Can the operational risk ‘umbrella function’ provide more value to financial services?


By Mark Cooke, Global Head of Operational Risk, HSBC.

Mark, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Like I suspect many individuals in Operational risk, I’ve had a somewhat diverse career, one that started in professional services, training as a chartered accountant before moving into functional and business aligned roles, in both Wholesale and Retail financial services. The last 14 years of which have been in Risk roles, both as a Chief Risk Officer for a Global Business and now as the Global Head of Operational Risk for HSBC.

My experiences have often revolved around ‘behavioral engineering’, most latterly as being the means to establishing a consistent, robust and efficient approach to managing risk in large and complex organizations. My current focus is centered around the adoption and alignment of approach to managing and controlling a diverse set of non-financial risks, be that financial crime, legal, regulatory, cyber, technology, etc., while at the same time developing analytic capabilities, looking at new technologies, to deliver benefits in terms of being both more effective and efficient in the risk management of our various businesses.

At the New Generation Operational Risk Europe Summit, you will be speaking on your insight regarding the operational risk ‘umbrella function’ and if it can provide more value to financial services. Why is this a key talking point right now?

Financial services organizations face a myriad and diverse set of threats to their strategic aims and commercial objectives, beyond that of their traditional areas of risk management expertise, such as credit, market and liquidity (often referred to as the ‘financial’ risks). It is essential to have a well-structured and consistent approach to managing the other risks beyond the traditional financial risks and it is here that operational risk can provide considerable benefit to their organization. That value comes from providing overall leadership as to approach, standards, tools & systems, along with the overall risk aggregation, providing the ‘umbrella’ that allows the effective management of the specialist areas of operational risk such as regulatory compliance, cyber, legal, financial crime, accounting, conduct etc. This makes it simpler and easier to manage risk within the businesses, avoiding multiple and duplicative approaches, that is both confusing to management, inefficient and invariably not as effective in terms of risk management.

Can you give a brief overview of the importance of driving a sound risk management culture? And have you got any advice for your peers?

Culture and behaviors go hand in hand. While frameworks and risk management systems are important, these mechanical processes do not deliver the desired outcome in isolation. Ownership, understanding, and engaging the expertise and judgment of the individuals in the organizations is at the heart of sound risk management. It is for that reason that so much of my functional effort has been on ensuring focus on the roles that are essential to managing our most material risks, along with the individuals and the responsibilities associated with their roles.

It has been critical to improving the risk management culture, to explicitly engage the right individual in the risk management approach and practices, creating transparency as to who owns the risk, who is responsible for the key controls and who provides the specialist oversight of that specific risk (the second line).

Without giving too much away, how should financial professionals manage their risk management agenda, ensuring it aligns with the greatest systemic threat?

Whatever the expertise or the risk type being considered, that agenda needs to be connected to the business and functional teams that deliver the products and services day in and day out. Risk management is a contact sport, it needs partnership and working together to get good outcomes. The action is not in the ‘ivory towers’, it’s at the coal face of delivering the product and services that meet our customers’ needs.

What, in your opinion, does the future hold for operational risk professionals, and how can they keep up with the increasing change?

The future is very bright for those who can engage with their colleagues, provide leadership on how to better manage a very dynamic and diverse set of risks as part of helping build better, safer and sustainable businesses, that avoid the failures that we have seen in the past. That requires the operational risk professional to be connected with the business, strategy and with an outward view to the external environment that we operate in.