Despite increasing emphasis on operational risk (OR) by financial services regulators and firms, it remains a challenging topic. Not only can OR incidents result in reputational damage and regulatory consequences (e.g., increased capital requirements per Basel III), they can also result in significant financial losses.
Basel II defines the term as follows: “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
According to the ORX institute’s 2018 Annual Banking Loss Report, compiled from information submitted by 86 major banks:
/ €170bn was lost from OR events between 2012 and 2017
/ €206k was lost on average per OR event reported in 2017
Operational risk management: the challenges
/ Operational risk is not always considered when making business decisions (e.g., organizational restructuring, implementation of new systems), leading to increased likelihood of control gaps.
/ Many firms lack a comprehensive view of their operational risk, and approaches may vary for different departments.
/ It is difficult for companies to assess and manage their operational risk due to the many events and business lines involved.
/ Manual risk management processes (e.g., emails, screenshots) can be difficult and time-consuming.
What should be the top priorities?
/ People: Increase employees’ OR awareness (e.g., trainings customized for relevant use cases), and align incentives accordingly (e.g., incorporation of OR into management performance reviews).
/ Process: Create a single enterprise-wide risk management framework to oversee all risk types, including operational risk, for all departments.
/ Technology: Leverage big data and predictive analytics to enhance threat identification and automate the risk governance process where possible (e.g., RPA, GRC tool).