The future of operational risk: Technology integration for effective risk management in an evolving landscape

Nick WoodsChief Auditor, NatWest

Below is an insight into what can be expected from Nick’s session at Risk Evolve 2024.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

  1. What is the importance of technology integration to ensure effective risk management in an evolving landscape?

The key to implementing an efficient, effective risk and control framework is to make it easy for users.  Effective risk management relies on everybody across the organization playing their part, whether that is assessing risks, operating controls, identifying issues or many other roles.  These roles need to be performed consistently by a large number of individuals, each of whom has a busy day job.  In order to do this, the technology needs to support the actions that we, as risk professionals, are asking people to take.  The simpler we can make it, the more likely colleagues will be able to execute these tasks effectively and consistently. If we ask our colleagues to operate complex manual workarounds, the chance of success is significantly reduced.

2. How can financial institutions look to incorporate advanced technology solutions into operational risk frameworks?

Large parts of operational risk rely on consistent, high-quality information being available. In every firm I’ve worked at, a huge amount of time and effort is spent manually manipulating data into a particular reporting format before anyone can do what really matters, i.e. interpret what the data is telling us.  In one previous firm, we worked extensively with the software vendor to (i) have the RCSA process significantly automated so the focus could be much more on the outputs than the process and (ii) standardize and automate risk and controls reporting into a standard Control Book for all parts of the firm.  In both examples, we were able to significantly reduce the time taken to provide information, whilst also improving the quality of information to drive the right risk-based conversations.

3. How can technology be used to produce dynamic, real time operational risk outputs?

Until now, the focus has been on developing consistent, standardized risk and control outputs, simplifying reporting, and driving consistency and automation to reduce the amount of manual input required. The next step will need to move from inherently backward-looking reporting to real time dashboards and more forward-looking metrics.

4. What impact does an AI-driven operational risk landscape on the role of risk managers?

AI opens up many opportunities for risk managers.  Performing read across from incidents, ensuring lessons learnt can be implemented across the estate are just the beginning of what will be possible going forward.  All of this will continue to rely on consistent reliable data.  More broadly, AI is likely to change the role of risk managers to focus on how the AI is being used, and interpret what it is telling us, reducing the amount of time spent on many of the traditional operational risk processes.  This will mean risk managers should be able to spend more time actually managing risk, rather than executing processes (reporting, updating risk and controls assessments etc) which allow us to manage risk.

5. Why is it important for financial institutions to identify and map vulnerabilities beyond their own boundaries?

A key part of a risk manager’s job has always been to consider what is going on externally and ask the question “Could that happen here?”.  In today’s world that’s no different, whether considering traditional operational risk incidents and cyber vulnerabilities, or conducting events across the industry.  Macro events can impact many financial institutions and all firms can be vulnerable to these.  This can include trends in cyber-attacks, changes in the external fraud landscape, changing regulations, and more b=besides. The list is endless.