The role of operational risk
Historically, many risks were managed as they emerged – often leading to the creation of individual risk silos within organisations. In time, firms found themselves facing disjointed risk systems, processes and languages.
To be successful in managing risks, institutions realised they would have to change. Systems, frameworks and processes needed to be aligned, and communication would have to be improved. By stepping up and taking on a larger role, operational risk started to provide the necessary guidance and oversight. We refer to this as the ‘umbrella model’.
There are several risk management activities that nearly all firms have either aligned, or plan to align, under operational risk. These can be considered “core” to the umbrella.
Many of these activities are operational risk specific, such as risk appetite, KRIs or RCSA. However, others are very broad, for example issues management, taxonomies, or emerging/material risk identification.
The scope of operational risk
Institutions now face a wide range of non-financial risks. Which of these falls into the management scope of operational risk varies across the industry. Areas such as third party, technology, fraud, and transaction processing are commonly managed under this function, whereas, information security, model risk, new product risk and reputational risk are often not.
Challenges
There is no ‘one size fits all’ model of the umbrella. Each firm must discover for themselves what aligns with their own objectives, budgets, and resources. Although many firms have made progress, no one has truly finished their journey to the umbrella risk function. A transformation of this magnitude can take years, needing input from various levels of the business. In order to accomplish this, buy-in must be gained from all impacted areas. This can be a challenge, and each firm must find their own way to do this. However, once the process begins to work, firms will have clarity, alignment and collaboration.
Conclusion
The shift by operational risk to take on an umbrella role is primarily driven by heads of operational risk themselves. Their aim is to streamline siloed risk functions and create a common language throughout the organisation. Doing this means that all three lines of defence can more effectively manage their risks.
This is a large project which could take years, but it's worth getting it right. Firms can already see how the benefits outweigh the challenges and efforts. The result will bring simplicity and efficiency to the process and will allow a holistic view on risk, further embedding risk management activities into the day-to-day processes across the organisation.
This resource is only available to ORX members
Want to access this resource?
If your firm is a member of ORX, log in or register to read this resource.
Not a member? Talk to us today to discuss how you could join the ORX community.
Luke Carrivick
Executive Director, ORX
