
Risks, controls and bow ties – Oh my!


By Rupert D.E. Brown, CTO Evidology Systems.

The events of the first two decades of the 21st century have made the world’s businesses and general populations far more risk-aware and risk-averse: in this period we’ve seen natural disasters, multiple pandemics, major terrorist events, a major financial crash and, of course, most recently the blocking of the Suez Canal by a single ship that halted a significant proportion of global physical trade for a week.

And yet the systematic evaluation and mitigation of risk remains a challenge, especially outside of complex financial analysis, where the 2008 crash forced a major rethink and improved financial risk measurement and controls across the globe.

In November 2020 ORX and Oliver Wyman Group published a “Reference Taxonomy for Operational and Non-Financial Risk Causes and Impacts”. This short and nattily-formatted 9-page PDF document is a follow-on to their prior joint publication, “The ORX Event Type Reference Taxonomy”.

Alongside these two free items is usage guidance which is available for a fee for each taxonomy.

Although it would be interesting to know how many companies have paid their fee for the guidance, the real question that needs to be asked is whether the taxonomy is actually useful.

This work by ORX and Oliver Wyman is based on what is known as the “Bow Tie” risk evaluation methodology developed in the 1990s to identify factors and chains of events that then lead to catastrophic failures, most notably in aviation and petrochemical industries at that time.


Alongside the “Bow Tie” method interested readers will also find the “Swiss Cheese” model, which in turn has evolved into the more formal notion of “lines of defence”, that is usually summarised as comprising 3 key entities.  However, in July 2020 the Institute of Internal Auditors (IIA) recognised that the “3 Lines” model was overly simplistic and had to be augmented with 6 Principles.

When one looks into this world as a neutral outside observer, it is very easy to get lost in a blizzard of rather weak and overloaded terminology – taxonomies, methodologies, frameworks, principles, lines of defence, etc.

Detailed scrutiny of the “Bow Tie” and “Swiss Cheese” models and real examples of their usage show that they are often introductory PowerPoint illustrations to explain the notions of factors, causes and effects in operational risk using visual analogies. The diagrams themselves lack notions of formal dimensions, axes and scales that a rigorous measurement technique demands.

The Covid pandemic, and now the seemingly chaotic manufacture and distribution of vaccines, has surfaced one of the largest collections of interconnected operational risks the world has ever faced and must inevitably result in improving both our skills and toolsets to properly comprehend and manage them.

If we are going to make this improvement, then we need a combination of both rigorous definition and use of terminology, as well as formal, machine-readable digital standards for risk entities.

Probably the two most important are:

  1. Glossaries/thesauri – i.e., consistent common lists and alternative definitions for the risk items.
  2. Taxonomies – how the elements in the glossaries are put into collections of “related interest” terms.

The good news is that Sir Tim Berners-Lee (“Father of the Internet”) has already defined digital standards for this as part of his work on the “Semantic Web”.

The bad news is that Sir Tim’s standards are not widely used outside of academia and are probably declining somewhat in use from the initial interest in them in the early years of the millennium, if the financial results of start-up companies in the field are anything to go by.

The question that now needs to be asked is why organisations such as ORX and Oliver Wyman aren’t publishing and maintaining digital risk/control taxonomies, and why regulatory institutions such as the FCA and PRA aren’t publishing glossaries that formally define the entities they govern.

There are probably two main reasons for this.

  1. Ownership and liability – if something is going to be a formal digital risk reference data standard then it costs money to maintain and raises the question of who is responsible if the content is wrong.
  2. Versioning and distribution – technical standards have existed for some time now to enable rigorous version control of digital assets (aka source code) and global distribution (GitHub etc). However, consulting firms are often wary of using these tools because they are perceived as commoditising their skills and cannibalising margins (how many consultancies have in-house IT these days?)

So what we have been left with is a balkanised collection of websites and PDF brochureware that abuse the terms glossary and taxonomy in a modern digital context, with the result that the notion of “Straight Through Compliance” has become something that everyone waxes lyrical about in virtual conference keynotes, but no one is willing to make the first move.

In order to cut this Gordian Knot, someone is going to have to blink and start publishing content that they own – this would seem to point the finger to regulatory bodies and basic glossaries.  At the moment, these institutions tend to promote their technical credentials through the use of sandboxes and hackathons rather than having the confidence to trust their own in-house IT capabilities to construct and maintain substantive new content.

In conclusion, we can now return to the initial question posed about the value of the taxonomy that ORX and Oliver Wyman have published. The answer – as we have seen above – is that it could be useful if it was machine-readable, but that it is one of many, all of which are subject to continuous change. Currently no one is brave enough to industrialise the supply chains and processes that truly digital operational risk and control taxonomies enable.

George Bernard Shaw coined the phrase, “Those that can, do; those that can’t, teach” – perhaps it sums up the capabilities of the operational risk and compliance market participants at the moment.
