The changing face of operational risk

Capgemini
8 Feb 2021
capgemini-invent

The risks facing financial services players are multiplying and evolving. Creating a dynamic and proactive risk culture is essential to prevent serious losses.

From the ever-present threat of cyber-attack, to the unexpected and sudden impact of a global pandemic, operational risk is a fact of life in the financial industry. And while operational risk management is critical, the practice is still in its infancy.

Despite this immaturity, its relevance is underlined by the continuous revisions and reviews published by the Basel Committee on Banking Supervision (the Committee). The most recent of these, both published in 2020, are a consultative paper proposing updates to the Principles for the Sound Management of Operational Risk (PSMOR) and the newly minted Principles for Operational Resilience (POR).

Both documents are at the forefront of current affairs in this industry and offer a glimpse of the regulatory challenges financial institutions will face in the future. In this article, we offer an overview of the updates and new principles, and consider the impact on Finance, Risk and Compliance (FRC) functions.

In short

Additions and changes to the Principles for the Sound Management of Operational Risk include:

  • More detail on each specification within each principle
  • Fleshed out roles and responsibilities of the board of directors and senior management
  • A fully new principle on Information and Communication Technology (ICT)

The Principles for Operational Resilience aim to:

  • Improve banks’ ability to deliver critical operations through disruptions
  • Strengthen banks’ ability to absorb operational risk-related events

The PSMOR: and then there were twelve

Since the adoption of the PSMOR in 2011, the operational risks faced by financial institutions have increased and evolved. The current consultative paper addresses this changed landscape in the following twelve principles:

  1. Risk culture
  2. Operational Risk Management Framework (ORMF)
  3. Board of directors: implementation ORMF
  4. Board of directors: risk appetite
  5. Senior management
  6. Identification and assessment of operational risks
  7. Change management
  8. Monitoring and reporting
  9. Control and mitigation
  10. ICT
  11. Business continuity
  12. Disclosure

The following additions are proposed:

  • Expanded requirements on risk culture, code of conduct, and ethical behavior
  • Explicit delineations of the roles and responsibilities of the board, senior management and the Three Lines of Defense
  • An extensive, though non-exhaustive, list of tools to identify and assess operational risks, such as operational risk event data, self-assessments and scenario analyses
  • A new principle (Principle 10) addressing the implementation of sound ICT: its aims, its maintenance, and the roles and responsibilities related to them

The BCBS has published a paper on cyber security.

The following changes were proposed:

  • A request for the inclusion of a standardized and fully developed ORMF
  • A call for clear-cut definitions of the processes and controls governing the review and approval of new products, processes and systems, with their monitoring assigned to a dedicated change manager
  • Demands for the analysis of severe but plausible disruption scenarios and the corresponding business continuity planning (e.g.: thresholds, business impact analysis, discovery and recovery procedures)

The POR: brace for impact

The Principles for Operational Resilience were developed and proposed by the Committee to mitigate operational risks and to strengthen operational resilience in this industry. The latest updates aim to enable banks to deliver critical operations through disruption. Their objectives are as follows:

  • Improving operational resilience: promote a principles-based approach to improving operational resilience, i.e. the ability of a bank to deliver critical operations through disruption.
  • Initial lessons learned: reflect any initial lessons learned from the impact of the Covid-19 pandemic.
  • Risk management frameworks: ensure that existing risk management frameworks, business continuity plans, and third-party dependency management are implemented consistently within the organization.

The seven newly designed POR address many critical incidents faced by financial institutions, amongst them the Covid-19 pandemic and a rise in cyber-attacks. The scope lies primarily within:

  1. Governance
  2. Operational risk management
  3. Business continuity planning and testing
  4. Mapping interconnections and interdependencies
  5. Third-party dependency management
  6. Incident management
  7. ICT including cyber security

With respect to ICT, the Committee sets expectations for the physical and logical design of banks' information technology and communication systems. This covers the individual hardware and software components, the relevant data and the operating environment. Additionally, banks are expected to maintain a documented ICT policy that addresses the growing issue of cyber security.

When proposing these principles, the Committee considered third-party activities whose failure would disrupt vital services. This applies especially to major institutions with a high market share and globally interconnected operations, where a failure could seriously impair the functioning of the real economy and threaten financial stability.

Moreover, the POR require that banks reflect on any initial lessons learned from the impact of Covid-19 in order to improve the pain points in their operations. Simultaneously, banks should ensure that their existing risk management frameworks, business continuity plans, and third-party dependency-management are implemented consistently within the organization.

How will these changes affect the FRC function?

There are three distinct challenges: risk culture, roles and responsibilities and risk assessment.

Risk culture includes setting standards and incentives for professional behavior. Roles and responsibilities refer to explicitly delineating the roles and responsibilities of the board and senior management, as well as the Three Lines of Defense, by which we refer to a widely used model for managing risk. Risk assessment comprises choosing and setting up the tools to identify and assess operational risks (e.g. event data, self-assessments, and scenario analyses). Responding to these challenges can require fundamental changes both operationally and institutionally.

At Capgemini Invent, we have many years of expertise in helping financial institutions ensure regulatory compliance across all corporate functions on a global level. We have drawn on this experience to develop enhanced risk management solutions to tackle the three key challenges:

Risk culture: The concept of a risk culture should be a core part of a company's strategy. Firms need to establish a mature, preemptive risk culture to better manage their risks and reduce the risk of failure, even when dealing with extreme and unexpected events. Building a risk culture is a dynamic and ongoing process that enables organizations to thrive resiliently in an uncertain and constantly changing environment. Getting this right can create a competitive advantage by providing the agility to navigate quickly and efficiently through unfavorable conditions, whether external or internal to the financial industry. Find more details about our preemptive risk culture concept in our Risk Culture Blog.
Roles and responsibilities: Understanding both current and future roles and responsibilities in an organization is the first step in a business optimization process. Organizations need to be clear about their degree of compliance with the recently introduced Basel Committee on Banking Supervision (BCBS) requirements. To support our clients with this, we have developed an extensive governmental and organizational assessment that provides guidance on ensuring a compliant corporate structure. The Capgemini Invent Governmental and Organizational Assessment uses customized questions to examine any compliance gap and helps to prioritize remedial actions with the key stakeholders.
Risk assessment: The BCBS formulated specific risk management measures as part of its ICT principle, including access controls, critical information asset protection and identity management, to ensure that appropriate risk mitigation strategies are in place. ICT, and cyber security in particular, sits within an evolving threat landscape. A recent study highlights the extent of the average losses for different types of incidents across different economic sectors, as visualized in the diagram below:

[Figure: Cyber incidents and their total losses]

An intelligent response

At Capgemini Invent, we have created and use various empirical and analytical tools with enhanced visualization, such as our Incident Management Tool. This tool supports the identification, capture and analysis of risks, as well as the definition of next actions. It enables our clients to proactively address potential vulnerabilities, respond to risks faster, and prevent further incidents. Furthermore, the Incident Management Tool provides a dashboard with customizable outputs to track and report incidents. It is compatible with the latest technologies, such as natural language processing, optical character recognition and machine learning. You can find more details about our Incident Management Tool and best practices in our Incident Management Blog.

Inventive Finance, Risk & Compliance from Capgemini Invent helps Finance, Risk and Compliance teams in the financial sector address critical challenges. This article focuses on operational risk.

Stay tuned for further updates on the PSMOR and POR by Capgemini Invent.

This blog is authored by Erekle Tolordava, Dr. Rita Motzigkeit and Kerem Cigerli.