Baringa Partners’ Operational Risk Report


Post on 14-Jun-2020

Executive summary

The results show a wide range of management tools are currently deployed and highlight clear areas for development and improvement, particularly around the use of risk self-assessments and Key Risk Indicators.

Faced with growing regulatory pressures, shrinking budgets and increasingly sophisticated cyber-attacks, functions are becoming more resourceful in their efforts to keep critical processes and services up and running.

Senior executives, including heads of operational risk, directors, and group leaders at the world’s biggest asset management, banking and insurance firms also noted the challenge and opportunity of balancing rapid technological change with heightened regulatory expectations.

Communication, transparency, and fostering a top-down culture of corporate responsibility and ethical conduct are considered the best ways to move business forward, but survey responses indicate these changes are difficult to execute in the short term.


Operational risk teams clearly understand they must better utilise resources and improve the flow and quality of information to management, as this allows for more effective decision-making at C-suite and board level, as well as strengthening the feedback loop.

Against this backdrop, we have identified several key challenges which we believe firms could benefit from addressing:

- Transforming management information and associated governance
- Improved controls rationalisation
- Implementing a single IT operational risk system of record
- Capturing and strengthening risk culture
- Adopting/improving controls automation

Baringa Partners’ Operational Risk Report explores the top operational risks and resulting key themes in the financial services industry today.


Management information and governance

More than three quarters of firms are prioritising more targeted and streamlined management information (MI) by 2021, and 58% say their organisation does not have a forward view of risk. There are clear opportunities to refine existing metrics and develop new MI that really focuses on the risks firms are trying to measure, and to review the forums where this information is absorbed, ensuring it is fit for purpose.

Risk and control libraries

Standardisation of risks and controls continues to be a challenge for firms, in part driven by the lack of clarity over the level at which controls should be specified. Meanwhile, 86% of firms have integrated conduct risk into their operational risk frameworks, which brings efficiencies but also brings challenges around managing the different governance frameworks supporting these two risks.

Assessing risks and controls

The lack of a single IT architecture continues to impact on the efficiency of the Risk and Control Self Assessment process, and is an area firms are investing in going forward. At the same time, risk executives are trying to move on from older box-ticking compliance methods to strengthen the risk culture inside their organisations.

Future developments

With cyber risk the top operational risk for 64% of respondents, and the regulatory focus on this over the last year, it is not surprising that operational resilience is a key priority area for firms over the next two years. The continuing regulatory burden also means firms are looking to process automation in order to create capacity and increase efficiency going forward.

The key challenges identified are explored in this report across the following four topics:


About this survey

The firms surveyed provided services across multiple business lines and jurisdictions. As a result, the size of their Operational Risk functions varied considerably, from less than 10 to as many as 600.


[Chart: Business activities undertaken by respondents. Segments: Retail and Corporate Banking; Capital Markets; Insurance; Wealth and Asset Management. Values shown: 20%, 16%, 28%, 36%.]

[Chart: Business activities performed by firms surveyed. Categories: Corporate Finance; Trading & Sales; Retail Banking; Commercial Banking; Payment & Settlement; Agency Services; Retail Brokerage; Asset Management; Insurance. Vertical axis: 0% to 50%.]

The survey contained 31 questions across the following six categories: about the organisation; risk identification and reporting; processes and tools; assessment of risks and controls; and future challenges.

The questions recorded detailed information, for example on the size of operational risk teams, top operational risks and associated Key Risk Indicators, risk and control libraries, the Risk and Control Self Assessment framework, operational risk capital calculation methodologies and key areas of improvement over the next two years.

Our goal in launching this survey was to kick-start the debate and formulate an agenda for improving the future function of operational risk. By highlighting strengths and weaknesses of the current strategies, we hope this report can help executives plan for the future and think about new solutions to help their firms advance.

The data can be analysed by sector, business activity and size of firm, allowing comparison versus peer organisations.

Baringa offers a benchmarking service against this data – for more information please contact us [email protected] to discuss.

In Q4 2018, Baringa Partners surveyed 30 financial services firms, including retail banks, investment banks, asset and wealth managers, and insurance firms, to take the pulse of risk management and consider strategies to help businesses better manage risk and realign priorities to improve risk culture.


Detailed findings


Improving the quality and flow of management information allows business leaders to make more informed decisions, better forecasts, and gives a clear view on how much progress has been made. Operational risk executives recognise the importance of improving this process.


1 Management information and governance

Some firms may need to be more transformational across their metric suite. They must begin this process by firmly establishing the key questions they are trying to answer from their management information (MI), and then determine appropriate assessment factors based on these questions, rather than just looking at available data points, or in some cases pieces of data in isolation.

[Chart: Key Risk Indicators (KRIs) tracked by firms. Horizontal axis: number of KRIs tracked (0-10, 11-25, 25-50, 50+). Vertical axis: 0% to 50%.]

Improving the delivery of crucial information on risk management to boards in the coming 18 months is a major priority for 78% of the firms surveyed.

For some firms that may mean streamlining metrics so that management are able to focus on those that really matter. Our survey showed respondents had varying levels of Key Risk Indicators that they track – from less than 10 to over 50. Too many metrics can increase the risk that management do not interpret key messages and take necessary associated action.

Hand-in-hand with this, organisations need to challenge the governance around their MI to ensure that the right MI goes to the right forums. Almost all participants reported that operational risk MI is being consumed by multiple forums across their organisation. Escalation thresholds for metrics need to be set at the right level for each committee, to ensure that metrics are escalated to the appropriate forum at the right time and each layer of governance serves a robust purpose, rather than repeating or recycling the same metrics and thresholds for all forums.

This chart shows the proportion of respondents monitoring the indicated number of KRIs


Risk appetite statement observations

[Chart: level of agreement (Strongly agree, Agree, Disagree, Strongly disagree; horizontal axis 0% to 100%) with each of the following statements:]

- Statements are set by the board
- Statements utilise both qualitative and quantitative components
- Statements are specific to the risk profile of the organisation
- Statements are monitored by senior management on a regular basis
- Statements are monitored by relevant KRIs
- Statements are cascaded through the organisation
- Statements clearly link to the underlying risk rather than being performance indicators
- Statements provide a clear link with the firm’s strategy
- Statements provide a forward-looking view of risk
- Statements are embedded into business decision-making

This chart shows respondents’ level of agreement with the indicated statements

However, metrics are meaningless unless a firm has adequately defined its appetite, against which it will measure itself. Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.

“How to distribute risk appetite across multiple [diverse] businesses who share the same infrastructure is false precision” said one respondent


Disparate systems and libraries are driving inefficiencies in assessment of risks. Firms need to standardise where possible, as problems will exacerbate as firms look to integrate conduct risk and operational risk.


2 Risk and control libraries

In 2010 the Institute of Operational Risk suggested that firms consider establishing a central operational risk repository to provide a central common risk event and key control library. Whilst this has been an area of development for banks over the last few years, around half of firms surveyed reported ongoing struggles in this area.

One of the drivers for this challenge that we have witnessed is the considerable variation in the number of controls in place at firms. On average firms reported 300-400 controls, but responses varied wildly from less than 100 to many thousands. What this highlights is the challenge in determining the appropriate level of granularity at which to specify controls. A control should be defined at a level that is meaningful, such that it clearly manages the risk that it is being assessed against.

In standardising controls, firms should also consider whether there is scope to rationalise their control environment. A number of tactical solutions have been implemented in recent years in response to regulatory findings or investigations, respondents report. Rather than looking at controls in isolation, reviewing the environment holistically may help identify areas for streamlining, such as measuring the balance of preventative versus detective controls, and considering whether having one negates the need for the other.

Integrating operational risk and conduct risk

Conduct risk has become one of the most important aspects of regulatory compliance in recent years as firms are increasingly pushed to develop new approaches to mitigation.

Although the total annual fines for banks by the Financial Conduct Authority (FCA) diminished in 2018 following the LIBOR-era spike, US regulators are showing no signs of leniency and the FCA is opening more investigations than ever.

Defining a clear boundary between operational risk and conduct risk issues has proved challenging. Given this, and the overlap in the control environment in managing these two risks, 86% of firms surveyed have integrated conduct risk into their operational risk framework.

Although integration can generate efficiencies, it can also provide challenges. A number of firms have developed Compliance-run conduct assessments, which can unnecessarily duplicate the existing Risk and Control Self Assessment process if the scope, purpose, timing and format of these assessments is not clearly defined at the outset. Similarly, firms need to consider how the governance and reporting framework for conduct risk integrates with the risk framework more broadly in order to balance the need to avoid duplication with the need to be able to demonstrate the appropriate management and oversight of conduct risk to the regulators.


RCSA challenges

[Chart: proportion of respondents citing each challenge; horizontal axis 0% to 60%. Challenges shown:]

- Varying granularity of risk controls
- Duplication of risk and controls
- RCSAs not reviewed/updated sufficiently frequently
- Time-consuming process to complete RCSA
- Lack of business engagement with RCSA process
- Risks and controls not assessed by the relevant risk or control owner
- Lack of aggregate view of risks across the organisation

3 Assessing risks and controls

The time-consuming and overly complex nature of Risk and Control Self Assessments risks them becoming a tick box exercise rather than a genuine mechanism for firms to identify and manage the risks they are running.

Risk and Control Self Assessments (RCSAs) are utilised by all firms surveyed. Although there is considerable variation in the granularity and frequency at which these are performed across respondents, almost 100% of firms employ a standardised framework across their organisation.

However, respondents highlighted a number of challenges that they continue to face around this process, which limit their effectiveness. Survey data reveals the most common key challenges firms faced regarding the RCSA process are a varying granularity of risks and controls, the duplication of risk and controls and the RCSA process being time-consuming.

This chart shows the proportion of respondents that recognised each RCSA challenge as a top concern

A single IT architecture for recording operational risk related data would go a long way to easing some of these challenges, and indeed a lack of such a system was explicitly called out by several respondents as the driver for some of these challenges. Unsurprisingly therefore, over half of respondents have committed to this project in the long term, with 51% of respondents citing system upgrades as a priority for the next 12 to 18 months.

However, firms need to ensure that they future-proof their IT investment by considering what additional data they may want to capture in the future, and how they would look to use this. Only 30% of firms surveyed currently have a clear mapping of regulations, policies, processes, risks, controls and events. Firms that are still working to build out this connected view should consider whether the systems and tools they are building will facilitate development of this picture in the future.


Risk culture

When designed well, the RCSA framework should provide a mechanism for the business to proactively self-identify their risks and determine how to appropriately mitigate them. This relies on the business engaging with the RCSA process, but it also relies on a strong risk culture to drive a quality engagement. Respondents highlighted this as an area of continual challenge.

Respondents raised concerns over the RCSA becoming a box-ticking exercise and the reluctance of the business to genuinely engage with the process and openly identify areas of concern.

To help address this, operational risk teams are highlighting the importance of actively engaging in the RCSA process to the business, both through training but also through internal campaigns that target engagement in risk.

As firms move away from just an annual cycle of RCSAs to a more dynamic and ongoing assessment of risks, this enhanced business engagement will become even more crucial. Firms may, therefore, wish to consider looking at ways to test their risk culture on a periodic basis, perhaps via specific risk culture surveys, to identify specific areas that need improving.

“The biggest challenge is getting across it is OK to have a high score and a willingness to show weakness, rather than downplaying risk,” said one respondent


4 Future developments

Operational risk teams are remodelling themselves to protect the business from cyber risks, as they also contend with geopolitical shocks and further regulatory pressures.

As a result, it is perhaps no surprise that 64% of firms highlighted cyber as their top risk in 2018 and almost 50% of respondents ranked operational resilience as one of their top five priorities for the next two years. Those firms looking to expand their operational risk teams over the next 18 months noted cyber and operational resilience more broadly as the key skills that they are looking to develop in their teams.

Top identified operational risks

Operational resilience cannot be achieved in isolation but instead needs to be embedded into existing operational capabilities, to allow an organisation to offer resilient services to its customers and other interested parties. Firms need to look more widely than just their technology, premises and operations, but also look at ensuring that resilience is embedded into discussions around business change, supplier management and data security. Resilience needs to be on the agenda at the top of the house, with the Board actively involved in discussions weighing up resilience vs cost, but this needs to permeate through the organisation. Firms need to ensure they have a culture that values behaviours that support resilient outcomes, and people with sufficient skills and knowledge to maintain resilience.

Cyber risk has been an area of recent regulatory focus, with the Senior Managers and Certification Regime placing accountability for hacks or glitches on C-suite individuals. Last year the Bank of England set out that the Financial Policy Committee was establishing its tolerance for disruption of financial services from cyber incidents, and the European Banking Authority launched a consultation on its draft Guidelines on Information and Communication Technology and security risk management.

[Bar chart of operational risk types: Cyber risk; Regulatory risk; Conduct risk; Data security risk; Outsourcing risk; Fraud risk (internal and external). Vertical axis: 0% to 100%.]

This chart shows the proportion of respondents that recognised each risk type as a top concern


Over the last 18 months firms have had to contend with several overlapping regulatory initiatives, including MiFID II and the General Data Protection Regulation. In the face of such regulation, the ever-expanding control environment provides an opportunity to apply automation to high-frequency processes. Such automation was highlighted as a top five priority by over 50% of firms.

We have seen firms successfully implementing robotic process automation (RPA) across a number of different processes, including production of client disclosures, pre and post trade controls, transaction reporting and management information generation. Such automation can reduce costs and create capacity so that staff can focus on those tasks where they best add value, as well as reducing errors and ensuring more accurate and timely reporting.

Upcoming priorities for the next two years

[Word map. Terms shown: Automation; Management information; Documentation; Roles and responsibilities; Operational resilience; System enhancements; Process mapping; Conduct risk; Risk and control library; RCSAs; 3LOD.]

This word map shows the level of prominence of upcoming operational risk related priorities as recognised by respondents


Conclusion

In light of these ongoing regulatory demands, growing cost pressure and an ever-expanding control environment, firms need to look for opportunities to streamline their processes and rationalise controls where possible, or risk duplication of effort. To this end, firms are investing in streamlining their IT architecture over the next 12 to 18 months, to provide a single IT system for managing operational risk – one that captures risks, controls, processes and events in a single place.

Firms are also looking at other avenues for driving efficiency, including the adoption of robotic process automation. Whilst process automation has been successfully implemented across a number of Front Office and Finance processes, to date we have seen little utilisation of automation by Risk teams.

Over the course of the next year it will be interesting to see how responses to the following develop:

- How will conduct management information evolve and what new ways will firms look to leverage to measure conduct?
- Will the costs of control continue to rise, or will firms rationalise their control environment?
- Will the management of operational risk and conduct risk continue to converge?
- What percentage of firms will have deployed a single IT system for the management of operational risk?
- How will firms’ risk culture evolve over time?
- How will firms embed operational resilience across their organisation?
- How will Operational Risk functions leverage the benefits of automation?

We hope that you have found this summary report of interest. We will contact all survey respondents to arrange time to review their custom benchmark report. If your firm did not take part this year, and you would still like a benchmark report to be produced, then please do get in touch ([email protected]) and we will share with you a template in which to provide your offline survey responses for comparison.

Our inaugural survey highlighted a number of challenges that firms are facing across the financial services industry. Some of these challenges, for instance those around standardised risk and control libraries and the Risk and Control Self Assessment process, are ones that the industry has been grappling with for some time. However, the challenges have become more acute as firms are forced to balance existing requirements around operational risk with new regulatory demands around the management of conduct risk and operational resilience.


United Kingdom: +44 (0)203 327 4220

For more information please contact us via:

[email protected]

baringa.com

This document: (a) is proprietary to Baringa Partners LLP (“Baringa”) and should not be re-used for commercial purposes without Baringa's consent; (b) shall not form part of any contract nor constitute an offer capable of acceptance or an acceptance; (c) excludes all conditions and warranties whether express or implied by statute, law or otherwise; (d) places no responsibility or liability on Baringa for any inaccuracy, incompleteness or error herein; and (e) the reliance upon its content shall be at user's own risk and responsibility. If any of these terms is invalid or unenforceable, the continuation in full force and effect of the remainder will not be prejudiced. Copyright © Baringa Partners LLP 2019 All rights reserved.

USA: +1 747 227 4642

Germany: +49 211 5403-9950

About Baringa Partners

Baringa Partners is an independent business and technology consultancy. We help businesses run more effectively, navigate industry shifts and reach new markets.

We use our industry insights, ideas and pragmatism to help each client improve their business.

Collaboration is central to our strategy and culture ensuring we attract the brightest and the best.

And it’s why clients love working with us.

Baringa. Brighter together.