Carrie Cook at Risk Universe attends the third annual New Generation Operational Risk conference in London, hosted by the Center for Financial Professionals.
Put a couple of hundred operational risk professionals in one room for two days and you’re bound to get to the crux of the core issues currently faced by the profession. The Center for Financial Professionals’ New Generation Operational Risk conference did just that, and is one of those rare events which focusses on emerging challenges specifically in operational risk, without it being tagged on as an afterthought, as is so often the case. At last year’s event, the SMA versus AMA debate dominated the conversation. But this year, a much more interactive format, utilising an e-polling system and question forum via a dedicated app, cultivated a dialogue that took us back to the basics of what operational risk really is and where ownership lies within the business.
Better together?
An interesting discussion that reappeared throughout the two days was the differing views about how some firms are choosing to amalgamate compliance and operational risk departments, largely as a cost efficiency move. Many felt that the two functions, which are inevitably interconnected, could undoubtedly see some benefit from being merged. But it was also felt that both ultimately serve different roles, neither one of which should be overlooked in favour of the other.
Quantifying reputation
Peter Mitic’s (head of operational risk methodology at Santander UK) session was an interesting choice for an operational risk event: he sought to prove that a firm’s reputation can be quantified and therefore measured and managed. With a strong mathematical background (he has a PhD in Mathematics from the Open University and ruthlessly picked apart the Basel Committee’s proposed new SMA formula for capital calculation at last year’s event), I’ve no doubt Mitic could find a way to quantify anything if he put his mind to it. But his practical demonstration of how vendors of reputational index technology are analysing publicly available information, such as news articles, tweets, online reviews and comments on public discussion forums, to give a score for how a firm is doing reputationally-speaking, was certainly thought-provoking. Interestingly, despite what many might judge to be an apparent general ‘bad’ public feeling towards the banking sector, Mitic informed us that evidence shows the banking industry in fact gets a neutral score as a whole, contrary to common perception.
Reading between the lines
Three lines of defence, as ever, was a recurring theme in many discussions, with a key concern being uncertainty around who or what sits where under the model. Jenny Birdi, head of three lines of defence execution for operational risk at HSBC, laid out the basics firms should be doing to achieve success in this area, noting that although not a new concept, many firms are still struggling to truly embed the three lines, despite it being recognised by regulators and increasingly finding its way into guidance.
Unfortunately, the three lines doesn’t lend itself well to good communication, as each line tends to use its own language and have varying levels of understanding of risk, argued Birdi. It’s all very well telling the first line that they “own” the risk, but do they even understand what that means? Providing the right training and skills is therefore key to embedding the three lines – as is creating clarity around where each function lies. Varying answers were given when delegates were asked where key support functions such as IT and logistics should sit, demonstrating that even a room of operational risk practitioners can’t agree on how it should be implemented. Birdi offered the activity-based three lines model as a possible alternative, whereby the activity you carry out is what determines which line of defence you are categorised under, rather than where you sit within an organisation. Benefits of an activities-based model are that it enables independent challenge and review with greater clarity of first- and second-line activities for each risk type; it breaks down silos; it fosters proactive engagement and dialogue between the lines of defence; it promotes a healthy risk culture; and it drives individual accountability for managing risks, whilst encouraging quality and effective oversight.
Whichever model you go for, operational risk has to be the driving force behind its implementation, with you as the “ambassador for change” as Birdi puts it, providing continued reinforcement, referring to it in communications and building it into staff inductions and mandatory training. She also suggests finding a means to measure how well the three lines are being adopted across the organisation, producing metrics to demonstrate progress and building it into incentives schemes.
Technology
Gareth Evans and Jamie March from Thomson Reuters steered the discussion towards technology – and how in this fintech-obsessed era, financial institutions need to adopt technology strategies for enabling operational risk functions, rather than the other way around. This, say Evans and March, is achieved by creating a joined-up technology strategy across the business, providing a singular view for the board and equipping the business with clear risk information to inform decision making.
They argue that the barriers to achieving this holy grail of technology strategy are mainly to do with the way the individual functions you are hoping to tie up actually work. Most functions within a bank tend to work in fundamentally different ways, which, they argue, is what makes start-up banks so successful when it comes to building technology: they are building it from the ground up, with each of the banks’ functions ‘growing’ out of the same technology, rather than trying to adapt entrenched ways of working.
So, how do we get around this? For one, Evans and March advise choosing carefully which risk functions you decide to unite when seeking a joined-up plan – for example, IT and information security departments may like to “do their own thing”. Also, understand how the broader technology environment impacts your plan, being realistic about which areas of the business will want to move onto a single platform and those that won’t. To demonstrate the number of platforms currently being utilised in many institutions, they gave the example of a tier 1 bank they are currently working with, which uses 30 technologies just across operational risk and compliance. It is hoping to bring this number down to six.
Experience is everything
Other topics covered included practical sessions on building better, broader and more informed risk frameworks; driving operational risk as an added-value function; assessing operational loss data and its implications for capital modelling; the Senior Managers Regime and, of course, cyber. The range of topics covered and variety of discussion created was testament to just how varied and complex operational risk has become. Interestingly, when polled, 63% of those attending the event said they didn’t hold an operational risk-specific qualification and 57% said they valued practical experience over qualifications in carrying out their role. Whether this is because they have yet to find a qualification to meet their needs or because they feel ‘doing’ is the best way to learn, there’s no doubt that this was a valuable two days for both the newly initiated and seasoned risk manager alike.