7 Main influences impacting an Operational Risk Management Program.

Operational Risk Program Design Influences

A picture is worth a thousand words, and the chart below depicts the core influences of an operational risk program. Operational risk is defined by the Basel Committee as “the risk of loss resulting from inadequate or failed business processes, people and systems or from external events”. Operational risks relate to areas such as cyber and fraud, crime prevention, human resources management, information technology, information security (including digital and multimedia), business continuity management, physical security, and vendor management.

An Operational Risk program design can be embedded in both financial and non-financial organizations and needs to fit the culture and objectives of the specific organization. The benefits of a program are multiple:

a) understanding the key risks and applying the relevant mitigating controls

b) reducing the complexity in operations by understanding the key processes

c) inserting key performance indicators, thus ensuring more effective processing, and

d) improving resource preparation and allocation for future planning.

An Operational Risk program speaks to the internal controls of an organization.

Figure 1. Operational Risk Influences


 Operational Program Influences

Enterprise Risk Management

For an operational risk program to be successful, it must be fully integrated with the strategy and culture of the organization; otherwise it will have no bearing or credibility. To have influence, it must be scalable regardless of the size, scale and complexity of the organization. The program must be managed at the enterprise level and will have a Policy and Procedures document which will outline the risk appetite, scope and governance of the program. The Policy and Procedures document will incorporate many of the influences below, depending on the size and maturity of the program.

New Activities

Operational risk arises in two areas: business as usual, and new products/new activities conducted by the organization. Each of these areas will be influenced by regulatory and industry considerations. New products/new activities require an added level of scrutiny, since they deal with forecasted risks that have not yet manifested themselves, and as such warrant an extra level of governance, usually managed by a committee. Moreover, these new activities will drive changes to the required framework in terms of adjustments to KRIs and KPIs, newly identified RCSA processes and new scenarios considered.

Common Integrated Tools

Definition, consistency and standardization of tools, documents and language are needed for a successful implementation. The tools will include a) a risk taxonomy (describes the risk, the event and the effect), b) a definition of inherent risk (no controls) and residual risk (with controls), c) an operational control library (describes the types of controls), d) scorecards, and e) rating scales for inherent risks and control effectiveness. Common metrics such as KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators) need to be aligned in a manner that drives areas of focus and ensures planned control assessments. Finally, a standard organization-specific Risk Control Self-Assessment (RCSA) form will manage and evaluate the key processes and document the effectiveness, adequacy and application of controls.

Operational Risk Data Collection & Analysis

The standard RCSA should be decomposable, allowing its contents to be entered into a central registry. Remediation and action plans flowing from the RCSAs should show ownership and a timescale for when these plans will be executed and finalized. Supplementing the data derived from the RCSA will be incident reports, audit reports and compliance reports. Internal loss data needs to be captured in this central registry as well, providing a basis for operational risk management and mitigation strategies. Collection of this diverse data is important, as the information contained will help to understand the effectiveness of the controls and to predict patterns and trends which warrant further investigation.

Scenario Analysis

A model which incorporates stress and scenario analysis will enable the organization to gain foresight and to evaluate the different types of responses needed under different operating environments. Note that this will be associated with a more mature program, as it will require a rich level and history of data points together with advanced modelling skills.

Control Environment

A control framework is a data structure that organizes and categorizes an organization's internal controls, which are practices and procedures established to create business value and minimize risk. The framework will outline the key processes and activities, key documentation requirements, methodology assessments, governance (roles and responsibilities), escalation and monitoring/reporting responsibilities. Continuous education and training will play a major part in the program in embedding and maintaining this control environment and will be the key factor in successful and effective implementation.


The most important influence will be the reporting aspect and the different requirements of audiences, both internal and external, that need to be informed and addressed. The information supplied should include meaningful metrics which show trend, materiality and control effectiveness. The reporting will also need to cascade down and filter up, with governance decisions documented and actioned. Reporting will further include a catalogue of material incident reporting, an evaluation by audit or a third party on the effectiveness of the program and a pronouncement as to the quality control and assurance of the program.

Passing thoughts

The internal control structure of any organization is under constant threat with the advent of cyber risk and the explosion of social media. Operational risks are expanding and emerging with the constant deployment of new and rapid technology. An Operational Risk Program, small or large, immature or mature, is a must-have; without it, the organization can quickly lose both credibility and reputation. Examples include Volkswagen, GM and Toyota. The implementation is not difficult, but it does require vision, application and documentation to ensure effectiveness.

John Thackeray