global Financial Crisis (GFC) from which the global economy is still recovering, and subsequent conduct scandals, many of which had misconduct by people – surely a key focus of operational risk management – as the root cause. The regulatory response to the GFC included highly prescriptive and intrusive rules, and supervision on topics including remuneration, competence and capability of staff, and new conduct rules – SMCR in the UK is a clear and damning indictment of trust in the ability of firms to manage their own affairs. These are all drivers of operational risk that should have been core areas of focus for operational risk managers.  

Many predicted that the decision by the Basel Committee to kill off the AMA, a signal to many practitioners of the diminished status of operational risk, might be a final nail in the coffin for operational risk management as a distinct function altogether! Especially so, given the post-GFC trend of fragmentation, whereby firms created new functions (often with separate risk frameworks) to consider hot topics like cyber, conduct, vendor management, market conduct, fraud, financial crime and so forth. Operational Risk Management as a distinct function, or even as an umbrella, seemed to be redundant!

To paraphrase the great Mark Twain, the report of operational risk’s death was grossly exaggerated!

Two key drivers have encouraged a remarkable resurgence in the importance of operational risk management: the 4th industrial revolution, whereby new technology is transforming the industry but also introducing material new operational risks (e.g. cyber, data/information security, IT systems risks, model risks and so forth), and the related global regulatory focus on operational resilience.

The PRA’s Lyndon Nelson, in an excellent speech in June 2018 on operational resilience at OpRisk Europe (‘Resilience and continuity in an interconnected and changing world’, 13 June 2018), recounted how he had addressed a group of new Operational Risk Managers and explained that they would be ‘pioneers’. Lyndon explained that operational resilience will establish itself on a par with financial resilience and be a key part of the firm’s risk profile. Regulators have made clear, and will reiterate in the eagerly anticipated CP due in Q4, that operational resilience is an outcome and that it is delivered through leveraging the operational risk framework (in contrast to some who have irresponsibly advocated creating new ‘resilience’ frameworks, repeating the same mistakes of conduct, whereby firms created parallel conduct risk frameworks that introduced duplication, confusion and inefficiency).

Operational resilience will present challenges for firms, operational risk practitioners and risk frameworks. As Lyndon Nelson noted in the same speech, ‘operational resilience is hard’. A particular challenge for the framework is the necessity to consider operational risk horizontally across critical business services rather than in the traditional vertical functional silos. Another challenge is that many large firms have in recent years sought to refocus their risk identification efforts on material risks. This move, to less granular risk assessment, was in response to the obvious problems of making sense of and using literally thousands or in some cases tens of thousands of so-called ‘material’ risks and ‘key’ controls (not to mention thousands of ‘key’ risk indicators). This problem generally arose from an extremely granular approach to RCSA assessments, which focused on risks associated with processes rather than material risks to achieving business objectives. Ironically, operational resilience may require a more granular, process-based approach to RCSA, and a number of firms are already reintroducing these assessments.

There are also challenges for risk systems/GRCs, which will need to support the ability to cut risk data along the critical activities rather than in traditional functional silos and hierarchical aggregations, and to support new impact tolerances.

Nonetheless, for the first time, operational risk frameworks will be front and centre, have high profile in the Board Room and will be used to deliver something of critical importance to the financial system (resurrecting the unfashionable but most important concept from Basel 2 of the use test). No longer will operational risk be the poor cousin of the financial risks. It is now top of the regulatory agenda.

Operational risk is one of the few areas where it has been relatively common to hear practitioners say they would like to see more regulation and guidance (with the PRA’s handbook longer than War and Peace, it might be surprising for anyone to want more rules!). It’s a source of frustration for many practitioners that after a decade there is still enormous variability in approach between firms – even in relation to basic tools such as RCSA and to core concepts such as appetite and tolerance – and this highlights a lack of standardisation and maturity. The regulator’s focus on operational resilience may deliver what’s needed; what’s more, this is a global regulatory focus under the Basel Operational Resilience Working Group, so we can expect a large degree of global consistency in approach (countering the worrying trend of fragmentation in regulatory approach, whereby regulators have all too often ploughed their own furrow, creating an enormous challenge for global firms trying to establish a consistent global standard).

Cometh the hour, cometh the practitioner! It’s now time for operational risk managers to grasp this opportunity to demonstrate the value of their frameworks and tools and to ensure the regulatory-driven renaissance in operational risk management is not wasted again!