One of the big themes in the new Basel Committee on Banking Supervision’s Review of the Principles for the Sound Management of Operational Risk is the need for financial firms to revolutionise their approach to risk identification and assessment.
While this has historically focused on the pinpointing and quantifying of individual risks, regulators are now pushing firms to expand their approach: “The Principles are focused primarily on the use of operational risk identification and assessment tools for risk management rather than risk measurement exposure.” Moreover, regulators want to see firms do this in a more collaborative way. There are five key ideas emerging from the Basel Committee’s paper and three steps that organisations should take now:
1. Collaborating around risk identification and assessment delivers more insight.
Today, financial firms can struggle to identify risks that are emerging, and to understand the impact that the risks could have. Often risk identification exercises are not as wide-ranging as they should be, starved of external data, and they do not dig deep enough into the underlying issues, which results in a limited understanding of the risk or its impact. Too often the in-house data model doesn’t allow the connectivity that risk identification and evaluation require. A firm’s understanding of a risk can also be constrained by the experience of that firm.
2. Working within a common language when identifying risks strengthens relationships.
The BCBS points out that within a firm, having a common taxonomy of operational risk terms can “ensure consistency of risk identification, exposure rating and risk management objectives across all business units.” This enables the organisation to collaborate end-to-end around risk identification and assessment. Having a taxonomy can strengthen the understanding of the relationships between risk elements, too. For example, the BCBS says it “can distinguish operational risk exposures by event types, causes, materiality and business units where they occur; it can also flag those operational exposures that partially or entirely represent legal (including conduct), model and ICT (including cyber) risks as well as exposures in the credit or market risk boundary.” This will be the greatest NFRM data challenge in the ‘industrial revolution’ this risk pillar is undergoing.
3. Communicating about risk identification and assessment across the business is easier with good data governance.
The next steps in the risk identification process require additional data governance elements. Applying metrics to an identified risk requires the organisation to trust the data used to create the metrics. Teams should know where the metric data originates from, who owns that data, and how that data is used – this is called data lineage. There should also be a single, trusted source for this metric, so the organisation makes decisions based on shared understanding and trust.
4. Identifying controls for a newly identified risk is easier with collaboration.
Once a risk is identified and measured, controls are needed to mitigate the risk. If a risk is new, knowing which controls might work can be challenging. One organisation may only have limited understanding of the risk, based on its own experiences, whilst its peers might have already encountered and therefore mitigated this risk or its drivers.
5. Benchmarking controls is quicker and more accurate with more data.
The new Sound Practices paper notes that regulators would like to see firms engage in more benchmarking, too. The paper notes that not all firms benchmark their data, and most don’t benchmark their practices externally. Benchmarks available today tend to be people-based and, too often, too framework-focused – diving into data will allow comparison to become decisive.
The ideas emerging from Basel are set to bring significant change. Important steps financial firms could be taking now include:
1. Fostering collaboration – Collaborating with peers around risk identification creates richer and deeper insights into the origins of the risk, how it is impacting firms, and the controls that could be used to mitigate it. Putting in place a network of financial firms allows them to engage actively and constructively in these conversations.
2. Embedding a taxonomy – Using a standard taxonomy for how risk and control data should be classified can add significant value. By building this from their own data points and collective experience, firms can then implement the taxonomy, and share their insights with others across the industry, driving valuable conversations around risk identification. There is an opportunity for this consistency to be applied not only intra-organisation but also inter-organisation, a data standard that other sectors, such as aviation, have been enjoying for a while.
3. Connecting on controls – Shortening or eliminating what can often be a trial-and-error approach to finding the right controls would reduce costs as well as losses, ultimately driving enhanced financial results. By pooling their knowledge, firms can develop a list of best practice controls for each risk, benchmark their control metrics with each other, and in turn lower risk within individual organisations as well as systemically across the whole network.
All of this can be accomplished through the Acin Terminal and in-person workshops. To learn more about Acin, contact us.
Gaspard Biosse Duplan
Notes to Editors
Contact: firstname.lastname@example.org, +44 7534 178 225
Acin is the leading risk and control data standards, benchmarking and controls data analytics company. Acin enables firms to standardise non-financial risks and controls, improve efficiency and reduce the cost of their risk and control operating model.
We are a SaaS-based, Enterprise platform transforming the way financial services firms manage non-financial risk through a technology, data standards and content-driven platform that connects financial services firms together to better measure, manage and mitigate non-financial risk. We are resolving the root cause of the problem rather than just treating the symptoms.
Acin’s solution has received widespread industry recognition, including multiple awards wins such as the IIRSM Risk Excellence Award 2020, and has been named as one of the most innovative RegTech companies in 2019 and 2020.