August 18, 2021

Operational Risk Management: Keeping it real

Charu Madaan
Global Head of Non-Financial Risk
CRISIL Global Research & Risk Solutions

Mark Linter
Senior Risk Advisor
CRISIL Global Research & Risk Solutions

In a co-post, we looked at three of the four major Operational Risk Management (ORM) themes discussed at our recent seminar. The fourth – on challenges and opportunities in ORM implementation – warranted a separate focus, given the heaps of experience we had to share, and reflect on, over years of living and breathing this profession.


Holding a mirror to all those learnings helped us crystallise the most important challenges and gains in reimagining ORM. 


The first challenge we identified is the sheer language of risk – and how to simplify it


For many business users, ORM jargon can be baffling. Standards and risk language are not expressed in business terms and are not easily understood within business-as-usual processes.

For instance, what we refer to as ‘probability/likelihood’ and ‘impacts’ for one category gets captured as ‘vulnerability and threats’ for another one.


These differences are real and important, but when it comes down to managing the business, what the user needs is less officialese and more direct speech.


Further, we use many technical terms interchangeably, referring to both the process and the overall risk management approach (transaction risk, operating risk, control risk, control environment, and ERM). Risk professionals may cope with this, but for organisations the confusion can make all the difference, hindering their decisions on how to structure, define, scope and manage business risk in a way that is commercial, compliant and effective.

The second is skills – getting the right people with a well-adjusted mindset


The operational risk manager’s profile is changing. Both the demand for these experts and the tools they develop as they fulfil their mandate have evolved.

Gone are the days when the risk manager needed to be only a technical person dedicated to the risk function, consolidating data from all the others. They are now expected to partner more with the business and other functions, which requires an understanding of all aspects of the business and of the other control functions.

In addition, technological capabilities are opening new horizons for risk professionals as well as disrupting markets. The advent of cloud computing, Big Data, Machine Learning and cognitive computing is making some of the traditional risk manager’s functions obsolete or automated.

A new risk mindset must be developed to enhance this capability: a mindset of partnering with the business and being its trusted advisor. The new risk manager needs to get involved in the decision-making process sooner than before.

And ultimately, we are in the business of dealing with people, not just data and systems. So soft skills need greater focus. A risk manager is more of an influencer than a decision maker. What they can achieve by partnering with the business in real time cannot be replaced or replicated even by the best of technologies.


Are the lines-of-defence models working? That was the third challenge we deliberated upon


Current operating models are not optimal. The lines-of-defence and operating models for ORM have led to countless debates and restructures across global organisations, with millions of dollars spent. Much of the argument centres on what the roles and responsibilities of the business, the risk function and audit are when it comes to managing risks.

Multiple schools of thought wrangle over how an effective lines-of-defence model should operate. But strangely, all of them lead to the same conclusion – that organisations need to establish a transparent and seamless operating model when it comes to risk management and maturity.

What works for one organisation might not work for another and that’s ok, as there is no one-size-fits-all approach to a target risk management operating model.


We have personally seen organisations with thousands of risk managers in the second line but still struggling with regulatory enforcements and undertakings.


Then there are those with only a handful of employees in the second line, but leveraging advanced data techniques and enabling the business to make real-time decisions.

What stands out about the more successful organisations is that they embed ORM in day-to-day business decision making – not by creating a layer of first-line assurance professionals, but by educating the businesses and enabling them to adopt a growth-plus-risk-management mindset.

Upshot: too much emphasis on embedding risk resources in the business leads to a lack of direct business ownership.

Creating structures to embed three-lines-of-defence and RACI (responsible, accountable, consulted, informed) models without understanding the capability and capacity of the business to handle them is a recipe for disaster. We will deliberate on some success stories in this regard in a separate post.

Our fourth stumbling block is the opportunity cost and legacy of large risk transformation programmes


These programmes (for instance, implementation of a new governance, risk and compliance – or GRC – system, a new operating model, or a programme to address an enforcement action related to culture and conduct) are not the solution. Rather, they are a path to attaining risk maturity without the business absorbing the cost of effective risk management.

They not only require considerable resources and funding but again detract from business ownership. What looked good a few years ago is relegated to history because of a regulatory enforcement. With that comes a new operating model or another restructure, and with it the knowledge, the hardships and the learnings of the previous model are thrown away.

Thus, even after billions of dollars of spend globally on ‘maturing’ the risk management functions, the business does not see value in ORM practices.


Today, theoretical processes are getting in the way of practical implementation as part of business as usual. Business and risk functions are still unclear on what maturity looks like. Reactive and retrospective risk management practices are not value adding. There’s a lot to learn from how businesses are dealing with their customers.


There is definitely a need for a more precise definition of what constitutes maturity.


But even as we wring our hands, customer journeys, real-time support, digital platforms and user experience are paving the way for the future of ORM.

Increased use of data and analytics to support decision-making is imperative. Real-time analysis, indicators and reporting are essential to business maturity.


The problem is not the system, the data, the process or the framework in isolation, but how these are aligned and leveraged – by the right type of people – to arrive at business decisions.

Last, but not least…


Have we really learnt from some of the recent events, including the Royal Commission and APRA Prudential Reviews, or have we merely adopted a tick list remediation plan?


Incidents and issues persist and inadequate governance is not changing behaviours.


I’ll leave you with this thought: culture and conduct are key to enabling any risk-positive shift. But they are not given their due. Businesses have, so far, only adopted theoretical approaches to address this. A good culture and strong conduct will implement standards. A weak culture and conduct will bypass or ignore them, no matter how good the standards themselves are.

We will share more on this, in an upcoming post.


[Figure: Responses from polls conducted during the Discussion Forum ‘Disruption in Operational Risk and Regulatory Compliance in Australia’. Polls were posed to 95 senior risk professionals from 24 leading banks and other financial institutions in Australia.]

To go through the details of our event ‘Disruption in Operational Risk & Regulatory Compliance in Australia - Keeping pace with the changes’, click here.