Operational Risk, as a discipline in the banking sector, has always struggled with the lack of sufficient, robust and quantifiable data. Data has often seemed to be at the heart of some of its fiercest controversies and challenges.
All this could be about to change with the introduction of a fresh approach to OpRisk data that is anchored in the methodologies of today’s data management revolution. As a result, the value that Operational Risk teams will be able to deliver to their organizations should increase substantially.
Defining “OpRisk data”
First, what is meant by the term “OpRisk data”?
Up until recently, the phrase usually provoked thoughts about loss data – the information that firms collect when things go wrong with people, processes, systems, or external events. Today there are several loss data consortiums that collect this information and redistribute it back to firms.
However, the truth is that OpRisk data – as a category – is much broader than just loss event data in the same way that credit risk data is much broader than just historical loss events. OpRisk data includes the fluctuating metadata of the risk taxonomies, key controls libraries, and operating performance data from the control environments itself, such as risk indicators. Finally, the data collected and produced from the risk and control self-assessments (RCSAs) should also be considered part of this dataset, as a cornerstone component of the risk profile view and decision making process. In general, banks are not getting all of the value that they should be out of this information.
Moreover, OpRisks are too often managed “offline”, within the perimeter of each bank. OpRisk data today is now evolving, there is a growing interest and appetite to start consuming external data to introduce a leaner and more dynamic OpRisk management regime.
Understanding the data challenges
Value generation from their OpRisk data is being hampered by a few fundamental challenges.
First, this data is often not complete. A firm may suffer from an overwhelming number of risks and key controls – it can be truly burdensome. And yet, best practice risks and controls can be missing from individual business units, and commonalities and relationships between datasets are often ignored.
This lack of completeness is often caused by operating silos – based on geography, business line, or corporate evolution, such as M&A. As a result, banks often struggle to share information and experiences about risks and controls, both internally and externally. For example, a commodities desk may discover a new risk within its business that other trading desks could encounter as well, however we see many instances, when this new risk is not communicated with other teams. Moreover, the finding is almost never shared with other banks, even though it would reduce systemic risk to do so, making all firms safer.
This failure to collaborate and communicate about Operational Risks and key controls – both internally and externally – has been a significant issue within the global banking industry. Often within firms it can lead to a proliferation of hundreds of controls, as all three lines of defence struggle to manage risk and enhance operational resiliency. Paradoxically, this can result in more risk and less resiliency, as attention and resources are stretched. The rapid trading electronification and interconnectedness of market participants have exacerbated this issue and increased the need for data-driven industry collaboration to meet the velocity of market environments.
For firms and individuals, this is not just a missed opportunity, the threat posed by this misalignment of risks and controls is increasing as a result of new regulations focused on improving risk culture. The UK’s Senior Managers & Certification Regime (SM&CR) now holds senior executives directly accountable for risk and control failings that happen under their aegis. Today, a risk or control gap can be career-ending. Many other countries are closely watching the UK’s progress with the SM&CR regime and are considering rolling out similar, culture and accountability-focused regulatory frameworks.
Understanding the value of data
These issues could be remedied with an improved approach to Operational Risk and key control data. However, there is another important benefit – the enhancing of the ability of the business to deliver value to shareholders, and protect their interests.
OpRisk data management practices remain at the same stage that Market and Credit Risk practices were 20 years ago. There is a huge amount of value that can be created by applying new data management techniques to the full range of OpRisk data. Firms could be using a more sophisticated approach, like they did with the adoption of value-at-risk (VAR) measures for Credit and Market Risk.
Through improved OpRisk data management, boards should be able to see their Operational Risk appetites actually understood and expressed at the business level through more efficient risk and control frameworks. This could lead eventually to a reduction or reallocation in the level of regulatory capital they have to hold, improve operational resilience and open new growth opportunities, at the very least it will improve decision making and make the banking system safer for all.
Embracing essential change
To achieve these benefits, banks need to move beyond the mindset that Operational Risk information should not be shared because it confers competitive advantage. Most senior executives and boards are now beginning to understand this, as they are seeing that the benefits of collaborating are significant.
By sharing information through a trusted partner like Acin, they will be able to adopt a best practice set of risks and controls inventories, and in time, gain data that gives them better insight to improve management of their operational risks as new controls are introduced, or new analytics allowing a more predictive use of industry data. The collective intelligence that is then generated through robust data management will transform their ability to manage the business in alignment with their stated risk appetite.
To do this effectively involves creating a common language, a consensus around these risks and controls across the banking industry. Every bank has its own taxonomy, its own set of terms, that are distinct. And yet, all of these banks are talking about the same risks and controls. The language can be standardized, and then banks can link their own terminology to this best practice, so that they can retain their own language, internally.
Leadership is essential to breakdown the silos that inhibit progress, be they business, function and organisational level. The ‘tone from the top’ needs to be that collaboration will create an organisation which manages its risks better and is more operationally resilient, through improved operational risk data management.
The reward of better data management through enhanced collaboration – both in the short term and as industry risk and control data amasses over time – will be substantial. Better data will enable the industry to reduce both the likelihood and impact of risks, through improved controls. This helps keep both firms and executives safe from compliance risk, financial risk, reputational risk, for example.
Moreover, boards and C-suite executives who feel more assured that the organisation’s risk appetite is being adhered to are in a better position to consciously take risk, by moving into new products or markets. We believe that with a more effective risk and control framework, firms will be able to seize new opportunities, knowing that their approach is underpinned by best practice, turning their sound Risk & Control Framework into a competitive advantage with investors, for instance. This is already being observed in banks, but also in the Asset Management community.
So, for financial firms, there is much to gain by embracing a new approach to operational risk – an approach that uses tools and techniques generated by the data management revolution, such as collaboration. A more effective approach to risks and controls can transform an organization’s approach to both compliance and risk management, and give it the confidence to evolve through new products, geographies, and technologies.
Peter Irvine, Head of Product, and Gaspard Biosse Duplan, Head of Sales & Trading Product at Acin, a data standards company that enables firms to standardise Risks & Controls, improve efficiency and reduce the cost of their Risk & Control operating model.