By Karl Viertel
Until recently, many financial services institutions viewed operational risk as a "side project" next to the market and credit risks these organizations manage on a daily basis. The rise of new types of operational risk, increased reliance on a more complex supply chain of vendors, and the speed at which threats materialize have led to an increased focus on operational risk management by financial services institutions as well as regulators. Unfortunately, identifying and quantifying these risks is still a very manual process in many cases.
The continuous increase in operational risk is a direct consequence of various factors:
- Increase in the number of third parties and vendors that provide business support services.
- Data growth and cyber risks.
- Digitization of previously manual processes, among others.
Many financial services institutions and regulators recognize that the manual processes currently in place are no longer sufficient or cost effective to address this level of risk. Additionally, the fragmentation of GRC tools deployed in many organizations adds a huge burden to risk management processes, making it very difficult to obtain real-time risk insights.
So what exactly is so unique about operational risk?
Unlike market risk, operational risk can result directly from many potential sources. These risks can have a widely varying impact, ranging from human health and safety to reputational damage. Moreover, quantification can be particularly difficult: the expertise and skills needed to accurately quantify operational risk are as varied as the sources, and historical loss values require an enormous amount of context before they are relevant enough to be correlated.
Some financial services institutions refer to operational risk as non-financial risk. It is important to mention that fraud, data privacy protection, cybersecurity, ESG and infrastructure risks fall into this category.
Operational risk is manageable as long as the organization maintains its losses within the same level of risk tolerance (risk appetite), determined by balancing the costs of risk mitigation against the expected benefits of outcomes.
Operational risk management consists of five individual steps that will most likely equip your organization with an effective risk management process:
- Identify Risks: Review the task at hand, list all relevant risks, understand the scope of those risks, analyze and review current and future business strategy against the potential risks listed, and finally create a library of risks and related elements including policies and procedures, regulations, controls, tests and indicators.
- Risk Assessments: Assess your organization’s level of risk exposure as well as the severity of the worst possible event, determine the likelihood of the event occurring, and finally establish the level of risk. This should include risk qualification based on probability and potential impact and quantification which may include potential for financial loss as well as minimum, maximum and probable loss scenarios.
- Treatment strategy: define and implement the appropriate treatment strategy (acceptance, transfer, avoidance or risk reduction).
- Mitigation: Define and implement a mitigation strategy that includes control measures. Identify the control measures for each hazard, modify the process to eliminate the hazard (improve job design, limit exposure, provide additional training, establish warnings or cautions) and finally determine the effectiveness of the control measures by assessing the residual risk that remains after those measures are in place. Controls should be in place to limit the organization’s exposure to potential threats.
- Review and update: Risks should be reviewed regularly to ensure that the appropriate treatment strategy and mitigation measures are in place.
Essentially, these steps would repeat each time a new major risk event occurs.
Implementing the five steps outlined above into your risk management framework will guide your organization towards a much more effective risk management process. Other key elements of any financial services institution’s risk management framework should be:
- Risk and Control Self-Assessments (RCSA)
- Identifying risks
- Risk Quantification
- Internal and external loss events
- Scenario modeling
Ensuring the effectiveness of a fully integrated risk management framework requires continuous monitoring. It is the organization’s responsibility to ensure that the risk management process in place provides comprehensive coverage of the different types of risk (including operational risk), so that it can perform ongoing assessments of not only the individual components but also the success of the overall framework.
It is essential to select an easy-to-use solution that guarantees high user adoption in order to engage key risk players on an ongoing basis. It should convey a tone that emphasizes and encourages an active risk culture within the organization using agile methods of interaction. Additionally, the solution must be able to provide a methodical approach to quantifying risk exposure and appetite, without being too rigid. Finally, when identifying risk, the solution must be able to support a scalable assessment capability, rather than relying on manual, sample-based approaches.
Done correctly, integrated risk management will allow organizations to focus their spending on mitigating risk rather than identifying and managing risk.
About the Author:
Karl Viertel is responsible for Mitratech’s global GRC business as General Manager of the business unit. After working in the technology and risk divisions of Accenture and Deloitte, Karl co-founded one of the first RegTech companies, Alyne, in 2015. At the end of 2021, Alyne was acquired by Mitratech, the leader in legal and risk software.