What does an optimal risk management operating model look like?

Managing operational risk and compliance: New paradigms for synergy

With the global financial crisis in the past, institutions can now reflect on what an optimal risk management operating model may look like, and on finding synergies in the existing capabilities of operational risk and compliance. Keys to success include a clear, well-articulated and communicated vision combined with an appropriate tone from the top.

Reflecting on an optimal framework

Many financial institutions, consistent with regulatory expectations, organize their risk management framework into a model with three lines of defense (LOD):

  1. The business line, which generates, owns, and controls the risk.
  2. The support functions, which provide oversight of the first line and include the risk disciplines of operational risk and compliance, among others.
  3. Internal audit, whose remit, derived from the board, is to audit the processes of the first and second lines of defense.

The global financial crisis generated years of significant spend on the remediation of issues identified by regulators (and, at times, by internal audit and risk management). In addressing these issues and executing their oversight responsibilities, operational risk and compliance may have created multiple functions and activities and, in certain cases, generated duplicative requests of the first line of defense.

With the global financial crisis behind us, institutions now have an opportunity to reflect on what an optimal risk management operating model may look like, and where synergies may be garnered from the existing capabilities of operational risk and compliance. For the purposes of this paper, we will discuss the first and second lines of defense. Further, we will explore the activities performed by each risk discipline and the capabilities where synergies may exist.

Operational risk and compliance functions have a shared mandate to provide oversight of the first line and to challenge the execution of its risk management practices. Depending on how the functions are organized, however, this can create inefficient processes. For example, operational risk and compliance may each request that the first line perform the same or similar activities (e.g., risk identification, risk assessment, controls testing, issue identification, and issue reporting). As a result, some institutions are exploring ways to optimize the execution of their risk management activities at both the first and second lines of defense.


Transforming risk management processes

Many institutions are reevaluating their risk management operating models across the lines of defense. They are now looking to transform their risk management processes to address specific challenges while recognizing the drivers for change.

Challenges to transforming risk management processes:


Drivers for change

Opportunities for synergies

In transforming risk management operating models, many institutions are beginning to identify potential synergies across their risk management efforts. These synergies can bring greater transparency and higher-value intelligence to management and the board, including clearer visibility of issues and risks and of their potential impacts.

Operational risk and compliance capabilities

Discrete capabilities of operational risk and compliance, as well as opportunities for potential synergies between these risk disciplines, include:

Operational risk

  • Operational risk appetite/metrics
  • Risk measurement (e.g., scenario analysis, stress testing, and calculation of economic capital)
  • Operational risk monitoring
  • Operational risk domain activities (e.g., third party, business resilience)
  • Effective challenge and oversight content

Potential synergies

  • Governance and interaction model
  • Framework and methodologies
  • Taxonomies
  • Challenge and oversight process
  • Evaluation of controls
  • Tools and technology
  • Reporting (e.g., data collection, analysis, and aggregation)
  • Issue management
  • Training program
  • New business initiative process

Compliance

  • Compliance risk appetite/metrics
  • Obligations library and regulatory change management
  • Regulatory interaction and coordination
  • Code of conduct
  • Compliance monitoring (e.g., complaints, whistleblowing, and allegations)
  • Compliance risk domain activities (e.g., anti-money laundering, privacy)
  • Effective challenge and oversight content

To realize these synergies, a common and consistent taxonomy is foundational for effective risk management. An agreed definition of terms is considered a leading practice, as it advances the consistent interpretation, measurement, execution, and reporting of issues and risks across the two risk disciplines. There are five critical data elements for which a common and consistently applied taxonomy is crucial: risks, controls, processes, policies, and obligations.

Synergies become most evident when performing a risk assessment, regardless of whether it is a self-assessment at the first LOD or a compliance assessment performed by the second LOD. The ability to map processes from obligations to policies, and then to risks and controls, can assist in the identification, reporting, and escalation of issues.

Key opportunities for synergies


Options for realizing synergies

Baseline maturity and sustainable processes in both the operational risk and compliance functions are needed before real efficiencies and synergies can be considered. A defined vision, shaped by the tone from the top, is a critical factor for a successful transformation. Also crucial are identified and effective agents of change with the requisite skill sets. As financial institutions explore different ways to realize synergies and touchpoints between operational risk and compliance, examples of organizational constructs include:

Coordination between operational risk and compliance

Streamline processes for risk management requests of the first LOD while having the two risk disciplines remain independent functions.

  • Potential advantages: Minimal disruption to people, process, and technology; reduced redundancies and costs; and preservation of the independence and authority of each risk discipline, which enables both to continue to meet regulatory requirements and expectations.
  • Potential disadvantages: May not achieve the long-term operating model objective of reducing the cost of risk management. There is also potential for confusion in the first line about the respective roles and responsibilities of operational risk and compliance unless these are communicated properly.

Centers of Excellence (CoE)

Some institutions are considering, or have already established, a shared service model across operational risk and compliance that uses CoEs for the same or similar risk management activities, such as controls testing, issue management, and reporting. The CoE may have a dual reporting line to both the operational risk and compliance senior officers, with a single interface to the first line. In addition, some institutions are opting for a managed services model in which they outsource selected risk management processes.

  • Potential advantages: Reduction in the overall effort and cost of activities; greater consistency in results and applied methodologies; and streamlined coordination with the first line and alignment to the enterprise risk strategy and vision.
  • Potential disadvantages: Regulatory constraints and possible dilution of subject matter expertise specific to each respective risk discipline.

Singular ownership for operational risk and compliance

Some institutions have considered merging the two risk disciplines under one organization to take advantage of the synergies between exposures.

  • Potential advantages: Strategic alignment of visions and objectives with limited or no conflicting requirements and processes, and reduced burden and touchpoints with the first line.
  • Potential disadvantages: Different approaches and perspectives to managing risk, which can cause inherent conflict between the two functions. For example, operational risk often anchors its risk management activities to a process, whereas compliance manages risk against an obligation. Further, compliance must manage regulatory requirements and expectations for legal obligations (e.g., laws and regulations), which do not fall under an operational risk mandate, and the requisite knowledge and understanding of such obligations is generally not resident in an operational risk function.

Revisit and transform

With the global financial crisis in the past, financial institutions can now revisit their organizational construct and the required capabilities across the first and second LOD. In doing so, they can optimize risk management processes and create efficiencies.

Transformation of the risk management operating model and culture may be warranted on the basis of the potential synergies. It is also important, however, to retain the integrity of each risk discipline, consistent with regulatory definitions. For this transformation to succeed, it is critical to establish a clear, well-articulated, and communicated vision combined with an appropriate tone from the top.
