An effective, consistent operational risk framework is essential to enable your organisation to manage risk within appetite. Too many organisations are tying up unnecessary resource in the process of running the framework, diverting the organisation from fixing the underlying problems. As a result, the operational risk frameworks are not working as well as they could, causing unnecessary additional costs with no real benefit, and in some cases, they may be ineffective at identifying and managing risk.

Here are the top 10 reasons why your operational risk framework may be failing:

1. Multiple operational risk frameworks

Sub-set risk management frameworks outside of a Group Operational Risk framework have evolved within most organisations in recent years, often as a result of a business or function reacting to a new regulatory requirement, such as Sarbanes-Oxley (Finance), Senior Accounting Officer (Tax), FATCA (Tax), CASS, or Anti-Bribery and Corruption (Compliance), or reacting to emerging risks such as infosec and cyber risk (Technology).

Although the organisation may have achieved regulatory compliance, these sub-set risk management frameworks can result in duplicative, inefficient processes requiring more resource and more oversight, and at times introduce more risk, due to siloed views, varying assessments of risk, and multiple data repositories.

2. Lack of standard hierarchy for process, risk and control assessments

Few processes are owned end to end by one business area or function. There can be multiple handoffs or crossovers between business areas or functions within one process. Without a standard hierarchy defining whether a Risk and Control Self Assessment (RCSA) should be entity-, process-, risk- or location-driven, and how to manage handoffs, it is not possible to be assured of risk management coverage and accountabilities end to end, to identify all potential points of failure, or to provide complete management reporting.

3. Only managing the ‘known’ risks and current issues

Risk assessments are often confused with, or even replaced by, issue logs of risks that have already manifested, or the outputs of control assessments. Your business processes, and the internal and external environment in which you operate, are constantly changing. You cannot assess or manage a risk that has not yet been identified. Risk assessments need to be revisited frequently to ensure that any new risks, and emerging or horizon risks, are also considered.

4. No clear RACI – who is doing what?

A RACI should identify clearly who is responsible, who is accountable, who is consulted, and who is informed of the activities within the operational risk framework. This also clarifies the segregation of roles between the 3 Lines of Defence, and ensures ownership of the activities is appropriate. Without this, how does management know who is doing what, and who is accountable?

5. Data – inconsistent and incomplete data models

Operational risk data that is not consistently collected across different business/function areas, or is incomplete, results in inaccurate and incomplete MI for management, with no end-to-end view of the risks, issues and controls/mitigations, which impacts decision making. Additionally, it prevents detailed analysis and triangulation of the data, data convergence, and the creation of a single source for MI.

6. Too many ‘key’ controls

A key control is a ‘must have’ control to prevent/detect the occurrence of the risk, without which the residual risk would exceed risk appetite. In our experience, if you have multiple key controls documented as mitigating one risk, you have too many, and most of these are supporting controls. Ideally, you would expect 1, or perhaps 2, key controls mitigating a risk, with some shared key controls mitigating risks in multiple processes (e.g. reconciliations or logical access management). Having too many ‘key’ controls causes inefficient business processes and results in unnecessary focus, control documentation, testing and reporting on these non-key controls. Importantly, this increases the resource required across all 3 lines of defence and therefore the cost.

7. Lack of resource capability

There are several capability related issues that impact the effectiveness of the operational risk framework:

  • Lack of operational risk management understanding and training
  • Lack of experience/quality of the resource in the 3 lines
  • The right people in the wrong role, and vice versa

An operational risk framework can only be as effective as the people performing it!

8. The ‘wrong sizing’ of the 3 Lines of Defence

The level and type of resource required in each of the 3 lines is critical to both the effectiveness and the cost-efficiency of the operational risk framework. The level is dependent on the demarcation of roles as per the RACI, and the requirements for risk identification, assessment and response as per the framework. Frequently we find the sizing of the 1st line versus the 2nd line is incorrect due to the lack of a standard process hierarchy, inadequate segregation and demarcation of roles, unnecessary key controls, poor data quality and manual reporting processes.

9. Inadequate Governance

This can be caused by a lack of understanding of accountability and responsibility, an inadequate governance infrastructure where meetings do not demonstrate real, active risk management, and a poor risk culture (see below). Additionally, the risk governance may not consider the impact on customers, employees, or the external environment. This can result in slow or inappropriate management risk responses and decisions.

10. A poor risk culture

In a poor risk culture, employees may not feel able to identify and escalate risks and issues, or comfortable challenging management risk decisions. With the rollout of the Senior Managers Regime to all remaining FCA regulated firms in 2018, it is essential that the appropriate governance and culture are in place, with all employees aware of their responsibilities, to encourage and improve the risk culture. An appropriate risk culture focuses on customer outcomes and doing the right thing, and allows for the timely and accurate identification and escalation of risks and effective challenge of management risk decisions.

For information on how 1RS can help you get the optimal effectiveness for your operational risk framework, book a discovery call here.