Here are FIVE ways to step up and create value for your employees, customers, stakeholders and investors!
And by the way . . . the regulators will like you too.
Operational Risk Management (ORM) (or lack of it!) was largely blamed for the financial crisis, yet nearly a decade later many banks are still operating as though ORM is just another flavour of market or credit risk. That approach favours no one as many banks shuffle along with insufficient expertise in ORM. Banks are missing the opportunity to create value in how they relate to customers, suppliers, investors and regulators, an opportunity they would see if only they were looking through the ORM lens.
The five-step overview discussed here is considered ‘Best in Class’. A complete framework will not come into focus overnight, yet once it is fully systematized, evidence of growth and increasing profits appears consistently.
I. Align your risk framework to the uniqueness of ORM:
a. Don’t confuse a framework for credit and market risk with one for operational risk;
b. Align your objectives to corresponding strategies and outcomes.
These two concepts are distinctly different and not interchangeable.
For ORM to make a difference, it must reflect operational objectives (the what), the strategies (the how), and indicators of progress (KPIs). Each different objective must be highlighted and aligned to different strategies and outcomes.
One of the key failures of ORM is the inability to state specifically which strategy is at risk of failing, which of the patterns that cause failure will repeat, and which operational gaps will turn a risk into a noticeable problem (firefighting, yet again).
When a systematized approach is used, the objectives, strategies and risks are aligned to allow the gaps and patterns to surface. This is unique to ORM. When gaps and patterns are continually showing up they become central sources of operational risks.
II. Assign clear roles, accountabilities and responsibilities: Beyond the traditional roles and responsibilities for risk, accountability is added so as to ensure that a governance structure is created.
Let’s not kid ourselves; most descriptions of roles and responsibilities are silent on risk. ORM needs to be translated into how it is part of the job, the processes, the use of technology, and interactions with fellow workers, with customers and with external sources, such as third-party suppliers.
Next, employees need to understand what their part of the ‘responsibility’ is and how to escalate, when necessary. If there is ambiguity, it will challenge the bank’s ability to consolidate ORM information.
III. Creating consistency with risk assessment and mitigation: Having a common and consistent methodology for the assessment of risk is critical even though mitigations will differ. Every assessment should consistently identify the patterns and gaps that continually show up. A consistent risk assessment process will identify how certain patterns in the bank are interdependent and contribute to a domino effect between what appear to be disconnected activities. This is what complexity has created.
Once a risk assessment is completed and mitigations have been proposed, often what has failed is the execution of that mitigation, due to the assumption that it can actually be done. To achieve consistency, it is important to highlight the bank’s ability to withstand the test of capability and capacity to mitigate within a specified or committed timeframe. This will reveal the competing priorities. With a consistent methodology the Board and Senior Management are alerted to key issues that highlight the decisions necessary to ensure mitigation is successful.
At no point is there any added value to copy a mitigation that has worked before. Circumstances, people and technology shift far too rapidly to be able to count on “this is how we did it before, and it worked.” It probably won’t. Repeat at your peril.
IV. Making ORM decision focused: For too long key decisions were made on the basis of backward-looking processes and experiences. Not enough time is spent on managing the gaps that create risk. How is your decision impacted when you become aware of an important gap in a key project? Ask what risk is created if a gap is allowed to persist. The responses may surprise you and lead to less than optimal decisions.
This occurs far more often than banks may admit. I see this happening in organizations on an ongoing basis. Gaps in capabilities are allowed to go on. Decisions are made with outdated assumptions. Many things fall through the cracks because of persistent operational gaps. The decisions made without a full forward-looking view into risk will impact cost, relationships, reputation, performance and effectiveness of the business, and more.
V. Quality of your talent must be greater than the quality of your controls: Knowing you have good risk controls is not enough! The best risk controls will fail if you can’t rely on the ‘risk managers’. The skills and experience necessary to have successful ORM is a combination that is relatively rare and takes time to develop. As the importance of ORM continues its rise, banks will be forced to play catch-up in developing a sufficient group of top-notch professionals.
Banks that have successfully managed their operational risks have felt the positive impact of lowering their losses, increasing revenues and reducing their cost of operations. In 2017 and going forward, new regulatory requirements for data protection add a whole new dimension to risk. Banks of all sizes that fail to continually update their ORM frameworks may experience regulatory intervention, if only to maintain banking integrity.
Don’t let your bank miss the opportunity to step up to the new levels of excellence in ORM.