Blog: Risk

Charu Madaan

July 28, 2021

Reimagining the operational risk management paradigm

Charu Madaan

Global Head of Non-Financial Risk

CRISIL Global Research & Risk Solutions

 

Mark Linter

Senior Risk Advisor

CRISIL Global Research & Risk Solutions


The tangled web of global operational risk management standards, and the inability of firms to embed them effectively in first-line business practices, have been causing heartache and frustration for a long time.


When it was introduced as a risk discipline in the late 1990s and early 2000s, operational risk management was intended to create transparency and visibility around the management of business risk.


The initial aims were to define how robust management should function and to create ring-fences through layers of defence.

 

Unfortunately, over time these have grown into a maze of fiendishly complex processes, some of which dilute rather than strengthen effective management and oversight.


For their part, financial institutions continue to interpret the multitude of regulations and to apply operational risk frameworks, processes and risk-control disciplines in the hope of preventing risk incidents, even as blind spots keep surfacing.

 

The origins of operational risk


A little rewind would be in order. 


How was operational risk defined at the outset? Starting from the catch-all notion of 'all risks other than market and credit', the Basel Committee on Banking Supervision's Sound Practices for the Management and Supervision of Operational Risk, released in February 2003, defined operational risk specifically as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events".


That is a broad description, one that "includes legal risk, but excludes strategic and reputational risk".


This raises the question: is reputational damage a risk in its own right, or merely the consequence of a failure to manage risk?


Having such a broad starting point from which to identify and manage operational risks makes sense, for three reasons.


One, it captures a number of common elements that cut across the various risk disciplines and operational risk categories.

 
Two, it gives firms the agility to adjust their management techniques to their own size, complexity and nature of business.


Three, it serves the purpose of regulatory bodies by ensuring that the majority of incidents fall within the definition.


The Basel guidance has been revised since, most recently in 2021, and continues to receive attention as the global financial industry keeps falling short in adequately managing these risks.


Global regulators use the principles to develop standards that are enforceable in their own jurisdictions. But those standards, which dictate the way firms design and act on their operational risk management structures, are varied and disparate.


Further, the inability to embed these principles in business practices calls into question both the methods used and the capability of the risk resources within financial institutions.

 

These differences, and the challenges of implementation, have spawned copious documentation by risk theorists. In some cases this has led businesses to lose sight of the Basel Committee's original objective: transparency and visibility around the business management of risks.

 

Lost in a sea of risks


Many firms, driven by caution, set out to identify every risk imaginable rather than focus on the material ones.


Such practices have severely distorted target operating models for the management of operational risk. The classic three lines of defence frequently sprout additional layers, each requiring large numbers of staff to fulfil the stipulated processes.


All of this inflates the scope and cost of risk-transformation initiatives, such as restructurings, GRC (governance, risk management and compliance) system implementations, control remediation, and remediation following regulatory reviews. Even so, some firms still end up incurring penalties for inadvertent infractions.


Variations in geography, regulatory nuance and institutional capability have only added to the unresolved issues, leaving businesses and risk practitioners perplexed.

 

Citi Revlon, DB, UBS and Australian financial institutions: what do they tell us?


Today, the financial size and impact of reported operational risk incidents and losses are rising, which shakes customer and shareholder confidence.

 
In the recent Citi Revlon case, a legacy payments system that depended on manual checks allowed a simple clerical error to become a loss of more than half a billion dollars. Every element of the operational risk definition that could go wrong, people, systems and (control) processes, went wrong at once.


The same can be said of the costs and fines that followed Australia's Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, which traced the misconduct it uncovered back to failed internal control processes and systems.


The upshot is that investment in technology and automation can help prevent this kind of operational risk breakdown, provided the controls it replaces are understood first.

 

Post-pandemic truths


As we begin to emerge from the global pandemic, it is clear that the risk profiles and business practices of many financial institutions are changing. Firms now need to think much harder than before about how they ensure compliance and appropriate conduct, and how they manage reputational, legal and people risks, especially with so much of the workforce working from home.


This changing ecosystem forces us to ask whether we defined, or even correctly understood, the scope of operational risk management in the first place, and whether we have the right resources to address the new environment. Financial firms are already acutely aware of this, and their own pandemic response is altering how they view operational risk management.

 

Art of the matter


If all of this is so clear, what is not working? What have we failed to learn from past and present failures?

 
Operational risk management is about the ability to influence. To influence, you need to be relevant, and to be relevant, you need to understand the business and its drivers.


We also need to recognise that risk management is an art. A risk manager's experience, expertise and judgement need to overlay the processes, systems and frameworks, not be replaced by them.


There is nothing wrong with sound-practice manuals, which are largely common sense. It is their implementation, and their embedding within businesses, that has failed.


Put another way, might they have worked if the manuals had been written in language the business could relate to, and embedded effectively in existing business practices?

 

Pressing reset


The industry, regulators, and business and risk professionals need to pause and reconsider the direction they have taken over the past two decades.

 

With supervisors sharpening their focus on non-financial risk management, now is the chance to work with regulators and the broader industry to ensure that new standards are well considered and designed with the right outcome in mind.


At the same time, we should stop adding layers of policies, processes, systems and redundant controls to an already failing ecosystem. Doing so consumes bandwidth on ineffectual pursuits and absorbs a considerable number of inappropriately skilled, and therefore ineffective, resources.


It is time to bring in new methods, appropriate operating models, and resources that keep material risks front and centre of the operational risk management paradigm.