What does an optimal risk management operating model look like?

Click on image to enlarge

Transforming risk management processes

Many institutions are reevaluating their risk management operating models across lines of defense. Now they’re looking to transform their risk management processes to address specific challenges while recognizing drivers for change.

Challenges to transforming risk management processes:

Click image to enlarge

Opportunities for synergies

In transforming risk management operating models, many institutions are beginning to identify potential synergies across their risk management efforts. These synergies can bring greater transparency and higher value intelligence to management and the board. Synergies can also provide greater transparency of issues and risks, as well as their potential impacts.

Operational risk and compliance capabilities

Discrete capabilities of operational risk and compliance, as well as opportunities for potential synergies between these risk disciplines, include:

To realize the opportunities of synergies, a common and consistent taxonomy is foundational for effective risk management. A definition of terms is considered a leading practice to advance the consistent interpretation, measurement, execution, and reporting of issues and risks within the two risk disciplines. There are five critical data elements where a common and consistently applied taxonomy is crucial: risks, controls, processes, policies, and obligations.

Synergies become most evident when performing a risk assessment, regardless if it is a self-assessment at the first LOD or a compliance assessment performed by the second LOD. The ability to map processes from obligations to policies, and then to risks and controls, can assist in the identification, reporting, and escalation of issues.

Key opportunities for synergies

Click image to enlarge

Options for realizing synergies

Baseline maturity and sustainable processes for both operational risk and compliance functions are needed before real efficiencies and synergies can be considered. A defined vision—one shaped by the tone from the top—is a critical factor for a successful transformation. Also crucial to transformation are identified and effective agents of change with requisite skill sets. As financial institutions explore different ways to realize synergies and touchpoints between operational risk and compliance, some examples of organizational construct include:

Coordination between operational risk and compliance

Streamline processes for risk management requests of the first LOD while having the two risk disciplines remain independent functions.

• Potential advantages: Minimal disruption to people, process, and technology to reduce redundancies and costs and maintain desired independence and authority of respective risk discipline, which enables them to continue to meet regulatory requirements and expectations.
• Potential disadvantages: May not result in optimal long-term operating model objective of supporting cost reduction associated with risk management. Also, there is potential to create confusion between operational risk and compliance roles and responsibilities with the first line unless communicated properly.

Centers of Excellence (CoE)

Some institutions are considering, or have already established, a shared service model across operational risk and compliance using CoEs for same or similar risk management activities. This includes controls testing, issue management, reporting, etc. The CoE may have a dual reporting line to both operational risk and compliance senior officers with a single interface to the first line. In addition, some institutions are opting for a managed services model where they outsource selected risk management processes.

• Potential advantages: Reduction in overall effort and cost of activities, greater consistency in results and applied methodologies; and streamlined coordination with first line and alignment to the enterprise risk strategy and vision.
• Potential disadvantages: Regulatory constraints and possible dilution of subject matter expertise specific to each respective risk discipline.

Singular ownership for operational risk and compliance

Some institutions have considered merging the two risk disciplines under one organization to take advantage of the synergies between exposures.

• Potential advantages: Strategic alignment of visions and objectives with limited or no conflicting requirements and processes, and reduced burden and touchpoints with the first line.
• Potential disadvantages: Different approaches and perspectives to managing risk, which can cause inherent conflict between the two functions. For example, operational risk often anchors risk management activities to a process, whereas compliance manages risk to an obligation. Further, compliance must manage regulatory requirements and expectations for legal obligations (e.g., laws and regulations), which does come under an operational risk mandate. Requisite knowledge and understanding of such is generally not resident in an operational risk function.

Revisit and transform

With the global financial crisis in the past, financial institutions can now revisit their organizational construct and required capabilities across the first and second LOD. In doing so, these organizations can optimize risk management processes and create efficiencies.

The transformation of the risk management operating model and culture may be warranted based on potential synergies. But it is also important to retain the integrity of each respective risk discipline, consistent with regulatory definitions. For success in this transformation, it is critical to establish a clear, well-articulated, and communicated vision combined with an appropriate tone from the top.