Five key topics discussed at HORF 2018
- 22 June 2018
This year's Heads of Operational Risk Forum (HORF) took place on 15-16 May in New York. It brought together 61 senior operational risk professionals from 50 banks and insurers for two days of discussion.
Last year, the overarching takeaway was that operational risk was at a turning point. Since then, banking regulatory capital reforms have been finalised and focus areas have noticeably shifted towards risk management.
In a small number of cases, we heard that regulators are beginning to take a more targeted, bilateral approach to supervision, which could suggest future fragmentation of regulatory standards.
This year, we observed that the industry has made significant progress in many of the emergent trends seen in 2017, but some challenges remain.
Adoption of an umbrella function is growing and raising the profile of operational risk
In 2017, operational risk was in danger of fragmenting as specific risk silos developed specialist frameworks, often in response to contemporary areas of regulatory focus. At this point, the industry had begun to articulate the need for operational risk to ‘step up’ and become an ‘umbrella’ function.
This trend has gathered pace. A show of hands at this year’s event indicated four-fifths of representatives have begun to develop an ‘umbrella’ function. However, what this means in practice varies, ranging from a single reporting layer to provide coherent management information flow, through to a fully-integrated non-financial risk function applying a single risk framework across each specialism.
Two of the potential benefits of an umbrella function reported were:
- Consistency – without a common, overarching method for interpreting risk, a holistic understanding of the risk environment is difficult. This in turn makes prioritising risk management and mitigation resource significantly harder.
- Enhanced efficiency – an umbrella function can reduce the duplication of effort across multiple risk frameworks, leading to efficiency gains and a lower resource strain on the business.
One of the challenges associated with promoting a consistent approach is avoiding over-simplification. For an umbrella function to enable practical, active risk management, it needs to balance the nuanced needs of specific risks by harnessing specialist knowledge and recognising the need for specific tools, without allowing silo creation.
Material operational risk concerns remain top of board and regulatory agendas
The two primary areas of concern from 2017 – conduct and cyber risk – continued to feature heavily throughout discussions.
On conduct, regulatory interest in assessing culture and governance is continuing to grow across the globe. However, robustly demonstrating good culture and conduct risk management remains challenging.
The broad scope and diverse interpretations of conduct risk made for a lively discussion. A proposed first step toward managing conduct risk more effectively is to demarcate broad sub-classes of risk and “stop trying to boil the conduct risk ocean”.
A wide range of techniques are being employed across the industry for identification and mitigation of conduct risks, ranging from a “follow the money” approach (identifying products that carry outsized profit margins) to applying AI to human resources data to detect suspicious behavioural patterns.
On cyber risk, participants discussed how the number of attack vectors is expanding as banking services are increasingly delivered digitally. Interestingly, one of the most significant risks from the last few years – denial of service – was now thought to be broadly under control. However, the range of new threats means that existing cyber security approaches are not sufficient for today’s and tomorrow’s challenges.
Embedding cyber risk awareness across existing organisational structures is a common challenge and members were unanimous that ORX can help to support industry dialogue around this key concern. Proposals include:
- Developing a risk management community dedicated to cyber issues
- The development of an industry-wide taxonomy and standards which would allow meaningful dialogue and data exchange
- Framework and practice benchmarking
- Encouraging dialogue between operational risk and cyber subject matter experts
- Collaboration with cyber experts in academia
Operational risk needs to be a strategic partner to support the change agenda
Last year, participants identified that substantial organisational changes were creating new operational risk exposures. A common theme from discussions this year was how second line operational risk can become a truly valuable input in supporting the change agenda. This can be done primarily through both business planning and strategy setting, and need not be a roadblock to change.
Attendees recognised that not only does operational risk need to get a "seat at the table" early in the planning process, but it needs to also offer valuable insights once there. But helping to shape the agenda and understanding the opportunities, as well as the risks, may require a very different set of competencies to those of the traditional risk manager.
It was encouraging to hear several specific items of practice outlined, including:
- The need for a clearer distinction between execution risk and future state risk
- Moving to a triaged approach
- Aligning risk management with agile project management
- Creating test and learn environments, with the ability to “fail fast”
- Appointing a “risk champion” to be a single point of assessment
- Creating guard rails/limits to allow staged progress
Becoming more proactive in the management of operational risk
Perhaps partly due to Basel II, there developed a perception that operational risk was obscure and focused solely on capital requirements, often wedded to processes that dragged on the business.
This contrasts with both credit and market risk where there is a more intuitive understanding, given risk taking is fundamental to the business. In response to this, and under pressure from some regulators, it was widely agreed that operational risk needs to become more proactive.
To drive more active risk management in the first line, it was suggested that we need to encourage a culture of first line risk ownership, responsibility, transparency and proactivity. Correspondingly, the second line needs to support this by providing the right metrics, data, analytics and lessons learned to help the first line make actionable management decisions, while still offering independent challenge.
There was still confidence that existing elements within the operational risk framework provide a solid foundation. But to drive active management, it needs risk personnel in the first line who are respected by the business, and equally credible business experts sitting within the second line. To achieve this, some suggested staff recognition, staff rotation and movement. In many cases this required an alignment of similar first and second line roles to make secondment attractive.
Two specific approaches in progressing this initiative were mentioned. One firm had created career paths in Group Operational Risk for first line specialists to bring this expertise into the second line. Conversely, the other approach was to move operational risk managers into the business to encourage a risk mindset and strengthen the dialogue with the second line.
In addition, members suggested the adoption of a common risk-based taxonomy that resonates with both lines of defence. Combined with a narrower focus on material risks and key controls this will help drive more active management of operational risk.
Ensuring that risk appetite carried consequence appeared to be an area of increasing convergence, with over half of attendees pursuing it. Being efficient, and doing more with less as supervisory and senior management demands increase in a changing environment, was also a common theme.
Leveraging data sources and techniques to support material risk assessment
Identifying and effectively monitoring the most significant material risks remains a top priority for senior management. Leveraging new sources of data and bringing advanced analytics techniques to bear on existing sources of data appears to be becoming more common practice.
Some participants are also looking to reuse information created elsewhere in the business to support material risk identification, such as consolidating business and project planning documentation and using them to try and identify potential risks.
One interesting breakout discussion focussed on the intersection between model risk and conduct risk. It was suggested that the increasing use of models, AI and machine-learning for business decision-making can create new conduct risk exposure, particularly around appropriate model usage and data protection issues.
Attendees discussed how the rapid pace of digital change is shortening the lead time between emerging and current risks. One innovation gaining traction is the use of natural language processing to mine descriptions of loss events to surface risk drivers. There was broad support to see if ORX could support a community to share ideas in this space, with a view to ultimately creating a pool of shared event descriptions and undertaking industry level analysis.
Many of the initiatives and themes discussed in 2017 – the operational risk umbrella, the operational risk of change, active risk management and risk appetite with consequence – have developed and been adopted more widely. In addition, there appears to be interest in automation and advanced analytics. Common across these areas is a practical focus, bringing efficiencies and adding value.
Conduct and Cyber remain high on the agenda. But there is widespread acknowledgment that specific knowledge is needed to manage these most effectively, and many are looking at ways of bringing this into operational risk.