In this video, Membership Director, Roland Kennett talks to Research & Information Director, Steve Bishop and Executive Director, Luke Carrivick about the themes that emerged from the recent Regional Forums ORX has hosted in South Africa, in Singapore and in Australia. They also discuss the meetings they had with members and regulators in those regions.
Transcript
Roland: Steve, we spoke to APRA and SARB. What were the main takeaways from those discussions?
Steve: Well, APRA, with the introduction of the SMA, are moving away from risk measurement and focusing on integrated risk management as that's really crucial to them. I think the other notable thing from my perspective is in the new regulation in Australia – the CP230, where they're bringing together resilience and operational risk.
And APRA are pushing the mantra that resilience is an outcome of good operational risk management practice. They're not looking for resilience to be a separate silo. They really want an integrated approach and that's a really important point to note.
Roland: And Luke?
Luke: Not necessarily a specific comment about SARB, but something we saw there and elsewhere is I get the sense that the regulators want to get a little bit closer to the banks that they're regulating. There's a lot of good stuff going on, lots of innovation. They think they need to learn more about that but also potentially benefit from it as well. So, they want closer alignment, and I think ORX is a forum or a method for them getting a little bit closer.
Roland: So, you mentioned a focus on risk management, and I think that was true as we spoke to all our members across those regions. We heard that being forward-looking and trying to be predictive of the risks and helping the business get ahead of risks hitting is very difficult. No one's cracked that yet.
So, what are the main areas that people are focusing on?
Steve: A couple of things I'll pick up on in that forward-looking aspect. We're seeing organisations trying to repurpose or change the focus on some of those traditional operational risk tools. I think definitely to note is the focus on scenarios – using scenarios more for risk management, looking to game out certain situations, understand what the implications on organisations might be. Particularly a focus on emerging risk and using that information effectively within their organisations. And linking to that particularly a big focus on geopolitics and macroeconomic change. In Asia and Australia particularly, we heard about the thoughts around the outcomes they may see from China and global relations.
Roland: Luke, from your perspective?
Luke: These Regional Forums are the first that we've had for several years, and I think the big difference that we saw is the discussion around resilience. Pre-pandemic something that was primarily a UK thing. Now it's global, and it's top of most people's agendas. They're all having the same challenges: defining critical processes, getting the granularity right, and seeing how those interact with their 3rd parties (which is particularly challenging). On the critical processes, we are hoping to do some work – maybe later this year or next year – which may support that, so that should help people.
Other things – linking back to what I was saying earlier, there's a lot of change going on, lots of innovation. There are several reasons why risk would be interested in that: understanding the change, understanding how that will change people's risk profile where they can get involved. But also benefiting from it as well. A lot of this is around digital transformation. So, there are a lot of good things Risk can do to put itself in a good position by taking advantage of that.
And then I think the third thing I heard which again is a theme that we may have heard pre-pandemic was culture. But the big new thing for me is that people are actively thinking about how to measure that at the moment. So that links to data and technology to a certain extent, but it's something new for this year.
Roland: And I know they also talked about our old friend risk appetite.
Steve: Yes, the gift that keeps giving! We're going to take another look at this, which seems quite timely given the discussions that we had. People are trying to think about how they make risk appetite more meaningful – how they can actually begin to take it from the traditional regulatory exercise into something that's more of a strategic decision-making tool. And that's going to be the real focus of our Risk Management Working Group project this year.
I guess another area that we heard was controls. Lots of people are using the ORX Reference Control Library that we published last year and thinking about how they can enhance or develop their own control libraries. There’s lots of focus on key controls, thinking about how they can make progress with automating controls.
I think related to that, but more broadly, we heard lots of discussion about optimising their framework, lots of focus on standardising, simplifying, being more efficient, reducing the burden on the First Line of Defence. I think that's a theme that we've heard across lots of discussions over the last 12 months.
And then I think the other thing I'd mention – particularly in Australia where there's more of a focus in CP230 on control testing – people trying to think smartly about how they think about combined assurance models. Audit don't always play ball but they're trying to make efforts in that area.
Roland: And what about specific risks? Cyber and Climate were mentioned quite frequently, but what did we hear about those?
Steve: On the cyber front, we did the word clouds in each of the events and it came out on top as it is clearly a significant focus. There’s still lots of board attention, lots of management attention and rightly so.
But people are trying to move to a risk management focus, trying to think about their risk exposure, and using that to understand it and link it to their control environment, then trying to make smart investment decisions.
We're not hearing mass reports of significant events across the financial services industry at the moment, but I think that threat linked to resilience is something that will continue to keep the attention.
Roland: And Luke, from a climate perspective, what were you hearing?
Luke: Again, it's a top concern. It appears in an awful lot of things. I think part of the challenge with climate is it's very thematic, it's very broad. So not all of the things you need to think about with climate actually touch the operational risk team. So, they're trying to work out primarily how it fits in. Again, trying to avoid a silo creation. So, how it fits in with the existing framework is one thing.
But we are seeing it increasingly included in things like stress tests. So, it's going to start getting real quite soon and something people have to really get on top of.
Roland: Data was mentioned an awful lot in all the sessions. What were you hearing particularly Luke?
Luke: In virtually everything that we've just talked about, there is some kind of data element sitting underneath that. So, all of the stuff around automation, digital banking, control monitoring, climate, there's a data element. I think people are moving to a world where they've recognised that there is a lot of useful data outside of their GRC, so outside of the classical risk data you'd collect that would be very useful to support risk management. So, they're thinking about that a lot and how to combine that. But also, there is a risk management lens on data around the fact that the more you rely on it, the more you need to make sure that it's good quality. You need to understand where it's come from. So, data governance is a hot topic as well as the use of data. Maybe different people in the operational risk team are going to be looking at each point, but they're both very much data related.
Roland: And from an ORX perspective, we're always very focused on losses. How are you hearing people look at losses going forward?
Luke: We've seen in the last couple of weeks the real importance of things like reputational impacts, which aren't necessarily captured in the traditional events loss database. So, we're looking to see how we can support that. I think the loss data is still going to be very useful, but primarily in combination with contextual information about risk management, about controls. So, I think that's the direction that we will be taking our loss data in when we look to re-platform away from Insight, which is a big agenda item for the next couple of years.
Roland: I know Steve, you've got a programme of work looking at losses and what our members want to do with losses going on later this year?
Steve: Yes, absolutely. And this links to the opportunity we have to take our data services from Insight and move them to the iDP platform. We're going to look at exactly what data we are exchanging with that risk management focus in mind.
Roland: Thank you very much, gentlemen. That was a very good summary of basically three weeks of very detailed discussions with lots of different firms.
There's one topic that came up frequently and that was training. There seems to be a lack of decent training on offer with certification. That was a continual thing that was mentioned. It’s not something that ORX is able to help with at the moment, but I'm sure there's a market opportunity for someone.
And the last thing I'd like to say is that this was the first time we've done these trips for a number of years. From our perspective – and we hope from the people we interacted with, from their perspective as well – it was fantastic to be back face to face. The discussions were considerably better than they are virtually. So, we're already looking forward to next year and we hope this gave you a flavour of some of the topics that were discussed. Thank you.