An effective, consistent operational risk framework is essential to enable your organisation to manage risk within appetite. Too many organisations are tying up unnecessary resource on the process of running the framework, diverting the organisation from fixing the underlying problems. As a result, the operational risk frameworks are not working as well as they could, causing unnecessary additional cost with no real benefit, and in some cases, they may be ineffective at identifying and managing risk.
Here are the top 10 reasons why your operational risk framework may be failing.
1. Multiple risk management frameworks
Sub-set risk management frameworks outside of a Group Operational Risk framework have evolved within most organisations in recent years, often as a result of a business or function reacting to a new regulatory requirement, such as Sarbanes-Oxley (Finance), Senior Accounting Officer (Tax), FATCA (Tax), CASS, Anti-Bribery and Corruption (Compliance), or reacting to emerging risks such as information security and cyber risk (Technology).
Although the organisation may have achieved regulatory compliance, these sub-set risk management frameworks can result in duplicative, inefficient processes requiring more resource, more oversight and at times, more risk due to siloed views, varying assessment of risk, and multiple data repositories.
2. Lack of standard hierarchy for process, risk and control assessments
Few processes are owned end to end by one business area or function. There can be multiple handoffs or crossovers between business areas or functions within one process. Without a standard hierarchy defining whether a Risk and Control Self Assessment (RCSA) should be entity-, process-, risk- or location-driven, and how to manage handoffs, it is not possible to be assured of risk management coverage and accountabilities end to end, to identify all potential points of failure, or to provide complete management reporting.
3. Only managing the ‘known’ risks and current issues
Risk assessments are often confused with, or even replaced by, issue logs of risks that have already manifested, or the outputs of control assessments. Your business processes, and the internal and external environment in which you operate, are constantly changing. You cannot assess or manage a risk that has not yet been identified. Risk assessments need to be revisited frequently to ensure that any new risks, and emerging or horizon risks, are also considered.
4. No clear RACI – who is doing what?
A RACI should identify clearly who is responsible, who is accountable, who is consulted, and who is informed for each activity within the operational risk framework. This also clarifies the segregation of roles between the 3 Lines of Defence, and ensures that ownership of the activities is appropriate. Without this, how does management know who is doing what, and who is accountable?
5. Data – inconsistent and incomplete data models
Operational risk data that is not consistently collected by different business/function areas, or is incomplete, results in inaccurate and incomplete MI (management information) for management, with no end-to-end view of the risks, issues and controls/mitigations, which impacts decision making. Additionally, it prevents detailed analysis and triangulation of the data, data convergence, and the creation of one single source for MI.
6. Too many ‘key’ controls
A key control is a ‘must have’ control to prevent/detect the occurrence of the risk, without which the residual risk would exceed risk appetite. In our experience, if you have multiple key controls documented as mitigating one risk, you have too many, and most of these are actually supporting controls. Ideally, you would expect 1, or perhaps 2, key controls mitigating a risk, with some shared key controls mitigating risks in multiple processes (e.g. reconciliations or logical access management). Having too many ‘key’ controls causes inefficient business processes, and results in unnecessary focus, control documentation, testing and reporting on these non-key controls. Importantly, this increases the resource required across all 3 lines of defence and therefore, cost.
7. Lack of resource capability
There are several capability related issues which impact the effectiveness of the operational risk framework:
- Lack of operational risk management understanding and training
- Lack of experience/quality of the resource in the 3 lines
- The right people in the wrong role, and vice versa
An operational risk framework can only be as effective as the people performing it!
8. The ‘wrong-sizing’ of the 3 Lines of Defence
The level of resource and type of resource required in each of the 3 lines is critical to both the effectiveness and the cost efficiency of the operational risk framework. The level is dependent on the demarcation of roles as per the RACI, and the requirements for risk identification, assessment and response as per the framework. Frequently we find the sizing of the 1st versus the 2nd line is incorrect due to the lack of a standard process hierarchy, inadequate segregation and demarcation of roles, unnecessary key controls, poor data quality and manual reporting processes.
9. Inadequate Governance
This can be caused by a lack of understanding of accountability and responsibility, an inadequate governance infrastructure where meetings do not demonstrate real, active risk management, and a poor risk culture (see below). Additionally, the risk governance may not consider the impact on customers, employees, or the external environment. This can result in slow or inappropriate management risk responses and decisions.
10. A poor risk culture
In a poor risk culture, employees may not feel able to identify and escalate risks and issues, or comfortable challenging management risk decisions. With the rollout of the Senior Managers Regime to all remaining FCA regulated firms in 2018, it is essential that the appropriate governance and culture are in place, with all employees aware of their responsibilities to encourage and improve the risk culture. An appropriate risk culture focuses on customer outcomes and doing the right thing, and allows for the timely and accurate identification and escalation of risks and effective challenge of management risk decisions.
© 1st Risk Solutions Limited - all rights reserved