By Jimi Hinchliffe, England & Wales Chapter Chair, IOR.
Jimi, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I was first exposed to the concept of operational risk management during my PhD studies which in turn led me to join the Operational Risk Research Forum (ORRF). ORRF was established by Brendon Young and contributed enormously to the thinking on operational risk at the time when Basel and UK regulators were working on the new capital framework. Brendon later established the Institute of Operational Risk. I then joined the UKFSA in 2000 to work on operational risk policy. Having worked for almost 20 years in operational risk and regulation I set up my own risk consultancy in 2016 and have worked with a number of clients on various projects. I’m also Chairman of the Institute of Operational Risk in England and Wales.
At the New Generation Operational Risk Europe Summit, you will be speaking at the Pre-Event Masterclass. What can attendees expect to learn at this Masterclass and why is it important that they do?
It’s a great opportunity for participants to hear from a top-notch group of operational risk professionals in what will be an interactive and engaging masterclass.
The Masterclass will showcase a range of leading professionals from the Institute of Operational Risk (IOR) and will draw on their expertise and experience to provide what should be a highly informative and instructive day. The IOR launched its Certificate in Operational Risk last year and the day will provide insights from that course and draw heavily on the IOR’s Sound Practice Guidance Notes.
With the demise of AMA and the Basel 2 regime that effectively invented operational risk management as we know it today in banking, it is an auspicious time to be considering what the fundamentals are in operational risk management, and the Masterclass will provide the answers.
Can you please give an overview of sound practices within operational risk and regulation?
Fundamentally, operational risk management and management of regulatory risk (which is a subset of operational risk) are predominantly about common sense good management practices. Whether that’s ensuring staff know what their roles are and that they’re overseen by a competent people manager to make sure they’re doing what they’re supposed to (and not doing things they shouldn’t), or that when there is a significant regulatory change, you set up an adequately resourced implementation project so that you aren’t rushing around like a headless chicken at the last minute. Many firms have forgotten the basics, perhaps being entranced by the latest sophisticated modelling techniques – I believe there is a need to get back to basics on these fundamental sound practices and operational risk will deliver genuine business value.
What is the biggest emerging challenge within operational risk and how can risk professionals successfully prepare and overcome it?
The biggest challenge within operational risk continues to be demonstrating business value. The operational risk framework must deliver tangible business benefits through improved risk management and better business decisions, otherwise it becomes a mere compliance exercise. Keeping risk assessments fresh (avoiding tick box), ensuring very active engagement and collaboration between the lines of defence to solve problems, high profile with the Board and senior management, and being an agent for a strong risk culture where everyone sees themselves as a risk manager are key steps to demonstrating value.
What, in your opinion does the future hold for operational risk professionals, and how can they keep up with the increasing change?
There is an inexorable trend in banking to increasing complexity and sophistication, for example in use of financial models and application of AI and robotics. It is a significant challenge for 2LOD operational risk managers to have sufficient levels of understanding to be able to effectively oversee and challenge the operational risk from these areas. It’s also about understanding the limitations of new technology – a major risk is that we overestimate the capacity of AI and robotics and consequently fail to sufficiently control it.
There is a danger that operational risk management as a function will disintegrate into specialist functions, e.g. conduct risk, IT risk, model risk, cyber risk, vendor risk, financial crime risk etc. However, this will lead to an even more fragmented and siloed approach to risk management which is certainly not desirable. Therefore, I believe there will continue to be a role for operational risk generalists but they will increasingly have to engage with specialists and keep up-to-date as far as possible on the changes.