Operational Risk Management (ORM) - Key Challenges and Making ORM Work
Mohammad Salman Khan
Founder & CEO at KYR Consulting, Training & Advisory Solutions | Empowering Organizations with Resilient, Sustainable Risk Management Solutions | Guiding Businesses to Confidently Navigate Today’s Complex Risk Landscape
Many banks have a tough time understanding, measuring and managing the interconnected factors that contribute to operational risk including human behavior, organizational processes and IT systems. They find it challenging to create cultural, governance and management structures that can systematically control these risks. Instead of taking a deeply integrated, proactive and long-term approach to ORM, they end up managing operational risk with reactive short-term measures.
As banking becomes more customer-centric and customers increasingly use digital channels, banks can gain greater visibility into what their customers, employees and IT systems are doing and better insights into what could go wrong. With digitalization and straight-through processing, banks can reduce or eliminate human intervention in many transactions, thus containing the risks of employee error and fraud.
Managing operational risk: Four areas to watch
Banks that take a comprehensive approach to ORM recognize four broad areas that need attention. The first is people. Even in a digital age, employees (and the customers with whom they interact) can cause substantial damage when they do things wrong, either by accident or on purpose. Problems can arise from a combination of factors, including intentional and illegal breaches of policies and rules, sloppy execution, lack of knowledge and training, and unclear and sometimes contradictory procedures. Unauthorized trading, for example, can cause billions in direct losses and multimillions more in regulatory, legal and restructuring costs.
The second area is IT. Systems can be hacked and breached; data can be corrupted or stolen. The risks banks face extend to the third-party IT providers that so many banks now rely on for cloud-based storage and other services. Systems can slow down or crash, leaving customers unable to access ATMs or mobile apps. Even the speed of technological change presents an operational risk. With the cyber landscape evolving so rapidly, banks can have trouble keeping up with new threats.
The third area is less tangible than the first two, but no less important: organizational structure. By setting aggressive sales targets and rewarding employees for how well they meet them, bank management can encourage, and, in some cases, explicitly condone inappropriate risk taking. Such activity, when exposed, can lead to management changes, shareholder losses and regulatory fines.
The fourth area that vexes ORM planners is regulation. Since the global financial crisis, regulators have increased the number and complexity of rules that banks must follow. Banks that operate in multiple jurisdictions can face overlapping, inconsistent and conflicting regulatory regimes. Lapses can be expensive and embarrassing, triggering regulatory sanctions and customer defections. As is the case with technology, the speed and magnitude of regulatory change can be daunting. Even as banks are trying to contain costs, they must invest in the people, systems and processes that foster compliance.
Taking a comprehensive approach to ORM
Banks that understand the critical areas that drive operational risk can build an ORM framework buttressed by four guiding principles:
The first step to building an effective ORM capability is to fully assess the bank’s existing risk profile and then construct a database and a map of all internal and external operational risk events. The bank then develops key risk indicators (KRIs) that serve as early warning signs of potential problems. Management publishes some of these KRIs within the organization, and it uses others as part of its ongoing ORM surveillance. Once the bank identifies and categorizes each risk, it can decide on mitigation options.
Next, the bank clearly articulates its overall appetite for risk. This is partly an exercise in setting goals for financial measures, such as the amount of capital the bank is willing and allowed by regulators to have at risk, but it is equally a matter of establishing the bank’s cultural and governance priorities. Management sets the tone with its behavior, decisions and actions.
The key to effective ORM is training people to anticipate what could go wrong, especially when a business unit is about to do something new, such as introduce a product, change a customer interface, alter the way employees are compensated, or outsource part or all of a core business process.
Anticipating and proactively deterring operational risk events becomes especially critical as banks reorient themselves around the customer experience. Any change to the way a bank onboards customers, creates and launches new products, or targets new customer segments has the potential to create new operational risks or mitigate existing ones.
Operational risk is driven by complex, interconnected factors that can be difficult to disentangle, including human behavior, organizational processes, change agendas and cultural issues. Banks that formulate a winning approach to ORM create a risk culture based on formal rules on governance and capital requirements, as well as intangible elements such as training and leading by example. They make use of advanced analytics and machine learning to monitor constantly and/or to learn continuously from experience.
Banks that are integrated and proactive about the way they manage organizational risk can realize real financial benefits and, more important, help prevent the kind of catastrophe that can have consequences for years to come.