Understanding control management practices

We have been working with our members on a key aspect of operational risk management frameworks – understanding control management practices. We've recently run a project aimed at understanding how participants are managing their control frameworks and the nature of the related data they collect. To do this we conducted a series of interviews and a detailed survey in the first half of 2017.

Throughout the project, we worked closely with the participants from 36 ORX member firms to develop the report. Participants then shared their experiences and learning at roundtable events in London and New York.

The full report, available to participants on our members' website, presents the results of the interviews and survey. It includes an overview of current industry practices, proposes definitions, identifies common control data attributes and provides an indication of how an institution can assess their stage of development. The summary report is available to download below.

Why controls?

Controls help an organisation to operate effectively, comply with policies, produce dependable information and conform with regulation. But, they can be costly to implement, operate and monitor. They often drive inefficiency through duplication and unnecessary activity. Furthermore, existing industry research about what works well is limited.

What did we find out?

Controls are a priority

Operational risk is changing. Managing operational risk effectively and efficiently is increasingly important. A consistent, enterprise-wide control environment is key to a balanced risk management framework.

Financial institutions are investing more to improve control management. They are also addressing specific risk areas like regulatory compliance and developing related technology.

There is pressure to improve

Pressure to enhance control frameworks is exposing the reality that the discipline of control management is not at an advanced stage of development. So far, investment has had a positive impact on culture and the development of over-arching frameworks.

However, the absence of sufficient external frameworks and guidance has led to practices and terminology evolving in isolation. This means that some areas – such as financial reporting – are more established than others. The less established areas include conduct, third party and data management.

The variation in definitions and approaches has also led to vast differences in the volume of controls considered key, ranging from 500 to 45,000 within this study. This makes it difficult to focus on the most important controls and stretches resources in both operating and monitoring them.

These factors combined are hampering the ability of board members to make positive statements about the overall effectiveness of their control environment.

The industry is moving in the same direction, but at different speeds

Operational risk as a whole is increasingly being seen as an umbrella function, promoting the harmonisation of frameworks, methodologies and systems. This is leading to a better understanding of the importance of controls at all levels and efforts to identify which controls are truly key.  It's also improving the quality and accessibility of controls data

Control monitoring is a priority for most institutions and is widespread across the lines of defence. Firms are investing significant time and resource, with techniques advancing beyond sample testing to enable a more nuanced and efficient risk-based approach. Some institutions have invested more heavily and are, therefore, currently more advanced in control management.

What next?

We plan to carry out more research about controls in the future. We are also building a community of financial services professionals interested in contol management. If your institution would be interested in finding out more about this let us know.