Aligning compliance and operational risk departments to better remediate the risks

Jodi, can you please tell Risk Insights’ readers about yourself and your professional experience?

I lead Operational Risk Management for U.S. Bank, having joined the company two and a half years ago. Prior to joining U.S. Bank I was with HSBC for eleven years, most recently as Regional Head of Operational Risk and Internal Control. I started my professional career as a bank regulator, spending 12 years as a bank examiner with the OCC.

You joined us in New York City for the New Generation Operational Risk: Americas Congress, for a panel discussion on aligning compliance and operational risk departments to better remediate the risks. What key talking points were addressed?

Key items I highlighted are those areas where alignment can strengthen risk management – such as aligning risk and control assessment methodologies and terminologies, key risk indicator frameworks, quality assurance monitoring and testing strategies, and standardizing control issue reporting.

We also explored the difference between “aligning” and “integrating”, and where one may be favored over the other based on an institution’s structure or risk profile.

What are the key benefits of aligning operational risk and compliance, and what is the impact on managing the department?

Clear benefits exist with implementing and embedding disciplines in the first line of defence. With more aligned frameworks and policies, the first line can get more traction and manage risk using uniform tools and techniques.

In my view a large bank still needs distinct compliance and operational risk functions, but risk identification, monitoring, control, and reporting should be aligned in a common risk management framework and uniform policies. Departments need to work together, sharing tools and resources.

With a more unified operational risk and compliance team what challenges arise in terms of governance, oversight and controls?

Oftentimes the banking regulators have different exam teams for compliance than for operational risk, as well as different handbooks and expectations. A bank needs to ensure it meets individual risk category expectations while aligning to enterprise frameworks and methodologies. This can sometimes be challenging, as there may be differing priorities and uses for common tools. From a governance perspective, too broad a focus can also water down a committee discussion, where details and granularity are sometimes important. For oversight, there are clear expectations for Compliance Risk Management systems as evaluated by the CFPB; one needs to ensure that the Compliance program accounts for all of the elements in a clear and distinct manner.

How do you see the role of the operational risk professional changing over the next 6-12 months?

I see the level of scope continuing to broaden, encompassing cyber risk, business continuity, third party risk management, fraud, physical security, data governance, information technology, and all things that touch the internal control environment.