By Colin Last, Director of Risk and Control, Nationwide
What for you are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’ and what have attendees learnt from your session?
The conference gives us a great opportunity to learn from each other, collaborate and share experiences. It also presents us with an opportunity to better understand the future challenges for us as Risk and Control practitioners.
There’s a lot changing in our industry as we become increasingly dependent on technology and manage the complexities of extended and dynamic supply chains along with increasing expectation from our members and those who rely on our services. The ability to network with others facing into the same challenges presents a great opportunity to navigate these challenges together.
Why is it important to have an agile approach in an ever-changing climate?
The way in which we deliver products, services and solutions is increasingly aligned to DevOps and agile ways of working. It’s proven to enable us to deliver Better Value for our members and increase the speed at which we can develop and deliver services to our members whilst ensuring that they remain safe.
The majority of these services are now enabled by technology and so we need to use a technology mindset when operating controls and managing risks. We call this ‘Intelligent Control’; taking a risk adjusted approach to identifying controls that ensure resilience, availability and safety. If that’s to support a payments process or other kind of transaction, we need to understand what ‘safe’ means in that context and ensure that the controls embedded support the delivery of that outcome.
Using this approach, we aim to ‘build the right thing, in the right way’, reducing the number of issues and making the whole process more efficient whilst empowering our people to make decisions on the ground and in real time.
Why is it important to move away from traditional control cycles? And what are the benefits to the institution?
We’re not so much moving away from a conventional approach to ‘Control Lifecycles’, instead we’re adapting and accelerating the way in which we ensure design adequacy of a control, embed it and see its performance in operation.
The steps in the process are much the same but the design of the control and the way in which it is operated is what changes.
One significant difference is the need for a ‘holistic approach’; understanding the ‘intent’ of the control (i.e. to ensure the security of a data transaction) by bringing together the various control domains and working together to engineer the right controls that enable us to build the right thing in the right way.
In your opinion, what are the key benefits of intelligent control?
Intelligent Control enables us to operationalise control. Working with product development teams we’re able to understand the risk inherent in an idea before we commit valuable resource to any development work.
This means that we’re able to take a risk adjusted approach to the work, identifying those control activities that will make the product ‘safe’ and ensuring that they’re embedded and operationalised ‘by design’ and ‘by default’, enabling us to ensure that the value of any investment is realised.
It also means that we minimise risk flowing into our operational environment and work to continually improve, through continuous monitoring, continuous assurance and the ongoing ‘real time’ visibility of a control (and its performance) in operation.
What do you see ahead for the future of technology within operational risk?
The more that we use and rely on technology to support and deliver business operations, the more we need to adapt the way in which we test and provide assurance of the way in which control is operated and its effectiveness in the mitigation of risk.
A key area of focus for us is the way in which we use tooling and automation to operate control activities; this means that we’re able to enable the operation of control at scale and see where controls are operating and measure their performance as part of a continuous assurance cycle.