Be it the recent surge in cyber-attacks on financial institutions, the technical glitches that lead to flash crashes on trading venues, high numbers of fraudulent behaviour or simply the complexity of today’s systems that comes with a significant probability of instability – the management of operational risk has become one of the key priorities at financial firms. Often operational risk manifests itself without the illicit conduct that is inherent in the first examples. It is the level of financial innovation itself that has led to unprecedented complexity and speed in trading systems, so that operational irregularities may have unpredictable effects in timing and scale, as ESMA pointed out in last year’s work programme. Therefore, in order to achieve effective operational risk management the understanding of the current methods and best industry practices.
Ariane Chapelle is Associate Professor (Honorary Reader) at University College London for the course ‘Operational Risk Measurement in the Financial Services’ and is a Fellow of the Institute of Operational Risk and a trainer for the Professional Risk Managers’ International Association (PRMIA), for whom she designed the Certificate of Learning and Practice in Advanced Operational Risk Management. She has been active in operational risk management since 2000, and has worked closely with ING Group and Lloyds Banking Group. Her new book “Operational Risk Management: Best Practices in the Financial Services Industry” tackles these aspects and provides a comprehensive guide for those new to the discipline and for experienced risk managers alike. PlanetCompliance spoke to her about the evolution of operational risk, what makes a good risk manager, the key operational risks any bank needs to address now and more.
Your book “Operational Risk Management” gives a comprehensive analysis of best practices in financial services. To set the scene, could you tell us what exactly is operational risk and why is it important?
“Operational Risk Management” is also called “Non financial risk management” in the financial industry, as opposed to the credit, market and liquidity, which are the “financial risks”. Outside of the financial sector it is simply called “risk management”. Without risk management, you can’t fly planes (or they will soon crash), operate energy plants (without explosions), run hospitals or schools (without harming patients or kids), so it’s pretty important…
Even in the financial sector, operational risk management is important: the frauds, systems breakdowns, cyber attacks, transaction errors and customers detriment, compliance breaches and other business sanctions lead up to billions of euros of annual losses for the financial sector (€170 bn of losses reported by 86 member banks of ORX between 2012 and 2017). And with the changes in technology and increasing uncertainty of the environment, these are likely to keep increasing.
What makes a good risk manager?
I would qualify a good risk manager as: well-informed, insightful and collaborative.
Well-informed, as he or she needs to know what is going on in and around the business in its scope, without sitting at his desk waiting for the information to come to him or her, a risk manager – and a manager too – needs to know and understand the business, the people, the exposures, the vulnerabilities.
Insightful: turning data into insight, reporting into stories are very important qualities in risk management. From experience, this is still a domain where risk management, and operational risk management in particular, needs to grow.
Finally, risk managers need to collaborate with the business lines: “advice and support” is more important than “oversight and challenge” for risk management. Risk managers are neither auditors nor policemen; they need to bring constructive opinions, highlight – when relevant – potentialities that may have been overlooked, and help find solutions to make the business safer without impeding growth.
What are the main operational risks for financial institutions in 2019?
Several surveys are coming out currently about prospective risks. Let me share with you my answers to Risk.net when they recently asked me to contribute. They will be blended with those of other respondents so you can only see those here:
- “Brexit risk” and trade risk: slowdown in growth and revenues due to international trade restrictions, political uncertainties (Brexit) and trade war (Trump)
- Business restrictions, sanctions and regulatory fines following information security breaches and data handling (GDPR, Mifid, etc.)
- Systemic business disruptions in case of central third party failings, such as large cloud companies hosting data for multiple financial institutions (extreme weather events or terrorist attack as possible causes of the third party failings)
- Business disruption due to cyber attacks and information loss or corruption
- Skill gaps and shortage in competent resources, leading to all of the above… Widening gap between the “have” and “have not” talent and knowledge to keep up with technology and regulatory developments
- Project management failures due to overstretch of resources, cost pressure and multiplicity of projects put together
- Model risk and model pricing failure due to similarities of models across institutions leading to systematic risks (in last place as it is already well looked at)
Technology and innovation have touched upon every corner of the financial industry. How has operational risk management evolved over the last ten years and what are the next ten going to be like if you had to make a prediction?
Predicting the past is so much easier, so let me start with that 🙂 Operational Risks derive from PPSE: failures and inadequacies of People – Process – Systems – External Events. Therefore, any changes in the nature of any of these elements change the nature of operational risks. In the financial industry, risks relating to information security, cyber protection, digitalisation but also outsourcing and projects management are top of the lists for most CROs, whereas they are plainly absent from the Basel categories (defined 20 years ago) for operational risk (or buried in one line sub-categories), so much so that ORX, the largest data consortium for Operational Risk, suggested in 2018 a new taxonomy for operational risks.
For the ten years ahead, it is safe to say that the evolutions of operational risks will follow the evolutions of systems, processes, employment in financial firms, and of the general environment. Some of these evolutions have already started, like those I mention in my answer to the previous question. Besides, there will probably be more surprises and disruptions between now and then, but the nature of surprises and disruptions is that they cannot be foreseen. It doesn’t mean that nothing needs to be done: building resilient, adaptive, even opportunistic businesses (in the good sense of the word) is possibly the best protection against surprises and disruptions.
Similar to other functions like compliance, operational risk management usually is not at the top of the list of priorities for start-ups, which traditionally have limited resources and often struggle to cover all bases. What would your advice for start-ups be?
I like start-ups. I tend to consider myself as a start-up too, although my company is not very new (I have been in business for 12 years) and I tend to resist upscaling (maybe there is a risk appetite decision there...), but I apply what I preach and running a business myself helps me to experience operational risk management every day. For them, I would say two things:
First, remember a famous quote: “Good risk management is good management”; risk management is not or should not be a separate activity, but rather a part of everything we do, just like all of us in our private lives: we watch for our kids (that’s risk management) and we pay our taxes and obey the law (that’s compliance); why not do it for our business? You need to make up the time for mandatory requirements as much as for other aspects that significantly impact your business. It should not be up for debate. Compliance is just another aspect of risk management and of good management.
Second, there is a direct relationship between good risk management and business performance: it’s only when you understand the risks you take that you can properly take them, with the appropriate mitigation: it’s only when you understand credit risk that you can grant loans, when you understand market risk that you can be a trader (at least those surviving more than two years in the job), when you understand actuarial risk that you can underwrite insurance policies. In cinema, the best risk managers are the stunt actors; those who take the biggest risks. Being a start-up requires taking huge risks, so excellent risk management is required not to blow up in flames by over-taking risk, or stall by not taking enough.
If people want to follow in your footsteps seeking a career in operational risk management, what advice can you give them?
First, I would be very honoured if they would. Then, the best advice for every career is to love what you do. If you’re happy at work, your enthusiasm is contagious. So go to risk management if you like it, educate yourself, get to know the business, be good at what you do, be there to help and to improve the status quo. I am forever passionate about my field: I like planning, organisation and efficiency; I like foresight and quick reactions. When I was young, my father always had the same injunction when he needed me to do something, get ready or move fast: “Efficacite!”, which is a French word that means both “efficiency” and “effectiveness”. It stuck with me; I work much and I work fast. To me, this is what good risk management is: improving efficiency and effectiveness in business operations and business strategies alike.
“Operational Risk Management: Best Practices in the Financial Services Industry” by Ariane Chapelle has been published in the Wiley Finance Series and can be purchased here. For more information on Ariane Chapelle, check out Chapelle Consulting.