As the regulatory environment continues to intensify and the growing list of emerging operational risks shows no sign of slowing, senior risk control managers are facing challenges on multiple fronts—from stakeholder demands and pressure from regulators, through to communication issues across the three lines.
Recently we spoke to Sally Clark, former chief internal auditor at Barclays, currently non-executive director at Citi and Metro Bank, and Tracy Clarke, former private bank CEO and regional CEO for Europe and the Americas at Standard Chartered Bank, currently non-executive director at TP ICAP and Starling Bank.
They highlighted three key challenges that financial institutions must work hard to overcome:
- Front-to-back communication issues: “Often the three lines of defense operate in silos using their own naming conventions and drawing their own assessment boundaries to determine whether something is working or not,” says Sally Clark.
That disconnect comes from a lack of consistency and an inability to gain a holistic view, making it harder to make the right informed decisions—and increasing costs to the business.
By using data intelligently and having a single source of truth, those three lines can start to collaborate more effectively by speaking a common language, creating a seamless 360-degree front-to-back view of the business. That means less time is wasted on subjective debates and more time is spent objectively analyzing data, identifying gaps collaboratively and focusing on where to reduce risk, generating greater value for the business.
- Insufficient data insights: “Firms really need to be focused on risk front-to-back—there is so much data in institutions that it is very difficult to see the wood for the trees when it comes to operational risk. What I expect from my risk and control partners is for them to help me make sense of that data, to focus on the things that really matter,” says Tracy Clarke.
Being able to draw from fresh data insights can also improve the quality of the Risk and Control Self-Assessment (RCSA) process. Currently, self-assessments are retrospective and static, capturing just a single point in time. Scenarios are generated from this backward-looking risk assessment instead of being part of an ongoing, dynamic process that can help risk managers become more proactive in dealing with operational risk rather than just reacting to events after they have happened.
Using connected data in a network, firms can calibrate their risk controls against their peers to get a better understanding of what other market participants are doing and enable them to follow best practice. This is beneficial during dialogue with regulators who encourage the use of peer analyses. For instance, if a regulator flags that a certain control is missing, that network data can show that other institutions don’t have that control in place either, or that the control isn’t needed because it is within the tolerance of the firm’s data-driven risk framework.
- Inadequate SMF safeguards: Pressure from stakeholders across the business, particularly in light of the Senior Managers and Certification Regime (SMCR) and other related global regimes, can also make it harder for risk managers to prove they are taking reasonable steps to meet compliance standards. By using peer-to-peer network data in a format that everyone understands, risk managers can provide evidence to all stakeholders that the risk controls are complete and appropriate.