Umbrella phase 2: role and scope of operational risk
- 28 March 2019
The role and scope of the operational risk function has evolved over time. The 2018 ORX report, Operational Risk: The Umbrella Function, found that in some institutions operational risk is taking on an elevated role. It is providing overarching consistent risk management across a broad scope of non-financial risks.
Our report on the role and scope of operational risk builds on the umbrella study, exploring how operational risk is evolving. By surveying a wide range of institutions, we have looked at change on a broader scale and found that operational risk management is indeed shifting at an industry level.
The role of the umbrella is to provide a consistent approach to managing operational and non-financial risks. In its most complete form, its scope includes frameworks, standards, systems, tools and reporting, and can extend across risks, control functions, and the lines of defence.
Summary of the findings
The role of operational risk
Historically, many risks were managed as they emerged – often leading to the creation of individual risk silos within organisations. In time, firms found themselves facing disjointed risk systems, processes and languages. To be successful in managing risks, institutions realised they would have to change. Systems, frameworks and processes needed to be aligned, and communication would have to be improved. By stepping up and taking on a larger role, operational risk started to provide the necessary guidance and oversight. We refer to this as the ‘umbrella model’.
There are several risk management activities that nearly all firms have either aligned or plan to align under operational risk. These can be considered "core" to the umbrella. Many of these activities are operational risk specific, such as risk appetite, key risk indicators (KRIs) or risk and control self-assessment (RCSA). Others are much broader, for example issues management, risk taxonomies, or emerging/material risk identification.
The scope of operational risk
Institutions now face a wide range of non-financial risks. Which of these fall within the management scope of operational risk varies across the industry. Areas such as third party, technology, fraud, and transaction processing are commonly managed under this function, whereas information security, model risk, new product risk and reputational risk often are not.
There is no 'one size fits all' model of the umbrella. Each firm must discover for itself what aligns with its own objectives, budgets, and resources. Although many firms have made progress, none has truly finished its journey to the umbrella risk function. A transformation of this magnitude can take years and needs input from various levels of the business. To accomplish it, buy-in must be gained from all impacted areas. This can be a challenge, and each firm must find its own way to do it. However, once the process begins to work, firms gain clarity, alignment and collaboration.
The shift by operational risk to take on an umbrella role is primarily driven by heads of operational risk themselves. Their aim is to streamline siloed risk functions and create a common language throughout the organisation. Doing this means that all three lines of defence can more effectively manage their risks.
This is a large project which could take years, but it is worth getting right. Firms can already see that the benefits outweigh the challenges and effort. The result brings simplicity and efficiency to the process and allows a holistic view of risk, further embedding risk management activities into day-to-day processes across the organisation.