The future of operational risk

What is the future of operational risk?

Operational risk is changing, and to get a better understanding of how, ORX, along with McKinsey and Co, undertook a study in 2016. We interviewed 15 Member Chief Risk Officers (CRO) with the aim of identifying the strategic challenges that financial firms must address if they are to manage operational risk more effectively. The full report, The future of operational risk, can be downloaded below.

Framing a positive debate

We asked a series of open questions about operational risk in their organisations:

1. How important is operational risk?
2. What operational risk management has, or has not, done well?
3. How operational risk management can best add value in the future?

Our goal was to frame a positive debate and through that debate to create an agenda for the future of operational risk management. By articulating the challenges and framing the way companies can think about the solutions, we hope the report can kick-start progress.

In 2016 Simon Wills, ORX Executive Director, presented the initial findings at our regional HORFs and the RiskMinds conference. Working with McKinsey, we then drew the results together into a report. Download the full report below.

The report

Operational risk is at an inflection point

Operational risk is important and increasing. But operational risk management is difficult. This intensification is happening at such a rapid pace that risk managers need to adapt faster than ever before.

Operational risk management is at an inflection point and needs a rethink.

What needs to change?

There are many challenges facing operational risk management, including:

• Reinventing and clarifying the mandate for operational risk management
• Generating good quality, useful risk information
• The potential for advanced analytics to improve capabilities
• Improving the effectiveness and efficiency of controls
• Increasing skill levels
• Improving organisational risk culture

Five building blocks to support reinventing operational risk management

The study identified five areas that need strengthening if operational risk management is to be reinvented. Strengthening these building blocks could elevate the function to a level where it doesn't just cope with the challenges ahead, but delivers real value to the underlying business.

1. Improve risk management information
2. Embed advanced analytics
3. Strengthen risk
4. Foster a strong risk culture
5. Bolster people and skills

Conclusion – operational risk management needs to step forward and step up

Our survey clearly showed that operational risk is expected to increase. Given the scale and complexity of emerging operational risks like cyber and outsourcing, it's the operational risk profile that will change the most. Furthermore, our survey reinforced the idea that managing operational risk is difficult.

Progress has been made over the past 20 years. CROs expressed satisfaction with the work that has been done in the last few years, specifically on the “core” frameworks (e.g. risk identification and assessment, capital modelling). Yet, there is also clear frustration. These frameworks alone are not enough to allow their companies to tackle the risk management challenges that lie ahead.

Operational risk management needs to step forward and step up. It needs to engage with the business. It must ensure better coordination between different functions – such as operational risk, compliance and IT. The survey highlights five specific building blocks that must be strengthened:

• Risk management information
• Advanced analytics
• Risk controls
• Risk culture
• Operational risk management skills

Just reinforcing one or two of these five building blocks will not be enough. Action is needed on all five to ensure that firms can reinvent operational risk management when they need it most.