Article by Richard Pike, Non Executive Director at Permanent TSB. Richard Pike will be presenting at our New Generation Operational Risk 2016 Summit talking on Effectively Reporting Accurate and Complete Reports to the Board.
Operational risk has been around as a discipline in Financial Services since early the 2000s. Over those years it has grown to be an important part of any risk department in most financial institutions. Operational risk has also brought new tools and techniques to risk including RCSA, Loss recording, and Op Risk capital calculation.
While there have been many successes for the Op Risk community over the years, the discipline is still fighting to prove its strategic value to senior executives and board members. Due to recent events it is now clear to all financial firm executives that operational risks can have very serious consequences in terms of direct losses (including fines), regulatory & client relationships and reputation. So if Operational Risk managers can show that they can in fact assist in limiting these effects they will have earned that treasured seat at the top table.
As Op Risk is a second line of defense function in most firms, its focus has to be on providing clear and concise information to the business in order for them to make decisions about managing the risks. When the business considers Op Risk to have most of the relevant information to help them make a decision they will ensure that Op Risk is at the table when those decisions are being made.
Op Risk has made great strides in terms of capturing and processing data. Loss event recording programs, RCSA workshops, KRI maintenance projects, etc. have all been implemented successfully across the industry. Unfortunately, not enough time and effort has gone into the analysis and clear reporting of this data in the correct context.
There are a number of challenges that the discipline is facing with current tools and techniques that I suggest have to be overcome before Op Risk can claim to be proactively analysing and reporting Operational Risk.
We have all struggled with the problem of too much or too little information in reports. The nature of Op Risk means that there will never be a one size fits all report, however we need to set the bar a lot higher in terms of making reports that show the right information to the right people and that are presented in the context of the business decisions being made.
There are too many units of measure in Op Risk and within individual firms. Op Risk teams will provide results in terms of RAG status, OpVaR, Loss amounts, KRI limit breaches, issue numbers etc. It is also often not clearly defined how material these values are in respect of the business objectives of the firm. All of this makes it very difficult for the business to answer the ‘So What’ question.
Capital Calculation Challenge
The issue of Op Risk capital is a very thorny one, but in general the capital calculation has to be more relevant to the business as too many business executives feel that the process has no relevance to any business decisions they make and is simply a regulatory exercise. The current debate needs to be focused on coming up with models that can be closely related to and be effected by the business.
Op Risk is replete with situations where individual risks have multiple causes and effects that manifest themselves across multiple reporting dimensions (legal entities, processes, regulations, etc.). Often risk people and/or business people will identify these interdependencies but as they cannot be recorded in the risk systems they are noted in an informal manner or at worst forgotten. This sort of information is of huge value to the business as it is normally not clear to them from their individual silos and so it needs to be identified and captured correctly.
Line of Sight Challenge
Op Risk has, in general, failed to give a ‘line of sight’ to senior executives into the risks that they are taking and how they might affect the attainment of their objectives. This is mainly due to the fact that there is no clear manner in which to aggregate data across the various reporting dimensions. This challenge is partly created by the ‘materiality challenge’ set out above. The result is that when the business asks to look behind a particular report or result they are told that it is a mixture of different metrics (often subjective and from different systems) and therefore there is no clear way to ‘drill down’. This leaves business people with a feeling that there is ‘hocus pocus’ going on somewhere and that the reports cannot necessarily be trusted.
As the recent financial crisis starts to fade into the past (hopefully) and focus turns to capital levels and ROE there is a great opportunity for Operational Risk to show the business that it has the information and the analytical capabilities to add real value to business decisions at the most senior levels. In order to achieve this Operational Risk practitioners have to focus on upgrading the tools and techniques they use to analyse and present the data they have. If the New Generation Op Risk can surmount the challenges set out above it can earn an important role in the strategic future of financial institutions.