Article by Simon Cartlidge, Head of Operational Risk Governance, Legal & General and Laura David, Head of Operational Risk Controlling, Raiffeisen Bank SA Romania.
Ahead of the 4th Annual New Generation Operational Risk: Europe Summit, Simon and Laura have shared their insight into the future of risk management and embedding operational risk management as part of decision making process.
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
Simon: A near quarter century career in financial services risk management, with a current focus on embedding a value-adding and proportionate operational risk framework within a large insurance group. The nature of operational risk means there’s never a dull moment, and there’s always something new to do and learn. In my spare time, I continue to be dazzled and befuddled and by the three ladies in my life, and find solace and thinking time in running and triathlon events.
Laura: My background in operational risk started 10 years ago when I decided to take an important step in my professional path and do risk management. During these 10 years I succeed to gain valuable experience in dealing with operational risk from implementing the base of operational risk in Raiffeisen Bank Romania, obtain local regulatory approval for using STA and then moving to AMA. In this period my first objective was to be a partner for my colleagues from business and process management and together add value to the organization. This would not be possible without being involved and understand in depth the bank activity from project to product and then process management. Now the new focus is on IT risk management and digitalization as new challengers for the operational risk environment.
At the Summit you will be participating on a panel assessing the future of risk management and embedding operational risk as part of decision making activities. Without giving too much away, can you explain some of the challenges of embedding operational risk management into an institutions’ decision making process?
Simon: In my opinion, many of the challenges relate to the sheer breadth of operational risk, and its constantly shifting profile (a current example being the transition to a more digital world). Understanding how this impacts your organisation is vital if you are to respond appropriately. For insurers operating under Solvency II, the Use Test is now an established ‘new’ requirement, which has influenced a more defined relationship between, say, operational risk capital and decision making.
Laura: Being part of one organization for so long offered me the possibility to assist to major changes that happens in the life of an institution – people changing, new processes, changes of organizational structure, business model and so on. Having operational risk management part of the decision making process means having a functional risk culture implemented and this is a long process with many challenges. My experience showed that many of them are related to resources and priorities. We can achieve proper resources and a high priority only if the managers understand the added value of this process and in addition sees that they have some benefits. One benefit could be an aligned approach regarding risk management activities and tools which increase the efficiency as a result of alignment of stakeholders from the second line of defense like compliance, security, internal control.
In your opinion what can FI’s do to ensure operational risk is being effectively led and managed by the first line?
Simon: A clear operating model and effective communication on the back of this really does help. The operating model should show the differing responsibilities for operational risk management (particularly across the 1st and 2nd lines of defence), and needs to emphasis the 1st line’s risk-taking role, and the 2nd line’s oversight role.
Laura: My opinion is that having a strong operational risk management process where first line of defense is proactive and efficient in addressing operational risk is a question of maturity of the organization and risk culture. Still the people need to understand the value of their work in achieving their objective and also organization objective. Communication and training represent key factors to build commitment and capabilities ensuring managers have all information needed to do a good job.
Has risk management become too much of a compliance based activity and, if so, how can institutions balance this whilst still obtaining value for the business?
Simon: I don’t think so. If anything, I think we’ve progressed to a more mature space, where risk management is less binary than it perhaps was a decade ago. The development of meaningful risk appetites, combined with strong risk awareness, has meant that well-informed risk-taking is acceptable, and can also influence proportionate systems of internal control.
Laura: Compliance vs risk management is a direction decided by the BoM considering the priorities and effort they are willing to allocate. Facilitating this decision is the role of the operational risk controlling function by showing that operational risk management could bring value to the organization and is not just documentation, specific tools and reporting. The added value is created only when operational risk functions acts more like a consultant and less like a controlling and you cannot be a good consultant if you limit only to compliance.
In the future can risk assessments be conducted for each decision rather than a broad RCSA annual?
Simon: In my opinion, risk assessments should be conducted for all significant decisions, and RCSA should be an ongoing management responsibility (not just an annual exercise). Process owners should regularly be asking themselves whether they understand the material risks that their processes are exposed to, and whether their key controls mitigate those risks to an ‘in-appetite’ position.
Laura: Annual RCSA and ad-hoc assessment could coexist together and considered to be essential for a proper risk management process. The annual RCSA provide MoB the overview of the risk profile highlighting the risk areas that need more focus for the future and could drive specific actions like new/review process, project initiative and so on. Still a more detailed risk assessment is needed for each decision of doing new product or process or a project. The level of complexity of the ad-hoc assessment is higher and also the resources allocated.
My opinion is that both are needed still the effort should be balances in line with the scope if each exercise.
What, in your opinion, what does the future hold for operational risk professionals?
Simon: Operational risk professionals can be excited to work in a constantly changing field, where there is huge scope to learn and stretch themselves intellectually. A focus on demonstrating the value-add of 2nd line activities, and engaging effectively with 1st line colleagues to help them manage risk better, should provide plenty of rewarding challenges.
Laura: The future will be very challenging as the direction where we go as financial industry is very different from what we were used until now. Topics like digitalization, blockchain, open bank, big data are more and more present in our environment. In order to succeed we need to make alliance with other second line stakeholders and work together. They have the specific knowledge and we, operational risk, have the experience of the governance and communication with the business managers. So the times are very interesting and we should be aware of the privilege to be part of these changes from the beginning.
