Defining next-generation operational risk management

The senior leaders of risk management functions we spoke to agree that the future of operational risk management is about data, data, data – and that’s a consistent view across the 3 lines of defence. More generically, as the discipline continues to evolve and diversify to meet new challenges, a contentious topic that will continue to be tackled is ensuring effective and efficient interaction between the 3 lines to achieve a common business purpose. When everyone is pulling in the same direction and the risk culture at all levels of the organisation is strong, there are clear benefits and measurable outcomes that demonstrate the business is operating within its stated risk appetite and that customers’ needs are being met. Our experts agreed that while there continue to be improvements in how the 3 lines model works, there is still some way to go to achieve real maturity.

Back to data. The priority today and tomorrow has to be on the generation of a single version of the truth that is consistent and can be articulated across different business lines, entities and lines of defence. Further, we need to develop this consistency right across the industry so that the focus is on how well we are addressing known and emerging issues, rather than trying to agree that a problem exists and arguing about whether it should be prioritised ahead of other competing business objectives.

More must be done to use technology so that we can make better judgements and more informed and timely decisions based on evidence and expertise. Today, way too much time and resources are spent on data manipulation and data quality failings. As warehousing and analytics improve, this will drive the quality of reporting, which then allows us to be more forward-looking, paying better attention, for example, to the emerging risk landscape, which never seems to contract. If we make these advances at an industry level, with the inclusion of the regulatory perspective, then we are raising the bar for everyone.

In future, practitioners emphasise the need to continue to improve coordination across the 3 lines while also addressing issues such as the complications of reporting consistently across multiple legal entity structures. For example, each entity has a Board that wants to see their own cut of data across all the risk stripes. Similarly, regulators in different jurisdictions are interested in country-specific risk profiles. Everyone is trying to do the right thing, but these kind of demands can create chaos if there is a lack of consistency of data and requirements.

Overall, there is a perception amongst risk leaders that we have improved as an industry. Risk professionals point to the evidence of much stronger and embedded risk management practices and fewer really serious incidents concerning rogue traders. Our ability to manage known risks is clearly more sophisticated and effective than it was 10 years ago. Conversely, organisations continue to face an increasing number of serious emerging risks that provide major, potential existential challenges in future. So while we are more mature, we can see ourselves as being in an arms race as evolving risk management processes attempt to absorb an ever-growing number of threats.