Going Beyond Capital Calculations and Adding Business Value

The 15th Annual OpRisk Europe Conference hosted by Operational Risk & Regulation Magazine recently took place in London.  With record levels of attendees, the conference raised a number of interesting perspectives and discussion points, some of which we've shared below and would love to hear your views on.

Increased Focus on the Operational Risk Framework/Mechanisms

• Both financial institutions and supervisors alike claimed that there should and would be more focus on the organisation, its culture, individual behavior (particularly that of senior management), ethics and conduct, rather than the current predominant focus on capital calculation when it comes to the management of Operational Risk.
• As a member of The Basel Committee's standards implementation group (SIGOR) pointed out in one presentation, in general, loss experiences during the financial crisis suggested that banks using the Advanced Measurement Approach (AMA) were systematically undercapitalised and that the spate of rogue trading losses again were "at odds with the high confidence levels these banks used in their AMA models."
• It was also pointed out that SIGOR are actively seeking to address credibility issues and improve standards of best practices around internal capital models, as they recognize that, as Operational risk models are less mature, they allow a range of practices and suffer from a lack of credible benchmarks.
• The industry level SIGOR review, plus the examples of widely reported undercapitalised AMA organisations that were exposed following the recent large loss events, will likely lead to a deeper look at the overall mechanisms and frameworks used to manage Op Risk/Op Risk Capital by supervisors and less on the "comfort" taken by the figures themselves.
• In line with this, conference discussions indicated that, whilst the deployment of the three line of defense model and how it is being "lived" will continue to be a main area of interest for supervisors, there is likely to be an increased focus on Audit processes, systems and resources in particular - perhaps the least examined of the three lines of defence.  A point reflected in the increased client discussions we are engaged on how clients can systemically improve their risk based auditing, ensuring it is well integrated into existing Governance, Risk and Compliance solutions and processes.

Engaging Senior Management and Changing Company Culture and Scenario Management

• With the expected increased supervisory focus on behaviour (company and individual), ethics and conduct, there were many discussions and calls for actions such as the inclusion of appropriate cultural/behavioral/conduct type key risk and control indicators and greater embedding of the "risk footprint" across all three lines of defense through enhanced/improved engagement, training and documentation to support the rolling out of enterprise level risk management systems.
• Without the appropriate top down support, changing company culture is inherently more difficult if not impossible.  One potential area discussed at the conference to address this, is to actively engage senior executives through scenario management.  Getting the management teams to sit down with the Op Risk and Business teams to work through the potential major problems and possibilities often opens their eyes to issues and solutions they had previously little exposure to or engagement with.
• Linked to this topic, it was clear that scenario management itself is becoming an increasingly important focus area for regulators.  For example, following a recent major IT outage in the UK, the regulator contacted the bank involved to request all appropriate documentation surrounding the area of IT risk and Business Continuity Management (BCM).  This included risk and control reviews and assessments, management reports etc. and the appropriate IT Risk and BCM scenarios - all within a very short timeframe for examination.  A difficult task to complete without having a robust, complete, up-to-date and well managed framework that includes all the various components that a regulator wants and needs to see and can be consolidated and presented in a short space of time.
• As an incentive to change, money clearly still talks and organisations, in line with previous regulatory calls, discussed how they are increasingly exploring means to better link compensation to more "restrained" risk taking behavior and conduct.  If people don’t meet their "risk targets" and/or "conduct targets" then bonuses will not be paid.

Not All Technology is Helping!

• In various discussions, managing and making sense of the huge and varying data points within their organisation required to do their jobs was crucial and in many cases the systems in place to help achieve this were diplomatically put "less than helpful."
• Issues such as over complexity, poor usability, difficulties in making simple screen/workflow changes themselves, minimal integration at a system level between the three lines of defence, poor auditability and a lack of usable analytics were just some of the points cited as causing additional and unnecessary problems.
• In many cases,  one, or often a combination of these points had gotten so bad that this was causing the company to seek entirely new solutions and reassess their strategic view of what they wanted and needed their technology to achieve.
• These issues seemed to multiply in discussions with attendees who often had to work with multiple systems and/or in-house systems or spreadsheet based tools that were no longer capable of matching demands and requirements.

We would love to hear your views on the topics in this blog or any other topic related to how you manage Operational Risk, either as a standalone function or as part of a broader GRC or ERM framework.  For example:

Do you agree that organisations and regulators are currently focused too heavily on capital calculation and less on the risk management framework and company culture?  How do you define a cultural KPI/KCI that is both easy to understand and can be measured?  What are your challenges in actively involving senior management in the risk management process and what techniques would you recommend to really embed the "risk footprint" across all three lines of defense?