Operational risk management: Emerging challenges and changing landscape

By Candice Nonas, Managing Consultant at RGP.

Ahead of the Operational & Enterprise Risk Management Congress, Candice shares with us her insight into the ever-evolving operational risk landscape. 

Candice, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Since I began my career in finance I have always worked in investment banking and financial services, all in the area of risk management. Given that I have both buy- and sell-side experience, I understand the challenges that risk managers face from many different perspectives. As you know, I also worked specifically in bank regulatory risk and spent time in Washington DC working for the FDIC.

The combination of my banking and regulatory background is so powerful and valuable to my clients because I can speak both languages. I remember one time I walked into a meeting with our regulators and everyone shook hands and I gave hugs to former colleagues who are now old friends.

Right now I am focused on helping clients manage their most pressing risk issues, and time and again I am called upon to help them understand and meet a regulatory requirement or manage a risk that is operational in nature. The US and non-US bank regulators are united and focused on global financial stability, but they fulfill that mandate in different ways. For our global systemically important financial institution (SIFI) clients, RGP works with them here in the US and wherever they have branches or material entities abroad. Being a global consulting firm means that we have local regulatory experts that help our clients harmonize their compliance efforts across the firm wherever possible. Even our mid-sized bank clients that tend to have less of a global concentration struggle with understanding exactly what the US regulators require or consider satisfactory. We develop strategies to assess where financial institutions stand relative to requirements, then the next step is to help them understand any gaps that the processes uncovered, and finally we deploy resources to help remediate shortfalls.

At the Operational & Enterprise Risk Congress, you will be giving your insight on the changing operational risk landscape, with a particular focus on third party risk. Why do you believe this is a key talking point within the industry?

Financial institutions increasingly engage with third parties to support core business processes, provide critical technology support and conduct direct customer-related activities. Third-party risk is a key talking point as a form of operational risk because financial institutions are responsible not only for their own activities, but also for the actions of third parties acting on their behalf, including vendors, customers, suppliers, partners, contractors, consultants, advertisers, marketers, international intermediaries and distributors.

While these third-party relationships can enhance productivity and add value, they can also be costly and dramatically increase financial and insurance companies’ exposure to fiscal, operational, regulatory and reputational risk, as evidenced by the following recent events:

A credit card issuer with $525 million in restitution and civil penalties because of illegal vendor sales practices
A financial services firm with a $700 million loss due to improper sales practices and identity protection problems within a vendor’s organization

In addition, a recent study found that a third party caused a data breach in more than 41% of the surveyed companies, which led to losses in brand value ranging from $184 million to greater than $330 million.

All of these factors make third party risk management (TPRM) a significant compliance issue for many banks and insurance companies. Indeed, nearly all third-party relationships appear to be subject to greater liability concerns and more regulatory enforcement scrutiny.

How do you see the industry evolving over the next 6-12 months?

In that time frame, which I would call the mid- to short-term, we are going to see more of what we are doing and trying to do today, and that is using technology to make our business more efficient and profitable, and to make the processes more efficient. Banks are in different phases of development, use and adoption of financial technology (fintech), and success or failure varies not only from one bank to another, but within one financial institution.

Of course, we can have an entirely separate conversation about what constitutes success – so if I am using technology that requires a high degree of manual manipulation, then I would have to question the effectiveness of that tool. The use of fintech is going to come through its organic development by banks; or by the first line engaging with a non-vendor third party that supports the business; or we are going to continue to see acquisitions of fintech and regulatory technology (regtech) companies.

As banks bring blockchain, bitcoin, robotic process automation, etc., online; or bring such technology into their core business lines; or integrate it into critical operations, new challenges for risk management will arise. Likewise, regulators will have to keep up with such advancements and ensure that they understand the greater risk implications. It is like turning the knob on a tuner like you did as a kid and watching the bars go up.

How has Basel’s focus on conduct risk and regulatory technology changed the way that operational risk professionals work?

It is not just Basel but it is regulators all over the world that have not “solved for” conduct risk. Of course, given the central role that the Bank for International Settlements plays in global financial stability, many of the regulatory initiatives are discussed in that G-20 forum and then executed by the host regulators in their own jurisdictions.

However, while many banks, both large and mid-sized, report that they have a mature enterprise risk or operational risk management program, we still see failures in the control environment. The breach is either caused by a single individual or a small group of “rogue” individuals, or is the result of collusion in an entire department or business unit. RGP has worked with fintechs, which are more appropriately called regtechs, which have created and are building tools to address regulatory and compliance risk, including conduct risk.

Can you provide an overview of some examples of non-vendor third party risk and why institutions should be considering these?

When a bank or financial institution engages a vendor, that relationship comes through procurement and is vetted through the corporate due diligence process. However, the first line of defense or the business will engage a supplier, partner or service provider directly, and it does not come through the centralized procurement process. The non-vendor third party is attached to the specific business unit and not the bank’s infrastructure.

The best example is what we call a financial market utility (FMU) like the Depository Trust & Clearing Corporation (DTCC), which provides clearing services to the broker-dealer. Institutions have and need to examine the potential future exposure of these relationships, which not only cover operational risk, but business risk or impact as well.

During the legal entity rationalization exercise that SIFI banks had to conduct for resolution and recovery planning, they reviewed every relationship, every contract, and drafted new agreements as a result of modeling the impacts of a stress/resolution scenario.

What would you say is the highlight of your career so far?

When I look back on my career there are many things that I am proud of and consider accomplishments. But I am a builder. I like to create processes and tools that solve problems and improve business. When I reach the top of a mountain it quickly becomes a base and I am ready to climb again.

Cumulatively, the thing I like the most about this industry and my place in it is the people that I have met and formed relationships with along the way. I love walking into a room and being greeted by a warm smile that I have not seen in 10 years.

What do you like to do after a long week at work to wind down?

I consider myself a runner. I like the 5K because it offers the quickest gratification. But I did run the New York City Marathon, I ran a Ragnar Relay, which is where your team runs 200 miles in 24 hours, and next year I am running in the Star Wars 10K at Walt Disney World. I recently picked up trail running because I participate in a lot of Spartan obstacle races and the trails are good training.