By Graeme Wood, Specialist in Operational Risk and Process, Rule Financial
Despite the best efforts of firms and regulators alike, there has been no shortage of media headlines covering operational risk failures in recent years. Vast improvements have been made in risk management practices within the Investment Banking community since the financial crisis of 2008, yet incidents of benchmark rigging, anti-money laundering breaches and rogue trading prove that there is still more work to be done in the operational risk space.
With their reputations at stake, firms can no longer afford to ignore the operational risk challenge. Many leading institutions are embracing a new approach to risk management and are thinking about its application in a surprisingly different way. Although it has been traditionally viewed as an end product, firms are discovering that there is hidden value to be extracted from effective and proactive operational risk management.
Cause for concern
Due to its expansive nature, formulating and implementing a successful operational risk strategy can be difficult. Although each firm will face a unique set of operational risk challenges, there are a number of common themes throughout the industry:
- Firms are still struggling to embed a culture of risk and control across functions
- Organisations are failing to implement a consistent and coherent risk strategy across the firm, and interdepartmental discrepancies are commonplace
- Processes and methodologies have been deployed but all too often these are providing a false sense of security to managers
- The proliferation of PowerPoint decks and metrics masks underlying risks
- Managers feel ‘the need to act’ and therefore their reaction to a perceived weakness is to deploy additional tactical controls – these quite often have longer-term negative impacts
Recent instances of operational risk failures have demonstrated the prevalence of these issues amongst the investment banking community. It is clear that a change of approach is required if they are to be addressed.
A new approach
Until now, cost reduction has been the primary driver behind firms’ operational strategy. However, there has recently been a pronounced shift of emphasis towards risk reduction, with firms actively reviewing both their assessment processes and underlying methodology. One consequence of this is the rise in ‘backshoring,’ where firms are reversing decisions on which roles are suitable to be performed in offshore locations based on their wider risk profile.
Firms have also adapted their risk assessment methodology to encompass a far greater range of inputs and qualitative measures. This has been driven primarily by the need to produce more detailed reports for new regulations such as Dodd-Frank and the European Market Infrastructure Regulation (EMIR).
Another instigator of this change in approach has been firms’ increased desire to gain a deeper understanding of their risk exposures across the entire organisation. Organisations have been forced to invest a great deal in compliance initiatives in light of recent regulatory reforms, and many are now capitalising on the opportunity to re-evaluate, improve and (in some cases) radically transform their risk processes. Leading organisations have invested significant sums in innovating, adapting and extending their technological capabilities in order to achieve this goal. A key development is the adoption of centralised risk management, where firms aggregate data from different business areas in order to gain a clear enterprise-wide view of risk exposures across the organisation.
As enterprise risk monitoring becomes a reality, firms are beginning to finesse their risk management solutions and are seeking to apply the same principles to areas such as operational risk. Obviously there are issues to address around historical trade documentation and data cleansing, but there is at least optimism that in the future all firms will have a more holistic view of their risk exposures.
There is more to the operational risk challenge than just the issues surrounding technology and process. People and culture have a huge role to play in the effective implementation of an operational risk strategy. Clearly, it is not cost-effective, beneficial or desirable for firms to employ vast numbers of people to monitor or check on others’ activities. Therefore, in addition to leveraging technology, firms will need to address the cultural issue of embedding an ethos of risk and control, and of ‘doing the right thing’.
There is no doubt that progress has been made over recent years, with many financial institutions having significantly improved their risk monitoring and reporting capability. Despite this, organisations cannot be complacent. Firms continue to face challenges and most would agree that the upfront cost of implementing a ‘fit for purpose’ risk capability represents good value when compared with the market and reputational costs resulting from any potential failure.
There is no simple answer to the operational risk challenge, but the greater the effort firms make to alleviate any potential future problems, the less likely it is that they will find themselves at the heart of the next investment banking mass media scandal.