Q1 – Ellen, thank you for taking the time to speak with us. Please can you tell our readers a little bit about yourself and your experience in operational risk?
Certainly. Very happy to do so. I am an accomplished executive and attorney with over 25 years of experience in risk management, compliance, and legal leadership. I have established a strong and consistent record of advocating for initiatives that transform organizations and ensure operational excellence. Most recently, I served as EVP and Chief Risk & Compliance Officer of AST, where I directed all corporate compliance and risk (including operational risk) functions throughout the U.S. and Canada, leading a senior executive team composed of CCOs, CROs, AML officers, and privacy officers. Prior to joining AST, I advanced through increasingly responsible Senior Counsel roles with the New York Stock Exchange (NYSE) and the Financial Industry Regulatory Authority (FINRA), implementing prudential, risk-based regulatory principles.
Q2 – We look forward to your presentation at the upcoming Risk Americas 2017 Convention where you will review risk framework requirements. Why do you believe operational risk should be raised to equal visibility with credit and market risk?
Thank you. I am looking forward to participating in the Risk Americas 2017 Convention. It is an exciting time in the evolution of risk management. As the discipline continues to evolve, an increased focus on operational risk (otherwise known as non-financial risk) is a natural step towards maturing into a true enterprise risk management practice. Risk management, at its very core, may be defined as managing uncertainty. That means all reasonably identifiable uncertainty – financial as well as non-financial. Organizations are realizing that non-financial risk (including but not limited to fraud risk, information security risk, business continuity risk, regulatory risk, reputation risk, and strategic risk) may just be the biggest uncertainty on their horizon. In addition to stress testing and other financial risk identification and mitigation tools, it is imperative to have a framework that includes appropriate tools to identify, prioritize, mitigate, report, and measure operational risk and tie it into a well-vetted and strategically-based enterprise-wide risk appetite statement.
Q3 – Where does operational risk management fall in the enterprise risk management framework?
Operational risk management is an integral part of the enterprise risk management framework. As I mentioned, operational risk management is the identification and mitigation of non-financial uncertainty. It exists in correlation to credit risk and market risk and must be addressed holistically in order for an organization to achieve its key strategy elements – those factors most critical to continued success.
Q4 – When reviewing the enterprise risk management framework, why do you believe it is important to look into definitions, categories of risk, and the three lines of defense?
Effective enterprise risk management is a holistic concept. In order to manage uncertainty (both challenges and opportunities), it is important first to be able to name that uncertainty or risk. Only when you have appropriately identified risk can you prioritize it. Each organization is different. Each organization defines the factors most critical to its continued success in a way that is unique to that organization. Once those key strategy elements are defined, they must be prioritized. Each organization categorizes the risks of doing business and prioritizes them by establishing appetite statements, which can change over time. Appropriate controls must be put in place to mitigate the categories of risk that have been identified. Each of the three lines of defense (business units, risk management & compliance, internal audit) has a role to play in risk identification and mitigation. The tone at the top of the organization, including the Board and executive management who should embrace the independence of the second and third lines of defense, is essential. So, too, is the buy-in of operational excellence from the bottom up. Personnel at all functions and levels of the organization are key stakeholders in the practice of enterprise risk management.
Q5 – What responsibilities will you look to draw upon in your upcoming presentation, and why?
I will draw upon my extensive career as a regulator in my upcoming presentation, to provide insights into successfully navigating the ever-changing regulatory landscape – in particular, to discuss evolving regulatory expectations concerning risk management. In addition, I will utilize my recent responsibilities as the C-suite executive in charge of North American risk management and compliance to discuss operational risk management best practices at a financial services organization.
Q6 – What risk management requirements will you be discussing and what tools do you believe banks should be using?
I will be discussing board-approved enterprise risk management policies and appetite statements, risk and control self-assessments (RCSAs), operational risk event and incident reports, key risk indicators and key performance indicators, and business-line designated risk officers. Banks and other financial institutions should use all of these tools in their enterprise risk management framework.