This article was written by Neeti Bhardwaj, Aykut Duman, and Mudit Dawar. The original article was published by Kearny. You can find the article here.
There was a period of several weeks, in March 2023, when the world’s financial system teetered on the brink of collapse. Silicon Valley Bank imploded, and then First Republic Bank, Signature Bank, and Credit Suisse followed. Only the intervention of the Federal Deposit Insurance Corporation and US Treasury prevented the problems from spreading.
Now, more than a year later, we can see the common threads in this near-catastrophe: a lack of governance, undefined risk appetites, and ineffective control measures among the banks involved.
Operational risk is still a puzzle for financial institutions. They have certainly poured money into risk mitigation and compliance, but in some cases, these investments haven’t been part of a cohesive plan, leading to poor risk mitigation and controls.
By being more strategic in defining their risk frameworks and more forward-thinking in their use of technology, financial institutions can mitigate many of the biggest threats they face. Of course, it isn’t only banks, asset managers, and insurance companies that need to do a better job of managing their operational risks; companies in other sectors—from pharmaceuticals to transportation—have exposures of their own and are doubling down on their risk management. But risk management is especially high-profile for banks because of the connectedness of the global financial system and the speed at which things can unravel.
Here’s where we think banks and other financial institutions may want to focus their efforts, based on the growing number of risk projects we’ve been handling.
One of the things that makes operational risk management so complicated is the gap between regulations in different jurisdictions. In Europe, oversight authorities such as the European Banking Authority, the UK-based Financial Conduct Authority, and the Prudential Regulation Authority (also in the UK) have made for some of the strictest financial-institution regulations in the world. The US regulations for financial services companies (primarily from the Securities and Exchange Commission and the Office of the Comptroller of the Currency) are lighter, leaving multinational banks debating what to do.
A bank with operations in both the United States and Europe (or in any two regions with sharply different regulations) might be tempted to implement a one-size-fits-all strategy—resulting in excessive paperwork that, in its more lightly regulated regions, no one would look at. But such a company could go equally wrong by having distributed operational risk teams, whether by region or business unit, and not enough central guidance. There’s a fine line between going too deep and not going deep enough.
Part of the challenge is the non-prescriptive nature of operational risk regulations. Unlike investment risk regulations (the topic of the second article in this series), operational risk regulations tend to be very broad and require interpretation. There has to be some kind of central guidance—a set of processes that organizations follow for different risk types or exposures—if operational soundness is to be achieved.
It falls to the chief risk officer (CRO) to provide this guidance. They’re the one in charge of putting in place well-defined processes and risk frameworks so that their organizations can react quickly and effectively to large-scale threat events.
CROs have several tools at their disposal to create uniform risk-management processes across businesses and jurisdictions. One is to normalize the differences in risk appetite between different parts of their companies. This requires a bottom-up analysis of risks at the business unit level and at the regional level to see how those risks tie into the target risk at the enterprise level. Organizational alignment of the appetite for risk leads to a better understanding of risk expectations and can help avoid a needlessly strict application of risk standards.
Rethinking risk processes can also be a step toward a robust global risk framework. One potential process change is to harmonize the templates for risk and control self-assessments (RCSAs) across all regions, eliminating confusion due to differences in how regions handle their RCSAs. An update to risk-event escalation processes can also contribute to the goal of harmonization by streamlining and clarifying response protocols. This is especially true in cases where escalation processes were set up at a distant point in the past and the organization’s circumstances have changed.
It can be a bad sign when a bank department brings in an outside task force to address new regulatory requirements or handle compliance paperwork. It’s especially concerning when these task forces have no end date and effectively turn into the department’s 1.5 line of defense.
The problem with these arrangements is the signal they send to those in the business—the first line of defense—that the first line’s “ownership” of operational risk is now partial. With the 1.5 line handling many of the necessary sign-offs, some duplication of effort and dilution of accountability become inevitable. This can create silos within an organization and lead to a fragmented risk approach that undermines individual responsibility and awareness. First-line-of-defense workers may find themselves spending more of their time on ad-hoc tasks, including special projects assigned by the executive team. Their work may drift farther and farther from their primary responsibility of identifying and managing inherent business risks.
It generally makes more sense for all model and data governance, all four-eye checks, and all of the first-level sign-offs on risk assessments to shift back to the business. These responsibilities should be clearly identified as belonging to the business itself—to the first line (see figure 1). The department of the CRO—the second line of defense—could then be structured as a central, flexible resource that could pivot between different business units depending on the business unit’s needs. The CRO’s team could focus on operational soundness, risk event recording and escalation, control testing, the monitoring of key risk indicators (KRIs), and RCSAs.
With a more centralized structure, and with an elimination of the 1.5 line of defense, some companies we’ve worked with have been able to reduce their risk-management activities by more than 40 percent.
Information security and cybersecurity are good examples of areas where these organizational adjustments can lead to efficiencies. If there are common risk categories and taxonomies for information security and cybersecurity risks, organizations can minimize redundancy in reviews and share monitoring tools. Either the first or second line of defense can use the tools to ensure compliance with the latest information security requirements. And in many cases, the 1.5 line of defense can be eliminated.
For financial institutions, a big part of compliance involves sharing information and data with regulatory authorities. The information in these documents is often mundane, and there’s no reason why the work can’t be automated—at least in part. In addition to adding efficiency to this compliance activity, automating parts of it would mitigate the risks associated with manual processes.
Automation can also add to a firm’s efficiency in doing KRI reviews and quality checks and handling risk event action items.
AI could have an even deeper impact on organizations’ resilience in the face of dynamic and unpredictable risks. By layering predictive analytics into their governance, risk, and compliance software platforms, companies can get an enterprise-level view of the risks that are coming their way in different categories. They can also use AI (natural language processing, in particular) to eliminate some of the noise in their data and become more confident about the insights they’re getting.
AI’s ability to quickly recognize patterns in vast troves of data might shed light on the risks that are real and on the controls that would best mitigate them (see figure 2).
It’s early days for this use of AI in operational risk management. Eventually though, such technology will make banks more effective at identifying, assessing, and responding to operational risks.
No bank—no matter how well-run—can eliminate all operational risk. Nor should risk-elimination really be the goal. Instead, the goal should be to have systems in place to spot and respond to both internal problems and systemic threats.
This is no time for complacency. Rethought processes, leaner organizational designs, and up-to-date tools should be in every bank’s playbook.
© 2024 Calleo Solutions (Pty) Ltd. All Rights Reserved.