Operational risk – Getting the fundamentals right

By Elena Pykhova, Denis Lyons and George Clark, Senior OpRisk Professionals from the Institute of Operational Risk.

George, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

George has over 40 years' experience in the financial services sector, ultimately leading both business and risk functions at a senior level in a large international bank. Since 2007, George has worked as an independent consultant, leveraging his experience in operational risk and compliance. He has worked with some of the industry’s leading financial services firms, gaining international experience in Africa, Australia, New Zealand and the Netherlands.

George is the current Chair of Council of the Institute of Operational Risk and was one of the founding members in 2004. George has also held the IOR positions of Co Secretary and Chair of the Executive Management Committee.

Aside from leading the Institute, the current professional focus would be on developing research in Operational Risk and on what the future holds for the discipline and the people who work in it.

Elena, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I feel passionate about the discipline. Over the years, I had global, regional and Business-specific Operational Risk Head roles at various international firms, and now run my own company. Operational risk is very dynamic and it’s exciting to be part of it. I lead discussion and working groups and oversee papers on ‘good practices’ in my work as chair of the Operational Risk Committee at the Association of Foreign Banks. At the Institute of Operational Risk I look after the IOR’s Educational portfolio, exciting times as we have just launched a new professional qualification.

Denis, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I am an operational risk specialist, having “converted” to Operational Risk from Credit Risk in 2002.  I have worked in many banks and other financial institutions, as well as a number of years at the FSA.  I am now a self-employed consultant currently working with a US consultancy in a major European bank.  Previous missions have been an interim & project role at a wealth manager, where I redesigned the risk framework and restructured the risk organization, and a project role at a futures and options clearing house to support their RCSA efforts.

At the New Generation Operational Risk Europe Summit, you will be speaking at the Pre-Event Masterclass. What can attendees expect to learn at this Masterclass and why is it important that they do?

George: It’s a wonderful opportunity to hear from a diverse group of experienced practitioners and to have conversations with like-minded people. Any conversation across risk peers is worthwhile as it never fails to either reaffirm that you are not alone or that your current practice is sound. The resultant confidence boost shouldn’t be underestimated. Similarly I have never attended events such as this and not taken away some insight or idea that then improves my opportunity to think or to do something differently. Given the speakers and agenda topics, and whether you are new to the discipline or highly experienced, I think the opportunity for new ideas and conversations is a given.

Elena: As a practitioner, I am keen to share my experience, tips and hints on what works and what doesn’t and generate a good discussion. As we know, the regulation is not prescriptive and it’s the exchange of practical ideas that is most important. My focus for the day will be on Operational Risk Losses and Near misses – our core tool that nevertheless is changing and improving itself as we gain more knowledge and experience.

Denis: I will be presenting a Masterclass on Risk Assessments.  I will be taking a high level look at the various ways in which risks can be assessed; I will also be considering the main challenges facing professionals in delivering value from the assessments and exploring ways in which this can be achieved.

Can you give an overview of the key things to consider as an operational risk manager on a day-to-day basis, and how / what they should be involved with within the institution / firm?

George: The role is many things: policeman, subject matter expert, trusted advisor, coach, educator, salesman, relationship manager, conscience, influencer, and psychologist and on and on. Whatever the demand however, at its core there is a need to be a credible and professional practitioner that understands and can talk the business language and objectives. It is critical that risk understand how and where they can make effective interventions and contributions in the service/value/profit chain that help deliver organisational outcomes, safely and in appetite.

Potentially there is nothing that they shouldn’t be involved in, from strategy to control design and testing. A core challenge is not simply being seen as a technical expert on frameworks but an organisational contributor that makes a difference at whatever level you currently sit. How risk is managed and how business leaders use the toolkit and frameworks should be more important for the risk manager rather than simple conformance.

Elena: The so-called ‘use test’ for me is the key part of operational risk management. Designing practical tools that truly help and not hinder the Business (i.e. Divisions, Departments, etc) to articulate what ‘keeps them awake at night’, assess their control environment and identify the areas where actions are needed.

Denis: The main thing is to remember that risk management may not be what everyone in the organization is thinking when performing their roles, even though they should! The challenge of getting people to recognize the value in embedding risk management into what they do. An operational risk manager will always need to be someone who can understand how things work and happen very quickly – they must be able to go up a steep learning curve very quickly. Knowing what is happening in the business at all times is important – the coffee machine conversations can be extremely useful. I used to spend a fair portion of my time walking the floor and chatting to people.

Can you explain to our readers how financial institutions can best manage loss data as a core operational risk tool and its changing nature following the introduction of conduct risk?

George: Data is data, hence the introduction of conduct risk or indeed any other risk “type” makes little difference to the core inherent challenges of data: completeness, quality, biases and heuristics that influence its capture and interpretation, application of expert judgment in its interpretation and use, applicability to current business structures, systems of record. Experience and research show that time spent on education and training users on the why data is collected, what it is used for and how to do it within the specific area is a key success factor.

Elena: With the introduction of Conduct risk, some firms have chosen to create conduct-specific risk assessments and breach/incident escalation processes. In my view, Operational Risk tools are well suited for the identification, assessment and management of all Operational risk ‘sub-types’, including conduct, cyber and others. At the session, we’ll discuss what enhancements may be needed to the Operational Risk Losses & Near Misses process to accommodate Conduct risk management.

Denis: One important use of internal loss data for an operational risk manager is for back-testing the assumptions made in the risk assessment – in the light of events, should the evaluation of the effectiveness of the controls be reviewed? This is something that is not done routinely but would add extra value to the risk assessment process. Loss data can be used to support any areas of Operational Risk – including newly identified “hot topics” such as Conduct Risk.