By Karl Viertel

Until recently, many financial services institutions may have viewed operational risk as a “side project” compared to market and credit risks these organizations manage on a daily basis. The rise of new types of operational risk, the increased reliance on a more complex supply chain of vendors and the velocity of threats materializing have led to an increased focus on operational risk management from FSI’s as well as regulators. Unfortunately, identifying and quantifying these risks still remains a very manual process in many cases.

The continuous increase in operational risk is a direct consequence of various factors:

• Increasing number of third-parties and vendors that provide support services to the business.
• Growing data and cyber risks.
• Digitisation of previously manual processes, amongst others.

Many financial services institutions and regulators alike are recognising that the currently established manual processes are no longer sufficient, nor cost effective, when dealing with this level of risk. Additionally, the fragmentation of GRC tools deployed across many organizations adds an enormous burden to risk management processes, making it very difficult to gain real-time risk insights.

So, what exactly is so unique about operational risk?

Operational risk can be a direct result of many potential sources, unlike market risk. They can have significantly varying impact, from health and human safety to reputational damage. Additionally, quantification can be particularly challenging. The expertise and skills needed to accurately quantify operational risk are as varied as the sources. Historical values require an enormous amount of context to be relevant enough to correlate.

Some financial services institutions refer to operational risk as a non-financial risk. It is important to mention that fraud, data privacy protection, cyber security, ESG and infrastructure risks fall under this category.

Operational risk is manageable as long as the organization keeps its losses within the same level of risk tolerance (risk appetite), determined by balancing the costs of risk mitigation against the expected outcome benefits.

Tackling operational risk consists of five individual steps that will most likely arm your organization with an effective risk management process:

1. Identify Risks: Review the task in question, list all relevant risks, understand the scope of these risks, analyze and review current and future business strategy against listed possible risks and finally create a library of risks and related items that include policies and procedures, regulation controls, tests and indicators.
2. Risk Assessments: Assess the level of risk exposure of your organization as well as the severity of the worst possible event outcome, determine the probability of the event occurring and finally establish the level of risk. This must include risk qualification based on likelihood and potential impact and quantification that may include a financial loss potential as well as minimum, maximum and probable loss scenarios.
3. Treatment Strategy: Define and implement the appropriate treatment strategy (risk acceptance, transference, avoidance or reduction).
4. Mitigation: Define and implement a mitigation strategy that includes control measures. Identify control measures for each risk, change the process to eliminate the risk (improve task design, limit exposure, provide additional training, establish warning or cautions) and finally determine the effectiveness of control measures by assessing the residual risk remaining after said measures are put in place. Controls should be implemented to limit the exposure of the organization to potential threats.
5. Review and Update: Risks should be reviewed regularly to ensure that the appropriate treatment strategy and mitigation measures are in place.

Essentially, these steps would repeat each time a new major risk event surfaces.

Implementing the five steps detailed above into your risk management framework will guide your organization into a much more efficient risk management process. Further key components in the risk management framework of any financial services institution should be:

• Risk and Control Self Assessments (RCSAs)
• Risk Identification
• Risk Quantification
• Internal and External Loss Events
• Scenario Modeling

Ensuring the efficiency of a fully integrated risk management framework requires continuous monitoring and it is the responsibility of the organization to ensure that the risk process established provides comprehensive coverage across the different risk event types (including operational risk) in order to perform ongoing assessments of not just the individual components, but the overall framework’s success.

Selecting an easy-to-use solution that ensures high user adoption in order to engage key risk stakeholders on an ongoing basis is critical. It needs to convey a tone emphasizing and encouraging an active risk culture within the organization using agile methods of interaction. Furthermore, the solution must also be able to provide a methodical approach for quantifying risk exposure and appetite, without being highly rigid. Additionally, when identifying risks, the solution must be able to support scalable assessment capability, rather than relying on manual sample-based approaches.

Executed correctly, integrated risk management will enable organizations to focus their spend on risk mitigation rather than risk identification and management.

About the Author:

Karl Viertel is responsible for Mitratech’s global GRC business as Managing Director of the business unit.  After working in the technology and risk divisions of Accenture and Deloitte, Karl co-founded one of the first RegTech companies – Alyne, in 2015. In late 2021, Alyne was acquired by the legal and risk software leader Mitratech.