What does an optimal risk management operating model look like?

Managing operational risk and compliance: New paradigms for synergy

With the global financial crisis in the past, institutions can now reflect on what an optimal risk management operating model may look like—and on finding synergies in the existing capabilities of operational risk and compliance. Keys to success include communicating a clear, well-articulated vision combined with an appropriate tone from the top.

Reflecting on an optimal framework

Many financial institutions, consistent with regulatory expectations, organize their risk management framework into a model with three lines of defense (LOD):

  1. The business line, which generates, owns, and controls the risk.
  2. The support functions, which provide oversight of the first line and include the risk disciplines of operational risk and compliance, among others.
  3. Internal audit, whose remit is derived from the board to audit the processes of the first and second lines of defense.

The global financial crisis generated years of significant spend on remediating issues identified by regulators (and, at times, by internal audit and risk management). In addressing these issues and executing their oversight responsibilities, operational risk and compliance may have created multiple functions and activities and, in certain cases, generated duplicative requests to the first line of defense.

With the global financial crisis behind us, institutions now have an opportunity to reflect on what an optimal risk management operating model may look like, and where synergies may be drawn from the existing capabilities of operational risk and compliance. For the purposes of this paper, we will discuss the first and second lines of defense. Further, we will explore the activities performed by each risk discipline and the capabilities where synergies may exist.

Operational risk and compliance functions have a shared mandate to provide oversight to the first line and challenge the execution of their risk management practices. But depending on how the functions are organized, this may create some challenges that result in inefficient processes. For example, operational risk and compliance may request that the first line perform the same or similar activities (e.g., risk identification, risk assessment, controls testing, issue identification, and issues reporting). So today, some institutions are exploring ways to optimize the execution of their risk management activities at both the first and second lines of defense.


Transforming risk management processes

Many institutions are reevaluating their risk management operating models across lines of defense. Now they’re looking to transform their risk management processes to address specific challenges while recognizing drivers for change.

Challenges to transforming risk management processes:

[Figure: challenges to transforming risk management processes]

Drivers for change

  • The need for more effective and efficient communication and reporting to stakeholders of an integrated view of risk.
  • The need for second LOD risk and compliance functions to break down silos that often appear to overlap in roles and responsibilities.
  • Increasing pressure on the first and second LOD to find new ways to reduce costs, increase efficiencies, and still control risk.
  • High potential for automation and emerging technologies (such as artificial intelligence, the use of bots, etc.) to help improve risk management effectiveness.

Opportunities for synergies

In transforming risk management operating models, many institutions are beginning to identify potential synergies across their risk management efforts. These synergies can bring greater transparency and higher value intelligence to management and the board. Synergies can also provide greater transparency of issues and risks, as well as their potential impacts.

Operational risk and compliance capabilities

Discrete capabilities of operational risk and compliance, as well as opportunities for potential synergies between these risk disciplines, include:

Operational risk
  • Operational risk appetite/metrics
  • Risk measurement (e.g., scenario analysis, stress testing, and calculation of economic capital)
  • Operational risk monitoring
  • Operational risk domain activities (e.g., third party, business resilience)
  • Effective challenge and oversight content

Potential synergies
  • Governance and interaction model
  • Framework and methodologies
  • Taxonomies
  • Challenge and oversight process
  • Evaluation of controls
  • Tools and technology
  • Reporting (e.g., data collection, analysis, and aggregation)
  • Issue management
  • Training program
  • New business initiative process

Compliance
  • Compliance risk appetite/metrics
  • Obligations library and regulatory change management
  • Regulatory interaction and coordination
  • Code of conduct
  • Compliance monitoring (e.g., complaints, whistleblowing, and allegations)
  • Compliance risk domain activities (e.g., anti-money laundering, privacy)
  • Effective challenge and oversight content

To realize the opportunities of synergies, a common and consistent taxonomy is foundational for effective risk management. A definition of terms is considered a leading practice to advance the consistent interpretation, measurement, execution, and reporting of issues and risks within the two risk disciplines. There are five critical data elements where a common and consistently applied taxonomy is crucial: risks, controls, processes, policies, and obligations.

Synergies become most evident when performing a risk assessment, regardless of whether it is a self-assessment at the first LOD or a compliance assessment performed by the second LOD. The ability to map processes from obligations to policies, and then to risks and controls, can assist in the identification, reporting, and escalation of issues.

Key opportunities for synergies


Governance: There may be an opportunity to rationalize governance committees so that risks and issues pertaining to operational risk and compliance are addressed by the same committee. Such committee consolidation could lead to greater collaboration between the first and second LOD on policy interpretation and execution, issue management, reporting, and so forth.

Controls evaluation and testing: A common taxonomy enables effective evaluation and measurement of controls associated with key risks and obligations. Potentially, a shared services unit for conducting second line testing could be established to promote a single round of testing for both disciplines, including validation and oversight of first line testing results.

Issue management: Issues identified in isolation by operational risk and compliance may create inefficiencies in issue management and remediation, in particular when the same or similar issues are solved twice. A centralized system for identifying, analyzing, reporting, and tracking issues can promote the systematic identification and prioritization of issues.

Reporting: This process becomes more comprehensive when collaborative analysis by operational risk and compliance creates common risk and performance indicators and metrics to produce shared and insightful reports. Centralized reporting across operational risk and compliance can reduce overlaps.

Options for realizing synergies

Baseline maturity and sustainable processes for both operational risk and compliance functions are needed before real efficiencies and synergies can be considered. A defined vision—one shaped by the tone from the top—is a critical factor for a successful transformation. Also crucial to transformation are identified and effective agents of change with requisite skill sets. As financial institutions explore different ways to realize synergies and touchpoints between operational risk and compliance, some examples of organizational construct include:

Coordination between operational risk and compliance

Streamline processes for risk management requests of the first LOD while having the two risk disciplines remain independent functions.

  • Potential advantages: Minimal disruption to people, process, and technology while still reducing redundancies and costs; each risk discipline keeps its desired independence and authority, which enables it to continue to meet regulatory requirements and expectations.
  • Potential disadvantages: May not achieve the long-term operating model objective of reducing the cost of risk management. Also, unless communicated properly, the respective roles and responsibilities of operational risk and compliance may become confusing to the first line.

Centers of Excellence (CoE)

Some institutions are considering, or have already established, a shared service model across operational risk and compliance using CoEs for same or similar risk management activities. This includes controls testing, issue management, reporting, etc. The CoE may have a dual reporting line to both operational risk and compliance senior officers with a single interface to the first line. In addition, some institutions are opting for a managed services model where they outsource selected risk management processes.

  • Potential advantages: Reduction in overall effort and cost of activities, greater consistency in results and applied methodologies; and streamlined coordination with first line and alignment to the enterprise risk strategy and vision.
  • Potential disadvantages: Regulatory constraints and possible dilution of subject matter expertise specific to each respective risk discipline.

Singular ownership for operational risk and compliance

Some institutions have considered merging the two risk disciplines under one organization to take advantage of the synergies between exposures.

  • Potential advantages: Strategic alignment of visions and objectives with limited or no conflicting requirements and processes, and reduced burden and touchpoints with the first line.
  • Potential disadvantages: Different approaches and perspectives to managing risk, which can cause inherent conflict between the two functions. For example, operational risk often anchors risk management activities to a process, whereas compliance manages risk to an obligation. Further, compliance must manage regulatory requirements and expectations for legal obligations (e.g., laws and regulations), which do not fall under an operational risk mandate; the requisite knowledge and understanding of such obligations is generally not resident in an operational risk function.

Revisit and transform

With the global financial crisis in the past, financial institutions can now revisit their organizational construct and required capabilities across the first and second LOD. In doing so, these organizations can optimize risk management processes and create efficiencies.

The transformation of the risk management operating model and culture may be warranted based on potential synergies. But it is also important to retain the integrity of each respective risk discipline, consistent with regulatory definitions. For success in this transformation, it is critical to establish a clear, well-articulated, and communicated vision combined with an appropriate tone from the top.
