Operational Risk: The Umbrella Function
22 August 2019
The range of operational and non-financial risks that institutions face is changing at a rapid pace, becoming broader and multidimensional. To keep up with this change, the management of these risks is also evolving.
The umbrella function
If you picture operational risk as an umbrella, what does it cover? Does it include compliance, IT security, conduct risk, cyber, fraud or change management? More than these, or none of them?
The development of operational risk into an 'umbrella function' was a key observation in The future of operational risk study. The term umbrella refers to how operational risk is:
- Moving to provide an overarching framework, creating consistency across specialist areas of operational and other non-financial risk
- Combining with compliance teams to provide an integrated approach to non-financial risk management
At ORX, we've been exploring this concept with our membership. In 2018 we surveyed and interviewed 13 institutions who are on the journey towards the operational risk umbrella.
Our aim was to understand how this approach was being realised and what challenges operational risk functions have encountered while on the journey. We were also keen to see what benefits institutions might already have experienced from adopting the umbrella.
We summarised the results of this study in a report, which is available to all the ORX membership (members can log in to read the full report). Additionally, we provided the participants with a number of case studies that offer insights from institutions who have already started to move towards an umbrella function.
No institution who took part in the study was at the end of their journey. Whether there are more functions and risks to bring under the umbrella, or more framework elements to align, it is an ongoing process.
What did we find out?
Four benefits of the umbrella approach to operational risk
The aim of our survey was to map the progress and identify outcomes achieved by the participants who are working towards an umbrella approach to operational risk.
Participants are at various stages of the journey, which for most has started in the last two to four years. For some, the decision to adopt an umbrella function was driven by a need to reduce duplication. For others, it was driven by the adoption of new technology, or even challenge from the regulator.
What benefits does the umbrella bring?
There was consensus on the benefits achieved by moving towards a more coherent view of risk. Most participants noted that adopting the umbrella approach resulted in a degree of consistency, efficiency, effectiveness and agility. Several institutions mentioned the truer, clearer data which was generated, and which for some provided validation of the project at an early stage of implementation. Closing control gaps also proved to be a major benefit.
“We used to spend meetings discussing the data, we now spend them discussing what the data tells us…” Umbrella study participant
While it may result in efficiencies, many found the primary aim of the umbrella was a qualitative improvement in risk management practices. Providing senior management with consistent and complete risk information was one of the strongest and most consistently reported benefits. This is essential for managing the enterprise-wide risks that are confronting firms today in a rapidly changing environment, and for providing solutions to identify and tackle them.
Still some way to go
The transition to an umbrella is a logical response to the new issues facing operational risk, and a way of building a solid and permanent basis for operational risk challenges to come. However, many of the participants observed that their firm was at the beginning of its journey, and they expected the process to be long and complex.