August 16, 2021

Operational Risk Management: Back to the future

Charu Madaan
Global Head of Non-Financial Risk
CRISIL Global Research & Risk Solutions

Mark Linter
Senior Risk Advisor
CRISIL Global Research & Risk Solutions

If you were Marty McFly steering a flying DeLorean, how would you like to change the mistakes of the past for a better future of operational risk management and of business itself?


Risk is about chance, and the twin posts here are about giving risk professionals and the discipline we are so passionate about – a second chance.


As risk professionals, we see an ever-expanding role for operational risk management (ORM) in the financial markets.


We also acknowledge that the existing standards and approaches have failed on multiple occasions.


Given siloed processes, flawed models, legacy systems, heightened regulatory scrutiny and inadequate resources, this is our chance to take the bull by the horns.


The four themes we explore in this two-part post are inspired by these emerging threads from our recent webinar:


  • Do existing ORM standards adequately cover the management of operational risk?
  • Are there opportunities for better scoping and integration of various elements of ORM – technology risk management, business continuity management, transaction process risk management, cyber and compliance?
  • How do we ensure sustainable solutions and operational resilience in a constantly changing business environment?
  • And finally, what are the challenges in implementation of ORM and opportunities for improvement?


Do existing ORM standards adequately cover the management of operational risk?


They do not.


One, the refrain was that ORM requires principle-based standards. Existing ones are insufficient, as they do not address the challenges faced by the business and merely define the subject and/or describe the standards.


Two, there is a lack of standardisation globally. Organisations can choose from a raft of models and methodologies for managing their ORM needs, ranging from Basel to the Office of the Comptroller of the Currency, the Prudential Regulation Authority, the Australian Prudential Regulation Authority and ISO. Not to mention all the consulting interpretations across the globe by the Big Four and beyond.


Ergo, many firms struggle to find which is most suitable for them or to deploy an adequate risk strategy.


One could view the need for standards itself as a lack of capability in the risk function. But remember, ORM is a fairly new discipline in comparison with its counterparts such as credit and market risk. It is like a young adult stepping out of teenage years, still learning the ways of the world, but ready to take it on.


But it is an unforgiving terrain. While ORM is still learning from major and not-so-major risk events, the playing field itself is constantly changing, with new types of operational risk introduced every now and then for businesses to manage.


Appropriate standards must be based on principles, leaving the development of the finer operational norms and procedures to each institution in scope.


Those reviewing these standards must focus on existing maturity, use-testing, lagging and leading indicators, and business challenges.


Standards do not need to change by industry and should cover all financial services.


A one-size-fits-all approach will not work anymore. Implementation should be tailored to reflect the scale and complexity of each organisation.


Are there opportunities for better scoping and integration of component elements of non-financial risk management?


ORM has always had a knotty relationship with other control functions, especially compliance. This is still costing organisations grief in terms of risks falling between the cracks, leading to huge remediation costs.


Many organisations are creating complicated processes and systems to manage these risk interdependencies (between financial and non-financial risks, and across the various categories of operational risk), spending millions on restructures and remediation programmes.


On the other hand, many global approaches view operational risk from an integrated risk and assurance perspective. This involves looking at the organisation's risk profile holistically, and converging risk-assessment methodologies and programmes for both financial and non-financial risks. Such an integrated view gives a more comprehensive picture of risk maturity, and allows efficient prioritisation of management efforts.


So is a risk-based standard of principles the solution? The answer can be found only by looking at what has worked well for organisations and where the gaps are. There is a need to use-test the ORM philosophy and methodologies for all risk categories.


There’s another crucial gap. Risk methodologies for each of the sub-categories of operational risks are generally driven by bespoke certification bodies or institutes, which have developed certification programmes for risk professionals who want to specialise in a particular risk domain. But regulatory bodies are still catching up with these requirements.


One such example is cyber risk. Various global regulators still lack appropriate direction and alignment in thinking when it comes to cyber risk, whereas certification bodies and consulting organisations have already developed a plethora of methodologies and guidelines to address these concerns (and rightly so). The pace at which the industry is moving needs to be matched by regulators and risk professionals in the currency and efficacy of standards.


How do we ensure solutions are sustainable and ensure operational resilience in a constantly changing business environment?


That was really the crux of our discussion. Whatever pathways we choose forward, the objective should be to make the change sustainable. Organisations are running an insane number of programmes to address existing requirements or gaps. But the business not only needs a breather but also some assurance that there is light at the end of the tunnel.


Fundamentally, what needs to be examined is how ORM supports the operational resilience of an organisation and, more broadly, of the industry itself. For it is the response, maturity and resilience of organisations towards risk events, past and present, that will define the success of standards.


Regulators view operational resilience more broadly than operational risk management maturity.


But organisations are busy developing new frameworks and operating models to address their resilience targets rather than leveraging what they have achieved for ORM. One such example is the appointment of chief resilience officer(s) to take their agenda forward. But what is the agenda?


Any focus on resilience must integrate and leverage other control functions and standards, as we discussed under our previous theme.


Conclusion


As ORM and its associated standards continue to evolve, we will require more sophisticated insights into customer behaviour and emerging threats, greater data science capabilities, and an enhanced understanding of emerging risk disciplines such as cyber and third-party risk. But when it comes to designing, implementing and embedding effective ORM, or any other risk standard, simplification, convergence and enablement must be the way forward.


For sure, the ‘Doc’ configured a fancy time-travel machine. But at the end, it was a human’s presence of mind that saved him from getting shot.


To go through the details of our event 'Disruption in Operational Risk & Regulatory Compliance in Australia - Keeping pace with the changes', click here.