The Evolution of Operational Risk and Its Real Challenges We See Today & Beyond
Over the course of the last decade, operational risk management has evolved into one
of the biggest concerns organisations face. In the financial services industry, as a result
of technological advancements, organisations have grown in both size and complexity,
developing multifaceted networks of products and services. These networks present
both opportunities and challenges, internal and external, that companies must overcome.
Issues must be managed correctly if companies are to avoid incurring losses
from operational risks. Inadequate processes, inefficient hardware and failure of existing
systems can cripple operations. Communication breakdowns, employee error, cyber
crime, political upheaval and fraud also present potential risks.
Financial institutions (FIs) must have processes in place to deal with such risks and foster
the right approach. An FI’s attitude toward and relationship with risk has a significant
bearing on its ability to generate revenue. It influences behaviour, which has both
intended and unintended consequences. Moreover, risk considerations can determine
an FI’s business model, strategy and culture.
The financial crisis, the rise of cyber criminality and the emerging tech and data
revolution, have reshaped risk management. In the aftermath of the crisis, FIs have been
subjected to more regulation, much of which has been burdensome. To cope with these
regulatory demands, FIs have been forced to introduce additional and specialised
operational frameworks, rather than a core framework that can accommodate risk
management with common attributes.
Prior to the crisis, few institutions took a holistic approach to risk or fully understood the
impact of their strategic decisions. In the post-crisis reality, a solid operational risk
management framework creates a relationship between an FI’s strategic goals and
operational activities, and the decisions of its management team. This can help protect
against losses, liabilities and brand damage.
The right risk strategy will encompass everything about an organisation. A ‘root and
branch’ analysis is required to design an effective operational risk management
programme. Factors such as security, safety, internal controls, policies, procedures,
employees, cash handling, inventory and liability coverage should be considered. The
potential damage that each risk factor could cause to the company should be explored.
Then, efforts must be made to mitigate or transfer those risks.
We cannot forget that operational risk remains a serious threat to the financial industry,
as evidenced by the material operational risk losses suffered by financial
institutions over the past decade. Enterprise risk management (ERM) is the overarching
process that provides a single view of all risks within an organization. Such risks include
financial, operational, and strategic risks. By definition, ERM employs a comprehensive
system to assist business leaders in identifying, measuring, prioritizing, and managing
risks that affect their strategic business goals.
Operational risk forms part of ERM, and it is defined as the risk of loss, or other adverse
consequences, resulting from inadequate or failed internal processes, people, systems,
or from external events. Operational risk includes legal risk but excludes business and
strategic risks. Over the past 10 years, financial institutions, in particular banking, have
suffered from very significant operational risk losses suggesting that this is a risk
discipline that simply cannot be ignored. Operational risk is pervasive and its
manifestations can occur on a large scale. Operational risk losses used to be
reported in the millions; now these errors are being quantified in billions of dollars.
Financial institutions such as banks, insurers, hedge funds, credit unions and others must
continue to apply operational risk frameworks and risk control disciplines that allow
business leaders to identify control gaps, improve processes, and focus on risk
remediation activities, irrespective of any specific regulatory mandate. I believe business
leaders have finally recognized the value of effectively managing operational risk
through more robust systems and a greater need for sound risk management culture.
It is clearer than ever that operational risk has moved from an interesting risk
management concept to an integral risk management practice. It is also important to
note there is a big difference between managing operational risk and providing risk
oversight. The duty of the CRO is to uphold risk policies, maintain integrated risk and
control frameworks, ensure sound governance and risk culture, and play a critical role in
the organization’s decision-making on business strategy. The CEO is the executive
responsible for an organization’s overall operations and performance. The CEO
establishes the company’s business strategy and priorities, along with setting the
corporate culture. This individual is held solely accountable for the organization’s
success, and its failures. Thus, accountability for the actual management of operational
risk ultimately lies with the CEO. Risk Officers define risk tools, deploy risk frameworks,
adopt risk policies, provide risk oversight, and form part of the foundational framework
that sets forth appropriate checks and balances that allow businesses to conduct
operations in a well-defined risk and control environment. However, risk is ultimately
owned by the business executives (first line management), and it is the responsibility
and accountability of first line staff to manage all risks, including operational risk, in
accordance with each business’ risk appetite.
Operational risk remains one of the most crucial risks that financial institutions must
effectively manage and quantify. For this reason, challenges remain around loss
attribution, effective risk assessment practices, and integrating operational risk reporting
systems. But for all the challenges that exist within operational risk management, there
are also opportunities. For example, areas like cyber and conduct risk can benefit from
unified frameworks already in use to manage operational risk. Many institutions have
adopted operational risk methods to help them manage cyber risk, behavioural risk,
regulatory risk and third-party risk. We should expect to see more convergence of risk
disciplines over the next few years. I also believe that operational risk management will
continue to dominate the risk agenda for the foreseeable future.