Role of external content in operational risk assessments



Operational risk programmes cover a wide range of risk topics such as financial crime, technology failure, process failure, misconduct and external fraud. To conduct a fully informed risk assessment, organisations should incorporate information about a risk from both the internal and the external business environment. For example, when assessing the risk “Theft of customer data by external parties”, organisations need to incorporate the following information about the risk from their internal business environment:

  • Business objectives which are affected by the risk
  • Completeness of existing control environment in place to manage the risk
  • Effectiveness of the existing controls in place to manage the risk
  • Previous risk assessments and how these have evolved over time
  • Recent incidents related to the risk
  • Any known issues/vulnerabilities within the existing approach to manage the risk, and details of remediation actions to address these
  • Other information such as performance of KRIs, KPIs etc.

For the same risk, organisations also need to incorporate the following information from their external business environment:

  • Recent incidents within the industry related to the risk
  • Emerging trends or patterns related to the risk
  • Emerging best practices on managing the risk
  • Regulatory developments related to the risk

Only by combining information from the internal and external business environments will a risk assessment reflect a true understanding of the risk and enable an organisation to select an appropriate risk response strategy. In our experience, organisations are typically very effective at incorporating information from the internal business environment but very ineffective at incorporating information from the external business environment. When we have put this question to risk owners in the first line, the responses we commonly get are:

  • “I don’t have time to spend hours on searching for information about the risk on Google”
  • “Google does not organise information by operational risks so even if I want to search it is very difficult to find relevant information”
  • “There is a vast amount of information on the internet on the risk and new information is getting added daily. How can I find what’s relevant?”
  • “I need a summary of the relevant events and emerging threats that are out there that could be relevant to my business.”

Due to these challenges, many risk owners in the 1st line typically use only information from their internal business environment when assessing operational risks. This results in an incomplete understanding of the risk, leading to ineffective risk response decisions.

So what external operational risk information sources are available to risk owners and to 2nd line oversight roles to help them assess operational risks? Below are some of the key sources:

  1. Public loss databases: There are two primary public operational risk loss databases, one from IBM and one from SAS. Both cover operational risk loss events reported in the media. They are typically priced between £8,000 and £35,000 for the first year and between £5,000 and £15,000 in subsequent years. Firms which subscribe to these databases can download regular updates containing information about recent operational risk events in a structured database format. 1st line users can use this content to review the details of recent loss events, loss amounts and descriptions of how each event occurred, which saves a significant amount of time compared with searching for the same information on the internet. In our opinion, every firm which takes operational risk management seriously should subscribe to at least one good quality external operational risk loss database. Our recommendation is to pick from IBM or SAS, with SAS being our personal favourite as it covers incidents across both the financial and non-financial services industries.
  2. Loss data consortia: There are currently many operational loss data consortia available globally. These consortia typically require members to share their operational risk loss data, which is consolidated, anonymised and then shared back with the members. Membership of such consortia can cost between £3,000 and £40,000 annually. Unlike public loss databases, getting access to consortium loss data requires an organisation to submit its own loss event data to the consortium. This can be a hurdle for some organisations, as they may not be prepared to share their loss events externally. Because the loss data must be anonymised so that an event cannot be attributed to a specific organisation, a lot of contextual information about the events is not available in the consortium database; this may include a detailed description of how the event occurred, detailed root cause analysis and details of the controls which failed. Despite these limitations, consortium databases are a great source of valuable loss event information, as the majority of these events have small or medium impacts and hence may not appear in the public loss databases or on the internet. An effective approach is therefore to subscribe to one or two consortia whose member organisations are similar to your organisation’s business profile. Combining a consortium loss database with a public loss database will give you a comprehensive view of external loss events. Examples of loss data consortia include GOLD (from UK Finance), ORX and ORIC. There are also national level loss data consortia in many countries.
  3. Regulatory updates: Various operational risks such as money laundering, data breaches, tax evasion, mis-selling and market manipulation are now also covered by one or more regulations in the countries in which an organisation operates. Managing operational risks therefore also requires information on applicable regulatory obligations and upcoming changes, as such obligations may affect the design and implementation of controls for those risks. Most financial services firms have dedicated regulatory compliance teams which monitor regulatory changes and inform the respective risk owners in the 1st line. These teams commonly use regulatory update services from content providers such as Thomson Reuters, Wolters Kluwer, LexisNexis and Reg-Track. Subscriptions to such services can cost between £25,000 and £250,000 annually depending on the number of countries and regulators covered. Because of the regulatory nature of the content, 1st line risk owners may not fully understand it, so it is preferable for them to receive the information from the internal regulatory compliance team after it has been translated into business context.
  4. Analysis services by external consultants: Some organisations also use external consultants to perform one-off analysis of external information related to specific operational risks. This may include identifying emerging risks and identifying current best practices for managing them. Such engagements can cost between £20,000 and £100,000 depending on the number and seniority of the consultants involved. While this can provide valuable external input, the information collected during a one-off engagement soon becomes outdated, and due to the high cost of this option only large organisations can afford it.
  5. Forward-looking operational risk news service: Risk assessments are forward-looking, and hence it is important to have access to forward-looking external information about the operational risks being assessed. Such information includes emerging operational risk topics, emerging trends and patterns, and emerging best practices. Three years ago, when we reviewed the industry for such a service, we were unable to find any provider of forward-looking operational risk content. RiskSpotlight therefore decided to develop such a service, which is now available as the “RiskSpotlight Portal”. As part of this service, a team of operational risk analysts reviews news articles from news sources globally on a daily basis and categorises them by 126 core operational risks for financial services firms. The team focuses mainly on identifying forward-looking articles but also captures articles related to loss events and regulatory updates. We currently have nearly 28,000 news articles covering five years categorised by these risks within the service. The subscription fee starts at just £49 for one user for a year. We also provide additional value added services for senior operational risk executives for £990, which include a bi-monthly analysis report highlighting key emerging operational risk topics and incidents. You can review the news service for free by registering for a two-week trial (no credit card details required). Over 100 financial services firms currently use the news service to monitor emerging operational risk topics and incidents.
  6. Operational risk magazines: This is a big gap in the external content landscape for operational risk at the moment. There were a few good quality magazines dedicated to operational risk topics, but these were discontinued by their publishers over the last few years, and there is currently no good quality global magazine dedicated entirely to operational risk. There are some journals on operational risk, but their content is aimed at specialists rather than 1st line risk owners. The leading risk magazine provider is Risk.net, which covers operational risk topics alongside other risk-related topics in its publications.
  7. Networking events/conferences on operational risk topics: These are a great source of external information on operational risks, especially from operational risk practitioners in peer firms. Various organisations regularly organise events and conferences on operational risk topics in major cities around the world. The Institute of Operational Risk (IOR) organises a number of events through its chapters globally, and these are free to attend for members; visit the events page on the IOR website to find out about upcoming events. Regarding conferences, we recently attended the operational risk conferences organised by the Center for Financial Professionals in London and New York and found both very useful. Whilst events and conferences provide valuable information directly from peers, they are not always a practical solution, as they may require many 1st line risk owners to take time out to travel to the location where the event is hosted. The fee for attending such conferences may range from £700 to £2,500 per participant, making this an expensive option for 1st line risk owners as well.
  8. Head of Operational Risk Network: UK Finance has instigated a great initiative to create a network of Heads of Operational Risk for financial services firms based in the UK. As part of this, Heads of Operational Risk from various UK firms get together for a few hours every 2-3 months to discuss key operational risk topics, providing a great forum for discussion with peers. If you are interested in finding out more about this or joining the network, please contact UK Finance; if your organisation is a UK Finance member then you can join the network for free. Similar to the networking events highlighted above, such forums are not ideal for risk owners within the 1st line.
  9. LinkedIn groups: While there are a few LinkedIn groups dedicated to operational risk topics (e.g. the Institute of Operational Risk group), participation within these groups tends to be very poor. Having monitored discussions across various operational risk groups over the last 3 years, it seems that operational risk practitioners either do not see value in discussing topics in public or are simply reluctant to do so. The IOR group has over 8,000 members, but still only a handful start a new discussion or respond to existing ones. Considering the wide range of operational risk topics and practitioners, it is difficult to understand why operational risk practitioners do not actively participate in LinkedIn groups.
  10. Search engines and news sites: There is a lot of information available on operational risks which can be found through search engines or by subscribing to general news sites or to news sites dedicated to specific operational risk topics (e.g. cyber risks). However, as highlighted earlier, 1st line risk owners simply do not have the time or the energy to find the relevant operational risk information among the sheer quantity of information available on the internet, making this a very impractical option.

In conclusion, utilising external information is vital for providing appropriate context, content and understanding of risks (as well as scenarios) and of how to effectively monitor and mitigate their impact. Utilising this information appropriately to inform risk assessments is key to their quality and is expected by regulators.

There are multiple sources in the marketplace, and an appropriate combination of them is required to optimise the result. If you would like to know more about how to utilise external news to effectively assess operational risks, please contact RiskSpotlight at query@riskspotlight.com and/or trial our news portal subscription free for two weeks by registering on the portal.
