Research by the world’s largest operational risk association, ORX, finds that operational risk is increasingly the top focus of Chief Risk Officers and Boards of financial institutions globally as they undergo digital transformation.
Simon Wills, ORX Executive Director, explains: “What we’ve seen over the last 10 years or so is that the focus has shifted for financial institutions towards effective management of operational risks such as conduct, cyber and outsourcing.”
These days, according to Wills, financial institutions are as concerned with protecting their highly valuable digital assets and reputation with customers as they are about protecting against financial market or credit losses. He believes that this focus on digital is the next big structural change in the financial services industry, representing a huge shift in how banks and insurers provide services, who they provide them to, the channels they use and the legal environment they operate in.
Mark Cooke, ORX Chairman and Group General Manager at HSBC adds: “If you look at banks and insurers today, they are largely technology companies that provide financial services. As we move to change the way we operate with our customers and as we use new digital channels, we are in effect changing the nature of our business. We’re changing the pace, we’re changing the availability, and we’re having to manage the consequences of that to ensure we provide those services reliably to our customers, protect our customers’ information and make sure we remain compliant to regulations.”
It’s for this reason that operational risk is becoming such a big differentiator between those financial institutions that succeed in their digital transformation strategy and those that don’t.
Focus on operational risk
“It’s even more important for a bank or insurer than most companies to be focused on operational risk when trying to achieve digital transformation”, Wills argues before adding: “We’re talking about highly sensitive and personal data involved here, and people’s whole lives can be impacted if things aren’t managed effectively. Unlike many industries which have adopted a ‘move fast and break things’ model to innovation, when people’s pensions, bank accounts or livelihoods are at risk – and when you operate in a heavily regulated environment – you just can’t afford to change without operational risk involvement.”
Operational risk is not something that can be bolted onto the end of a strategy, however. Cooke emphasises, “it has to be part of your original strategy.” He adds, “if we want to enter a market or provide certain services, we need to understand what can go wrong and take a considered view of how much we can control those uncertainties. Operational risk is about balancing the cost of controls with the opportunity that’s presented, and that should be central to any strategy.”
What we’ve seen over the last 10 years or so is that the focus has shifted for financial institutions towards effective management of operational risks such as conduct, cyber and outsourcing.
Whereas it is positive that operational risk is a key concern for Chief Risk Officers in business change, ORX believes that financial institutions should be considering operational risk differently.
Wills explains: “Achieving your digital strategy will be far easier and you’ll have a much better outcome if you’re good at proactively managing operational risk. As a discipline, however, we’ve grown up quite organically because the risks flux more than traditional financial risk types and are therefore much harder to monitor and predict.”
Operational risk is changing to address what ORX describes as the modern needs of financial institutions and the prerequisite to keep up with the fast pace and volume of change. Whereas previously the discipline tended to be backward-looking – following textbook methods and frameworks to measure past risk events – a recent trend noted in ORX research is that many organisations are seeking to become more forward-looking with their approach. For example, deployment of advanced data analytics, artificial intelligence and machine learning tools is becoming increasingly popular for pre-empting activities such as fraud as the volume of available data increases.
Wills notes: “What we’ve seen recently in our membership is Heads of Operational Risk stepping back, looking at their practice and considering what to keep, what to leave behind and what to do that’s new in order to do operational risk both more effectively and more efficiently.”
Breaking up silos
One of the biggest challenges faced by businesses is how broad operational risk is as a discipline. Wills adds: “This can cause different silos managing specialist areas of operational risk such as cyber, conduct and outsourcing, and means that everyone is talking different languages. When this happens, you’re trying to manage huge operational change with silos working independently, making it very hard for senior executives to keep track of the big picture view.”
ORX says operational risk is becoming an umbrella function, which it explains is about the discipline making the move to providing an overarching framework and consistency across specialist areas of operational and non-financial risk.
Cooke adds, “The umbrella approach allows organisations to identify the risks that matter to their strategy and then coordinate how to go about controlling them in the most efficient way possible, which often requires trading off one risk type versus another.”
The future of operational risk
What’s clear is that the next five years will see a big shift in how financial services are delivered and with this, a big shift in what needs to happen in the operational risk space to keep pace. Wills highlights three key things that the discipline needs to do better: “Firstly, there’s a big demand across the industry from senior management to give them a better picture of the risk horizon so that they can understand what’s coming towards them. Certainly, using artificial intelligence and unstructured data is important, but so too is leveraging the people skills you have in order to identify those risks more effectively”.
“Secondly,” he continues, “we need to become more dynamic in the way we manage operational risk. Instead of just running programmes because it’s on the schedule, it’s about standing back and deciding when, where and how to intervene based on the need as opposed to just doing operational risk exercises for the sake of it.”
Wills’ final point is that the discipline needs to evolve to achieve a better trade-off between the risks themselves, and the cost to control these risks. He comments: “At the moment, we are focused on understanding the risks. The next big challenge for the future is to really get a grip of the control environments and their costs.”
Checklist for Change
To conclude, effective operational risk management is vital for effective business transformation, but in order to best support the change agenda, operational risk needs to evolve. By being a platform for the world’s operational risk community to come together, ORX is supporting this evolution. For example, they have recently produced a ‘Checklist for Change’, which is available from the company’s website. Born out of a research piece about how to transform safely, the checklist provides a list of key questions for Heads of Operational Risk and their teams to consider when they address business change.
Wills’ culminating thoughts are that: “the pace of change isn’t going to slow down and the business is not going to wait for the operational risk team to catch up.” One of the ways organisations can keep ahead of this curve, he continues, is by collaborating with a peer group. “This is ultimately why ORX exists; we help the industry come together to find common solutions to common problems more quickly.”
ORX’s next major piece of work in 2020 is supporting senior risk professionals to undertake a strategic review of how the operational risk discipline needs to advance in order to support transformation across the financial services sector. All of this points to the fact that there’s a real opportunity with effective operational risk management to safely deliver digital transformation.