An effective, consistent operational risk framework is essential to enable your organisation to manage risk within appetite. Too many organisations are tying up unnecessary resource in the process of running the framework, diverting the organisation from fixing the underlying problems. As a result, the operational risk frameworks are not working as well as they could, causing unnecessary additional costs with no real benefit, and in some cases, they may be ineffective at identifying and managing risk.
Here are the top 10 reasons why your operational risk framework may be failing:
1. Multiple operational risk frameworks
Sub-set risk management frameworks outside of a Group Operational Risk framework have evolved within most organisations in recent years, often as a result of a business or function reacting to a new regulatory requirement, such as Sarbanes-Oxley (Finance), Senior Accounting Officer (Tax), FATCA (Tax), CASS, or Anti-Bribery and Corruption (Compliance), or reacting to emerging risks such as infosec and cyber risk (Technology).
Although the organisation may have achieved regulatory compliance, these sub-set risk management frameworks can result in duplicative, inefficient processes requiring more resource and more oversight and, at times, creating more risk due to siloed views, varying assessments of risk, and multiple data repositories.
2. Lack of standard hierarchy for process, risk and control assessments
Few processes are owned end to end by one business area or function. There can be multiple handoffs or crossovers between business areas or functions within one process. Without a standard hierarchy defining whether a Risk and Control Self Assessment (RCSA) should be entity-, process-, risk- or location-driven, and how handoffs are managed, it is not possible to be assured of end-to-end risk management coverage and accountabilities, to identify all potential points of failure, or to provide complete management reporting.
3. Only managing the ‘known’ risks and current issues
Risk assessments are often confused with, or even replaced by, issue logs of risks that have already materialised, or the outputs of control assessments. Your business processes, and the internal and external environment in which you operate, are constantly changing. You cannot assess or manage a risk that has not yet been identified. Risk assessments need to be revisited frequently to ensure that new risks and emerging or horizon risks are also considered.
4. No clear RACI – who is doing what?
A RACI should identify clearly who is responsible, who is accountable, who is consulted, and who is informed for each activity within the operational risk framework. This also clarifies the segregation of roles between the 3 Lines of Defence and ensures that ownership of the activities is appropriate. Without this, how does management know who is doing what, and who is accountable?
5. Data – inconsistent and incomplete data models
Operational risk data that is not consistently collected across different business or function areas, or that is incomplete, results in inaccurate and incomplete MI for management, with no end-to-end view of the risks, issues and controls/mitigations, which impairs decision making. Additionally, it prevents detailed analysis and triangulation of the data, data convergence, and the creation of a single source for MI.
6. Too many ‘key’ controls
A key control is a ‘must have’ control to prevent or detect the occurrence of the risk, without which the residual risk would exceed risk appetite. In our experience, if you have multiple key controls documented as mitigating one risk, you have too many, and most of these are supporting controls. Ideally, you would expect 1, or perhaps 2, key controls mitigating each risk, with some shared key controls mitigating risks in multiple processes (e.g. reconciliations or logical access management). Having too many ‘key’ controls causes inefficient business processes and results in unnecessary focus, control documentation, testing and reporting on these non-key controls. Importantly, this increases the resource required across all 3 lines of defence and therefore the cost.
7. Lack of resource capability
There are several capability related issues that impact the effectiveness of the operational risk framework:
- Lack of operational risk management understanding and training
- Lack of experience and quality of the resource in the 3 lines
- The right people in the wrong role, and vice versa
An operational risk framework can only be as effective as the people performing it!
8. The ‘wrong’ sizing of the 3 Lines of Defence
The level and type of resource required in each of the 3 lines is critical to both the effectiveness and the cost-efficiency of the operational risk framework. The level depends on the demarcation of roles set out in the RACI, and on the requirements for risk identification, assessment and response set out in the framework. Frequently we find the sizing of the 1st line versus the 2nd line is incorrect due to the lack of a standard process hierarchy, inadequate segregation and demarcation of roles, unnecessary key controls, poor data quality and manual reporting processes.
9. Inadequate Governance
This can be caused by a lack of understanding of accountability and responsibility, an inadequate governance infrastructure in which meetings do not demonstrate real, active risk management, and a poor risk culture (see below). Additionally, the risk governance may not consider the impact on customers, employees, or the external environment. This can result in slow or inappropriate management risk responses and decisions.
10. A poor risk culture
In a poor risk culture, employees may not feel able to identify and escalate risks and issues, or comfortable challenging management risk decisions. With the rollout of the Senior Managers Regime to all remaining FCA-regulated firms in 2018, it is essential that the appropriate governance and culture are in place, with all employees aware of their responsibilities, to encourage and improve the risk culture. An appropriate risk culture focuses on customer outcomes and doing the right thing, and allows for the timely and accurate identification and escalation of risks and effective challenge of management risk decisions.
For information on how 1RS can help you get the optimal effectiveness for your operational risk framework, book a discovery call here.