“A clear strategic direction of your company should help formulate clear business objectives, understood by all stakeholders, including employees,” said Brenda Boultwood, SVP, Industry Solutions at MetricStream. Operational risk, alongside credit and market risk, may then be seen as anything that impedes “achieving those business objectives”; it includes IT risk, HR risk, and reputation risk.
MetricStream is a provider of Governance, Risk, Compliance (GRC) management software and consulting. Boultwood was the first of two presenters at a GARP-sponsored webinar on April 8, 2014 that attracted about 2,000 registrants.
Operational risk has evolved from conceptual to strategic, and is now preoccupied with data management and possible paths of integration, Boultwood said. This is a transformation from the “silo” approach to risk that often existed before the 2008 financial crisis. “It’s important for a company to have a common language when speaking of operational risk” to help break down the silos.
A best-practice operational risk management framework begins with a risk and control self-assessment (RCSA) that uses a scoring technique to establish what is most important. Policies, risks, compliance, controls and issue management are all studied during the assessment phase. Boultwood emphasized that risk assessment should be linked to controls and control testing. “Some controls cannot be linked to a risk (or policy or regulatory requirement)—these are orphan controls,” said Boultwood, and a firm should decide whether to continue them.
“How does a loss event impact performance?” she asked. Losses and incidents should be linked to controls to understand the handoffs between business units and support functions. “This links to risk appetite and external loss events,” she noted.
Advanced analytics are a component of the fourth part of the framework: scenario analysis. “You can use visualization to determine the key points of intersection,” she said. Analytics and visualization can help to improve decision-making when data relationships are understood. For example, if we can link loss events to control failures, we can better understand the costs and benefits of business investments in stronger controls.
“Link risk assessment to controls and control testing,” Boultwood advised: every item in the risk library has an associated control in the control library, and every control comes with tests to check how sound it is. This exercise may reveal that there is “a lot of duplication across banks in some processes, for example, in evaluating supplier risk. In the future, there could be opportunities to form common approaches,” she said.
Loss event data, RCSA, KRIs, and scenarios should also be associated, she recommended, and organizational efforts should be joined up, for example audit with corporate policy. “Can we create the cultural transformation to create the collaborative environment?”
Data can (and should) be brought in from multiple sources. “We must understand how third parties conform to the company’s data security standards, and unite multiple perspectives, including IT, in risk assessment,” she said.
Centralized visibility will help the firm as a whole, for example, “visualized geographic information or on a common dashboard.”
The MetricStream GRC platform will capture internal and external data inputs and model the operational risk using, for example, causal, predictive and capital analytics. Reporting of capital is done “so that management will appreciate the level of capital required to run business processes within their stated risk appetite.”
She emphasized that the barriers to integration are all manageable: data quality, taxonomy (how different departments refer to operational risks), culture, and a fear that the undertaking is too complex. “These barriers are human and they can be overcome.”
Brenda Boultwood is an ongoing contributor to GARP. Here are links to some articles related to her presentation: