By Lin Lu, SVP, Enterprise Operational Risk Officer, Freddie Mac.
Lin presented at our Risk Americas series. Find out more about the upcoming Risk Americas Convention by visiting www.risk-americas.com
Lin, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I started my career as a loan underwriter and had the opportunity to work in Europe, Asia and the Americas at institutions including China Construction Bank, British Petroleum, Deloitte Consulting, Deutsche Bank and most recently at Freddie Mac. Over the course of my career, I’ve led large-scale strategy and transformation across a diverse portfolio including business development, information technology, regulatory compliance, information security and enterprise risk management. Currently, I am leading enterprise operational risk at Freddie Mac. My focus is to advance the operational risk framework and embed operational risk management effectively and efficiently in business activities across the Firm. The goal is to enable our businesses to gain competitive advantage and achieve business objectives through world-class risk and control capabilities.
You have had extensive experience in risk management throughout your career. Do you see today’s risk environment differing from just a few years ago? How is it changing?
The risk factors have evolved profoundly. This is driven by the fundamental shift of the operating environment, where technological advancement, customer demand, the threat landscape and regulatory expectations are changing constantly. In our increasingly connected, complex and fast-paced world, operational risk has emerged as a core risk discipline and has become increasingly critical for business viability.
Boards of directors are focusing more on key operational risks and enhancing their oversight on this front. Businesses are embedding operational risk management in daily decision making and aligning it with their strategic objectives. Relatively speaking, operational risk management is immature compared to financial risk such as market risk or credit risk. Companies are investing significantly to build out capabilities so that they can manage such risk effectively and at scale. We will continue to see enhanced risk governance and risk management frameworks for operational risk within financial services, as well as other industries, as digital transformation is catching on with speed.
The topic you presented at Risk Americas 2018 refers to integrated operational risk management and its importance for businesses. What do you mean by that?
When I say operational risk, I mean it in a broad sense. It includes all non-financial risk types arising from the operating activities of a company. Whether it’s having a resiliency plan in the event of business disruption or destruction, implementing security controls to reduce the risk of payment fraud, implementing a KYC process to ensure compliance with regulations, or evaluating financial reporting accuracy, it all falls under the umbrella of operational risk. The same goes for third-party risk, conduct risk and technology risk.
These risks are interconnected and cannot be looked at in isolation. For example, a natural disaster could result in operational losses due to a company’s own operational capabilities or its supply chain, and it could also have an impact on credit and counterparty risk. Payment fraud risk could be managed by enhancing information, technology, process and people controls internally and at critical third parties, which in turn could help improve payment resiliency capabilities and reduce information risk. A cyber-attack could result in the risk of failure to protect information assets or disruption of critical business operations, which may have a major impact on liquidity and revenue in the end. Not to mention the reputational impact due to any of these operational risk events.
Businesses that can identify, measure, control and manage operational risk in a holistic and effective fashion, and integrate risk-based decision making in the regular course of operating, will have a much better chance to achieve strategic objectives in a safe and sound manner. It will solidify the trust of all stakeholders, and trust is the most important competitive advantage in the digital world.
What are some trends you are seeing in operational risk?
There is a lot happening in the operational risk space. I would highlight a few broad themes:
First is further enhancement of risk governance. After the initial implementation of the three lines of defense model, financial services firms are making further adjustments to how the model works. There are increased efforts to improve risk and control capabilities within front line functions, and to bring more clarity to the second line’s independent risk oversight role, with elevated status. More and more Chief Risk Officers will have direct reporting lines to the Risk Committee of the Board, in addition to reporting lines to CEOs.
Second is the push for consistency and integration across risk types. There is a big movement towards applying a consistent risk framework across all operational risk types, including compliance risk. It allows the company to connect the dots better, prioritize risk response plans based on a holistic risk profile, and execute more efficiently through unified methods and processes.
Third is increased emphasis on systematic risk identification and measurement. Risk appetite is being deployed in the operational risk space using both qualitative and quantitative measures. Companies are looking for ways to improve risk identification so that material risks and their respective risk responses can be transparent and managed in a timely and sufficient manner. Risk visibility is essential here.
Last but not least is innovation. As companies continue the march of digital transformation, key risks increase in new forms, particularly pertaining to threats related to data, information security and resiliency. Risk teams are paying close attention to these new areas to understand the risk implications, while at the same time increasingly leveraging innovations such as big data analytics and machine learning to reduce risk data collection efforts and increase risk analytics.
Integrated operational risk sounds like the way to go. What recommendation would you have for anyone who is interested in building that out?
There are many ways to build out integrated operational risk management. The implementation would be a multi-year journey, depending on the organization’s size, complexity and risk management maturity. I would highlight a few key success factors as follows: Treat the operational risk management program like a continuous business process to be operated, refined and innovated, not a project with a start and end date; Keeping up with industry trends and being open to change are key points to take into consideration; Embed operational risk within a robust governance framework and in the front line; Secure “tone from the top”: a clear message from the Board and C-suite will help tremendously; Have a vision of what you want the operational risk management program to achieve, and work towards it using a consistent framework and through close collaboration with key stakeholders; Communicate well and often to key stakeholders, tailoring the message to the audience so that it is beneficial for them and the program; Execute a well-designed training and awareness plan for the framework rollout; Build skills and expertise in both the front line and the independent risk oversight team. The key is to have a diverse portfolio of knowledge and skills spanning risk types, analytics, business knowledge, and risk and control management.