How must Financial Institutions plan and prepare when charting a journey towards operational risk management?
People, Process and Technology, the Operations Ecosystem, is evolving fast and posing new challenges and risks for senior management. Time and again, the robustness of an organization’s machinery is tested for its design, its capability maturity and its operating effectiveness. Recent and recurring market and industry risk events have re-emphasized the need for Indian Financial Institutions to recognize their failures resulting from sub-standard business practices and inadequate technology investments, and to direct renewed energy into Operational Risk Management.
Highlights of a few select events from the recent past are as follows:
In a previous article on this subject – Mind The Gap – we elaborated on the boundaries between operational risk and conduct risk in the context of the changing regulatory landscape in the UK. Understanding these risk boundaries is not a complex process, but implementing an organization-wide methodology "consistently" is a significant task. Mature markets in the western economies continue to explore and develop scalable and sustainable models to embed a culture of risk management.
Financial Institutions in India have made varying degrees of effort and resource investments in developing policies, processes and controls, followed by periodic self-assessments of risks and controls. While a few have exercised rigor in performing comprehensive risk impact assessment studies, most others have bought themselves a ready reckoner, a checklist, that acts as a handbook to meet the regulator’s expectations. Organizations that perceive this as a problem of non-compliance with policies and procedures continuously make additional investments in cultivating a culture of absolute compliance. However, quantification of effort and investment for exercising control over operations and realizing efficiencies remains a difficult challenge. Only a handful of organizations have chosen the path of evaluating their investment to perform an integrated analysis of operational performance and risk management for the greater good of their business, to drive efficiencies and to optimize costs.
Reviewing the recent risk and regulatory events in India and the maturity of risk management practices followed by Indian Financial Institutions, we recognize the need for defining essential capabilities that form part of an operational risk management framework. Let’s begin by examining the key elements of an operational risk management framework.
Copyright © Profisor Services Pvt. Ltd. 2015. All rights reserved. This document is subject to contract and contains confidential and proprietary information.
"There are many pitfalls in the journey towards effective operational risk management that will ‘Wreck Your Trek’ ... knowing them ahead of time will certainly help in planning for the rough phases and managing the challenges more confidently."
Where does one start? What are the key enablers of operational risk management? What is the role for technology? What are the necessary capabilities? How should one develop capabilities? How does one test the level of maturity? What mature practices from western economies offer ready learning? Answers to these and many related questions will offer insights into challenges, hurdles, which most financial institutions encounter in their efforts to embed an effective operational risk culture.
With that aim in mind, we present to you the typical journey, articulating in detail the best practices, success factors, potential issues, causes of inefficiencies and industry-wide challenges at every stage of the process, from ORM Enablers to Risk & Control Self Assessment (RCSA), Key Risk Indicator (KRI) & Risk Events to Stress Testing and to Capital Management.
Insightful Journey Into Effective Operational Risk Management
While the above info-graph offers a learning opportunity, in our experience, organizations always benefit from engaging with proficient advisors to determine an approach for robust capability development for effective operational risk management.
Remember, resources are scarce and any wasteful investments will adversely impact your operational losses!
U.K. firms must prepare to map the relationship between operational and conduct risk
April 2013
It won’t be long before a new regulatory supervisor, the Financial Conduct Authority (FCA), one of the successors to the U.K.’s Financial Services Authority, comes knocking on the door. For U.K. financial firms, now is the time to map the relationship between operational risk and conduct risk.
Over the past three years a majority of operational losses occurred in the “clients, products and business practices” event category. Mis-selling, billing errors, failure to pay client claims … the list is ever growing and represents huge operational losses. Hence the U.K.’s new twin-peaks model, which has a particular focus on conduct-of-business, or conduct, risk.
Consumers today understand the definition of conduct risk through their own experiences — either their medical insurance has failed to provide necessary coverage, their investments are now worthless, or their pension claims are just claims. Recognizing the consumer demand for fair and suitable products, financial institutions face an enormous challenge in designing their product offerings and trade strategies to not only ensure future growth and profitability, but also to win shareholder confidence.
In this article we will analyze the relationship between conduct risk and operational risk, while charting the opportunities and benefits of collective risk and compliance management under the organization-wide operational risk management framework.
Mis-selling of interest-only mortgages, a conduct risk event, may result from incorrect advice on the mortgage product or inadequate checks on the borrower’s in-place capital repayment vehicle.
“Wrong advice” qualifies under the “product flaws” and/or “product suitability and disclosure” operational risk event categories, and “inadequate checks” qualify under the “improper business or market practices” category. Controls devised to monitor and mitigate such events, though ineffective, may exist in the risk and control assessment document, which is a key component of the operational risk management framework. Financial institutions must recognize these relationships before endeavoring to add measures to monitor compliance with conduct-of-business rules.
It is highly likely that supervisory reviews, rising product claims and compliance issues will drive management’s focus toward a specific event or a product class, like mortgages. Nevertheless, for effective conduct-of-business compliance, organizations must act to enhance their operational risk management capabilities. Essential enablers and components of an effective operational risk management framework are illustrated in Figure 1.
Figure 1 – An Effective Operational Risk Management Framework
Operational risk management techniques have evolved over the past few years, yet financial institutions have not made much progress on the effective implementation of these standards. Traditional techniques with a heavy focus on risk and controls, inconsistent risk management standards, and inconsistent interpretation and application of policies and procedures have resulted in teething problems, including:
When planning to enhance their operational risk management framework, financial institutions must assess the relationship with conduct risk before embarking on a journey to manage compliance requests from the regulators. Below is a viewpoint on – or an approach to – the crucial next steps.
1. Understand the definition and significance of conduct risk
Where should you find conduct risk definitions? A good starting point is the FCA’s Risk Outlook, which sets out the most significant retail conduct risks. For example, changes in product design pose a strategic risk, but the complexity of design or lack of marketing disclosures pose operational risks with a potential for reputational damage. Mis-selling is a “business practice” operational risk event and also falls under the definition of conduct risk. Articulating the relationship between operational risk and conduct risk is a fundamental step for effective monitoring and management of these risks.
2. Map conduct risk relationships in the operational risk taxonomy
Accurate operational risk taxonomy, which is a key enabler, outlines the strong foundation of a robust operational risk management framework. Identify and map conduct risk relationships – based on the nature of business and product offerings – to the operational risk taxonomy. Remember the boundary definitions when categorizing operational risk events as conduct risk. This step also offers an opportunity to find gaps in accuracy and completeness in the existing operational risk taxonomy.
Operational risk technology infrastructure will play a significant role in the effective management and reporting of conduct risk. Ease of use, data customization and the ability to expand the data dictionary will help in implementing unified operational risk management standards with an explicit focus on conduct risk.
3. Enhance policies and procedures
Past supervisory reviews have reflected weaknesses in management’s policy framework — jurisdictional vs. global, and divisional vs. group standards, for example. Review the existing policy statements and procedures for inconsistent definitions and the potential for misinterpretation. Enhance and develop unified standards for effective measurement, monitoring and management of operational risk and conduct risk.
4. Create awareness
Common understanding and consistent use of the operational risk taxonomy, including conduct risk relationships, will be essential for driving enhancements to the operational risk management framework. Create awareness of conduct risk relationships and an enhanced operational risk taxonomy by hosting workshops, to develop skills and train “risk champions” or people responsible for managing operational risk in the organization. Clear and well communicated risk management strategies and appetite definitions help embed risk culture in the organization. Involve people responsible for implementation of operational risk management frameworks when developing standards and policy statements. Results will be visible in the quality of risk management information, risk mitigation responses, and escalation of threats and concerns.
5. Assess and align the operational risk framework
Review the key components of the operational risk management framework — risk and control assessment, control assurance, loss and risk event analysis, and key indicator analysis — for conduct risk coverage. One key aspect of such an assessment should be the ownership of risks and controls. Most organizations still struggle to assign responsibility for risk and to make the business accountable for managing these risks. Another key aspect is the use of “risk indicators”. With conduct risk in question, organizations will have to re-align key risk indicators for effective analysis and compliance. For example, monitor and measure product design change vs. product mis-selling, cost reduction initiatives vs. quality of customer service, use of advanced payment platforms vs. potential for fraud, and others.
While the Financial Conduct Authority will question compliance with conduct-of-business rules, the Prudential Regulation Authority will question compliance with regulatory capital standards. Many financial institutions suffer from deficiencies in their historical loss event database, which is needed to perform scenario analysis and stress testing. Establish robust standards for loss and risk event capture. Validate and capture loss and risk events, when possible, keeping in mind the boundary definition and relationship between operational risk and conduct risk. For instance, while performing a root-cause analysis for reasons of product mis-selling, map and capture resulting claims (losses) to the correct operational risk event categories — “product flaws” or “product suitability and disclosure” or “improper business or market practices.” A comprehensive account of internal losses will help in conducting empirical study for capital management and to establish an adequate risk appetite definition.
Resources are scarce so be wary of the end-to-end impact of regulatory change on your operational risk management framework. Aligning a compliance program to respond to regulators’ requests is essential for compliance monitoring and reporting. However, for effective regulatory compliance, such initiatives must be aligned under an umbrella program with the overarching objective of enhancing the operational risk management capabilities. Otherwise, budgets wasted on “monitoring and reporting” will have to be considered operational losses under the “execution, delivery and process management” operational loss event category.
Author: Profisor Team - Proficient Advisors.