What does an optimal risk management operating model look like?

Managing operational risk and compliance: New paradigms for synergy

With the global financial crisis in the past, institutions can now reflect on what an optimal risk management operating model may look like—and on finding synergies in the existing capabilities of operational risk and compliance. Keys to success include communicating a clear, well-articulated vision combined with an appropriate tone from the top.

Reflecting on an optimal framework

Many financial institutions, consistent with regulatory expectations, organize their risk management framework into a model with three lines of defense (LOD):

  1. The business line, which generates, owns, and controls the risk.
  2. The support functions, which provide oversight to the first line and include the risk disciplines of operational risk and compliance, among others.
  3. The internal audit, whose remit is derived from the board to process-audit the first and second lines of defense.

The global financial crisis generated years of significant spend on the remediation of identified regulatory (and, at times, internal audit and risk management) issues. In addressing these issues and executing their oversight responsibilities, operational risk and compliance may have created multiple functions and activities, and in certain cases, generated duplicative requests for the first line of defense.

With the global financial crisis behind us, institutions now have an opportunity to reflect on what an optimal risk management operating model may look like—and where synergies may be garnered from the existing capabilities of operational risk and compliance. For the purposes of this paper, we will discuss the first and second lines of defense. Further, we will explore the activities performed by each risk discipline and the capabilities where synergies may exist.

Operational risk and compliance functions have a shared mandate to provide oversight to the first line and challenge the execution of their risk management practices. But depending on how the functions are organized, this may create some challenges that result in inefficient processes. For example, operational risk and compliance may request that the first line perform the same or similar activities (e.g., risk identification, risk assessment, controls testing, issue identification, and issues reporting). So today, some institutions are exploring ways to optimize the execution of their risk management activities at both the first and second lines of defense.
