By Robert Crewdson, Managing Consultant and Rob Murray, Managing Director, BCS Consulting.
Can you please tell the Risk Insights readers a little bit about yourself and what your current professional focus is?
Robin is a Managing Director at BCS Consulting and leads the firm’s Risk & Finance practice within which Robert oversees the Non-Financial Risk propositions; from Risk Management Framework Design to Fraud and Financial Crime Management and everything in between.
We began working together on Non-Financial Risk engagements with a project to help a global bank define a new process-based approach to Risk and Control Self-Assessment. During the subsequent 8 years we have supported a range of organisations to deal with NFR challenges and observed the proliferation of risk management frameworks springing up to respond to them.
Robin is dealing with this first hand in his current role as the Interim EMEA Head of Operational Risk for an international bank.
What, for you, are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’? What can attendees expect to learn from your session?
Conferences like this provide a chance to hear about the challenges that other organisations are grappling with, and learn from the variety of solutions being applied. It is always interesting to hear how other practitioners are handling situations that we face, or the different viewpoints peers have of the same issues.
As the title of our session suggests, we hope that attendees will learn from our crystal ball exactly what the future of operational risk holds…of course, we don’t have all the answers but will draw on our experience of seeing the discipline evolve to present a view of what might be. We will look at topics from emerging risk themes to alignment of risk frameworks and may even suggest some less obvious ideas to keep things interesting.
In your opinion, how can we look to effectively handle the evolving scope and frameworks?
An ongoing theme we have observed at our clients, and across the industry, has been the proliferation of non-financial risk frameworks. An operational risk management framework has often been joined by a framework for financial crime and one for conduct (among many others) that simply ignore the inherent coverage of these risk types by a comprehensive operational risk framework.
The scope of operational risk hasn’t changed, exactly, but there is a need for someone to play the role of coordination and alignment across risk areas and disparate frameworks. The key to handling this evolution comes from closer engagement within the relevant control functions and being cognizant of the impact on the rest of the organization from developing risk management approaches in silo. Gaining buy-in from risk-generating parts of the business remains a key challenge and presenting a risk management approach that is joined-up, doesn’t overlap, and enables resources to be focused based on materiality, can deliver a step forward.
What are the key considerations that need to be made when placing a greater focus on top & emerging risks?
Top and emerging risks represent the top-down view of the threats an organization faces, which should complement risks identified through a bottom-up approach such as an RCSA. The two are valuable barometers of a firm’s risk profile and each should inform the other.
Any focus on top and emerging risks should always be tied back to a robust risk management framework. Identification of an emerging risk should be provided for in the existing framework and shouldn’t drive a knee-jerk reaction to establish a new set of risk management processes. Does the current framework define that new risk as being material, and if so, will that drive appropriate actions?
What challenges and opportunities can you expect the digital revolution to bring the industry?
The digital revolution is posing, and will continue to pose, new questions of how we keep our financial institutions safe. But at the same time, it presents obvious opportunities to enhance our businesses, and transform the way we manage risk.
By increasing digital access to our organisations we have presented new and more remote access points for intruders. Financial institutions historically do not have the skills available to combat these intruders. Meanwhile, organisations and their clients have become increasingly reliant on technology platforms that have seen underinvestment, resulting in both an increased likelihood of failure and a much greater potential impact.
Clearly, there are business benefits to be realised for the firms that best harness the digital revolution, but risk management departments should also be embracing technology to improve performance. This may include more insightful use of existing risk management data to drive decision making or employing artificial intelligence to model external data and inform internal risk profile analysis.
Looking ahead, what operational / emerging risk do you think will keep people up at night?
It may be the obvious answer but, assuming we all make it through Brexit and the associated risks, Cyber is likely to pose the greatest threat. The increasing use of technology to simply do business means that associated risks will obviously materialize. But the nature of cyber risk in terms of speed to execute, speed to evolve, remoteness, and potential event size means that the risk being introduced to firms is increasing significantly and the industry should work together to tackle it.