By Sean Miles, Head of Operational Risk, Santander Services.
Insight ahead of the upcoming New Generation Operational Risk: Europe 2019 Summit in London (12-13 March).
Sean, can you please tell the Risk Insights readers a little bit about yourself and what your current professional focus is?
I am head of Operational Risk for Santander Services. This covers the back-office operations and technology units of the Retail Bank. I left Oxford University with a degree in Physics and trained as an Accountant at Andersens working in Birmingham and Melbourne. After that I worked as an Internal Auditor, then in Operational Risk at Barclaycard.
My current professional focus is ensuring Operational Risk assessments become more data-driven and more automated, and that we can use AI and Big Data to predict and prevent future risks and events.
What, for you, are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’? What can attendees expect to learn from your session?
New Generation Operational Risk: Europe offers a great opportunity to network and to understand what issues fellow professionals are facing. This will be my third event and I’m looking forward to attending.
I am joining a panel to talk about Vendor Risk; we are living in a world where all critical processes are underpinned by Third (and sometimes Fourth and Fifth) parties. Consequently, only by working in partnership can we ensure all our risks are appropriately mitigated.
In your opinion, how can we look to effectively ensure scenarios, incidents and RCSA fit together?
RCSAs should assess the high likelihood events which could crystallise either low or high impact events. Scenarios are low likelihood, high impact events. RCSAs and Scenarios are two sides of the same coin and should be assessed in line with each other. Both inform the risk profile.
Incidents tell us when a risk has crystallised; it is 100% likely that the risk will occur. They can then be used to back-test the risk and scenario assessments, comparing the likelihood of the event occurring in the risk / scenario assessments. We can then understand why an event happened, what controls happened and then look across what other similar controls could fail under the same strain.
What are the key considerations that need to be made when dealing with changes in internal controls with the increase in technology?
Technology is an enabler and a servant; we shouldn’t allow it to become a master. Technology should make our control environment more effective and simpler. If Technology controls complicate our control environment, create single points of failure or increase risks, they should be avoided.
How can we best manage control testing across the lines of defence?
If we can identify the ‘super controls’ that act as pervasive controls across a business to prevent several risks materializing (such as access management, exception reports, segregation of duties / limits of authority and authorisation levels), we can focus control testing or assurance activity to ensure these are system-based, can’t be circumvented and can operate in a stressed environment. We can then take comfort that most risks are being well-controlled.
Then, we can look at which inherently critical or high risks aren’t covered by the above. The core controls required to mitigate these can then also be tested. Applying the 80/20 rule will enable us to best use testing and assurance resources.