Craig, can you tell the Center for Financial Professional’ reader about yourself and your professional experience?
I have spent 25 years as a risk management professional within consulting, lending, and insurance organizations. I started in a risk rotation program for 3 years before taking roles in commercial lending, risk reporting, portfolio analytics, governance, and currently in Operational Risk Management. My wife and I have moved locations ten times during this period including stints in Poland and Australia. It has been fascinating to see the evolving role of risk management within financial institutions and the common elements and variations of strong risk across financial sectors.
At the 2nd Annual New Generation Operational Risk Congress (October 25-26), you delivered insight on RCSA. How can organizations benefit from better understanding the pros of having an effective RCSA program?
An effective RCSA program is more than just documentation; the benefit occurs in the dialogue about what operational risks are parts of the process and how to appropriately mitigate potential risks. For USAA’s Property & Casualty division, we always include a component of risk culture in our reviews of the 1st Line of Defense’s RCSA’s. These risk culture discussions are not identifying gaps to requirements but how to lay the groundwork for future iterations of RCSAs with an improving risk mindset. To advocate on the benefits of an effective RCSA program, we spent much time in 2016 conducting training with the business to not only inform them of their responsibilities but also how this benefits the company. This training has taken place in large sessions, small staff meetings, and remote discussion.
What would you say are the main components to an effective RCSA program that organizations need to consider when building this up?
In my experience, process owners want to do the right thing and executives want to be good stewards of risk. For me, there are four components to creating an effective RCSA program. First, clear requirements defined by Risk Management will go a long way in helping the 1st Line develop robust RCSA. Second, help the business understand different approaches to the key risks and processes where RCSAs must be established versus lower-ranking risks and processes where RCSAs are beneficial but do not have to be prioritized for the organization. Third, ensure that the business not only develops but provides its own method of testing. Fourth, reporting on RCSA program should be about effectiveness and not just on progress to a timeline.
How can an RCSA program be used to drive strategic business decisions?
At USAA, the RCSA is tied to the outcome of the Process Risk Assessment (PRA) review. Through the PRA, the business reviews the key inputs and impacts of processes at varying levels of details. In aggregate, this allows the business to see which processes are dependent on any given input factor and how multiple processes can amplify impact to the business. The result is a decision on where to prioritize investment whether in technology or staffing.
Finally, how do you see the role of the operational risk manager evolving over the next 12 months in terms of focus?
Stronger RCSAs are a natural component of moving up the risk maturity curve. In insurance businesses, the 1st line has demonstrated increasing knowledge of risk requirements but still have development opportunities. At USAA, we see Operational Risk managers providing more training and coaching while transitioning away from looking narrowly at RCSAs. We anticipate conducting broader reviews of operational risks that can impact the business and working with colleagues in IT and capital adequacy to progress on quantitative analysis of the operational risks within the company.