Gus, can you tell the Center for Financial Professionals’ readers about yourself and your professional experience?
“I am operational risk practitioner with over 15 year’s industry experience. I joined the Enterprise Risk Management organization at AIG in 2013, and I am currently Director and Global Head of Internal Loss Data and Issue Management within the Operational Risk Management function. Prior to joining AIG, I held various senior roles in operational risk at UBS Investment Bank, Dresdner Kleinwort (Commerzbank) and Morgan Stanley, focusing on various risk processes like Internal Loss Data, Root Cause Analysis, Key Risk Indicators (KRI), Scenario Analysis, Risk Control Self-Assessments (RCSA), Special Investigations, Governance, Reporting and Analytics. I am an active operational risk industry practitioner and most recently contributed with the CRO Forum Operational Risk Working Group on the development of an industry white paper focusing on minimum standards for operational risk loss reporting for insurance companies.”
Why do you believe establishing an effective governance structure and sound operational risk framework is a key talking point when looking at operational risk as a whole?
“I believe that without a sound governance and a robust operational risk framework there is no benefit in having an operational risk unit. An effective operational risk unit helps bring together informative risk discussions amongst the business lines and support functions to help expedite risk remediation strategies and promote lessons learned. Operational risk units provide independent process reviews like end-to-end business reviews and challenge the business risk and control activities reassuring optimal risk management. Operational risk units drive enterprise change and enable consistent procedures employing common taxonomies and tools for businesses to self-identify, assess, measure, escalate and monitor operational risks. Accountability models are also part of the governance and framework for risk management to be effective. It is important for operational risk units to clearly define the business roles and their responsibilities to ensure appropriate identification, assessment and treatment of risks across all operating units. This is typically achieved through lines of defense models ensuring effective governance process for managing risks across the enterprise.“
How do you describe Operational Risk today, and why is it so important to financial institutions?
“Operational risk management is more than just a numbers game, it is a behavioural management discipline. Operational risk has transformed from a simple loss data collection exercise used for operational risk capital to a more wide-ranging function that looks at the quantitative and qualitative aspects of risk identification, assessment and measurement.
Internal loss data collection has evolved to become more comprehensive focusing on risk events, that is not just internal or external loss data, but includes risk events with direct economic losses, timing impacts or better known as accounting losses, non-financial risk events with defined impacts affecting customers, business operations, reputation, and also errors that may result in positive consequences like gains and near miss events. All of which help inform the risk profile of the organization from a qualitative and quantitative perspective. Risk and Control Assessments are becoming more targeted and integrated with other assurance functions focusing on key business processes and outsourced activities. KRIs which have struggled in providing value in the past are now making a comeback serving an important element of the framework, in particular with enhanced risk monitoring. Scenario analysis have advanced and continue to be in high demand in particular with forward looking capital planning processes like the Federal Reserve Bank requirements on CCAR (Comprehensive Capital Analysis & Review). In today’s financial environment, operational risk has moved to the top of the CRO agenda and it’s developed from being considered just “operations risk” or the risks of processing transactions to a more inclusive risk discipline.”
What continues to be the key challenges for Operational Risk Management?
“I believe the challenges for operational risk management continue to focus around three key areas, that is 1) demonstrating value-add to the business; 2) ensuring compliance with regulatory expectations and requirements; and 3) data management and ability to consume large volumes of data for effective and timely management reporting. Operational risk managers are faced with enhanced regulatory expectations, defining and clearly documenting roles and responsibilities like the 3 Lines of Defense models and creating a common language that risk assurance and businesses can speak to.”
What would you say are the 5 top Operational Risks you see for 2016?
“It’s hard to focus on 5 top operational risks in particular when operational risk is so complex, pervasive and its manifestations of risks can become systemic. I’d like to think that technology risk continues to be the highest risk for large financial organizations, this is coupled with increased risks around cyber and security controls. Regulatory continues to be at the top of the list in terms of fines and highest priority to risk manage for financial institutions. Conduct risk is another risk that is increasing, in particular with new regulatory expectations as is the case with the FCA (Financial Conduct Authority) in the UK. We cannot forget that the number one cause of operational risk continues to be people, it is human errors that continue to account for the highest number and dollars for operational risks and this is the one area that we, as operational risk managers, need to continue to focus on, ensuring strong risk culture is embedded into our daily routines to be able to not eliminate errors but potentially mitigate the impact of those errors.“
