Ahead of the Operational & Enterprise Risk Management Congress, we interviewed Theresa Reynolds, the Director of Operational Risk Management Validation at Capital One, on her insight regarding the 2nd line of defense.
Theresa, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
I have over 18 years of Financial Services industry experience with time spent in both the First and Second Lines. Today I am responsible for the Operational Risk Management validation program at Capital One. In this role, I have established the methodology used by the many operational risk functions throughout the Company to assess adherence to programmatic requirements as well as overall effectiveness of operational controls.
Additionally, my team is responsible for execution of the testing and validation strategy for Business Continuity, Third Party Management and the broader set of Operational Controls across Capital One. I was previously responsible for the Capital One enterprise-wide scenario analysis strategy and methodology from design to execution, where we created an industry-leading, data-driven process to support comprehensive, transparent estimation of losses through my scenario analysis leadership. I have also spent time in risk and operations areas in the Credit Card Division at Capital One.
What are the considerations that need to be made when setting parameters for operational risk?
Today, with so much focus on Regulatory Compliance, companies have to be very careful to ensure attention remains on the cause of compliance risk, which is generally an operational breakdown. If we focus upstream on all the ways our companies are exposed to breakdowns through our people, processes and systems, then operational risk feels incredibly broad. I would say the biggest emphasis shift I’ve seen recently on broadening our boundaries is to ensure Cyber Security is not just considered by our technical information security teams, but by the broader operational risk program. There are so many drivers to these big risks like Cyber, Consumer Compliance, Sales Practices, etc. that our view of operational risk needs to continue to expand.
In your experience, what is the best practice for reporting to senior managers? And have you got any advice for your fellow peers?
It is important to have broad reporting that goes to senior levels of your organization. Bring the operational risk story together in a way that clearly shows the breadth of the oversight and helps the consumer of the information be able to make risk-based decisions based on the total story. If we let Tech guys, Fraud gals and Ops folks tell their stories individually, then we never enable our leaders to understand the full impact of operational risk and make resource tradeoffs that encompass all of that risk.
At the Operational & Enterprise Risk Congress, you will be speaking on: “2nd line oversight responsibilities”. Why do you believe this is something that needs to be addressed? And what can risk professionals gain from this insight?
With the OCC’s Heightened Standards we have gotten some clear guidance on the expectations of the second line. While we now know that the 2nd line is expected to provide an independent assessment of risk-taking activities in the first line, the ‘how’ that gets accomplished can vary. I think sharing best practices across our institutions can promote quick learning and drive increased efficiency in the way we choose to execute on our roles.
What challenges face the 2nd line of defense across the lifecycle of products and execution?
A major challenge is visibility into the many products and processes across an institution coupled with the necessary depth of knowledge required to effectively challenge risk taking within them. The second line has to be sure there are robust risk assessment practices in place to help fully flesh out the risks of the products and practices before they can think to challenge them. The next step is to find a balanced approach where the second line can challenge areas across the lifecycle of products and practices where it is most important, knowing they can never achieve 100% coverage. Honing our risk-based approaches to challenge will be a major key to success as the need for that challenge continues to grow.
What does the future look like for the Operational Risk Professional right now? And what changes or problems do you see on the horizon and theoretically, how would you tackle these?
The future gets more and more exciting. With the shift away from AMA, we are focusing more than ever on driving heightened business value in the risk management practices we instill within our institutions. This is where we, as risk professionals, need to spend time understanding our business partners’ needs and finding ways to act as trusted advisors and thoughtful partners in meeting and exceeding those needs. Specific expertise is more and more critical as our risks such as Cyber and Fraud continue to grow and change. Our roles must expand to meet the growing and changing need of our business partners. I would recommend continuing education, embedding yourself in first line processes where possible and staying abreast of industry events and using them as springboards for meaningful discussions at your institutions.