Guide to Operational Risk and Compliance Risk in Financial Services

Blog post Team CENTRL 2022-05-16

Following the global financial crisis of 2008 and, more recently, the COVID-19 pandemic, financial organizations now understand that operational risk – and to an extent, compliance risk – plays a critical role in shaping their overall risk profile. These crises have also highlighted the need for these organizations to shore up their operational risk and compliance risk management functions.

A 2001 paper by the Basel Committee on Banking Supervision (BCBS) defines operational risk as: “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.”

This comprehensive guide explores operational risk and operational risk management (ORM) in the financial services industry. It also highlights the similarities and differences between operational and compliance risk and suggests several best practices to optimize these functions.

What is Operational Risk?

The U.S. Office of the Comptroller of the Currency (OCC) defines operational risk as to the “risk to the current or projected financial condition and resilience arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.”

Operational risk can also arise from:

  • Third-party relationships with vendors, outsourcing firms, etc.
  • Information security and cyber risk due to:
  • Ransomware
  • Phishing
  • Compromised credentials
  • Manipulation of remote access channels
  • Internal or external fraud stemming from:
  • Money laundering
  • Asset misappropriation
  • Forgery
  • Insider trading
  • Bribes or other forms of corruption
  • Robbery or check kiting

Financial institutions are vulnerable to all these risk factors since they operate in an increasingly complex environment. Operational risk can result in substantial financial losses and material damage. It can also disrupt operations, invite regulatory fines, increase customer churn, and damage the company’s reputation.

In its 2021 Semiannual Risk Perspective report, the OCC lists operational risk as one of the four key risk themes that affect the financial system’s robustness, safety, and the ability to ensure that all customers have fair access to financial services.

What is Operational Risk Management?

Operational Risk Management or ORM is less about eliminating operational risk – which is virtually impossible to do – and more about reducing and mitigating it. ORM is an ongoing activity and a continually evolving discipline that enables financial institutions to apply quantitative concepts to measure and control operational risk.

The Traditional ORM Approach

Traditional ORM aims to counterbalance operational risk through internal processes, audit programs, and insurance protection. While these means are not entirely ineffective, they do place the responsibility of identifying and mitigating risks on humans. As operational risks evolve, people can’t always keep up.

Another issue with this approach is that various business lines use siloed, non-integrated risk categorization and management methods. There’s little or no process transparency, collaboration, or information-sharing across these units. Ultimately, failure to consider overall operational risk makes the organization more vulnerable to business continuity disruptions, chaos, and losses.

The ”New” ORM Approach

The new ORM approach favors quantitative risk management over human intuition to understand risk exposure and improve risk management. It thus includes practices like:

  • Analyses of historical loss data
  • Formal risk assessments and evaluations
  • Risk measurement and mitigation
  • Controls implementation
  • Risk monitoring and reporting

This new framework provides a formal, transparent, and collaborative structure to identify, measure, monitor, and control (or mitigate) operational risk in the financial sector. It also emphasizes enterprise-wide oversight to eliminate risk siloes, improve enterprise-wide risk awareness, and minimize potential exposure.

Further, it empowers the organization to:

  • Better understand its risk tolerance.
  • Evaluate capital adequacy and align capital levels in the context of the overall risk profile.
  • Define operational risk policies with details about:
    • Assessment processes
    • Risk quantification methodology
    • Reporting standards
    • Risk personnel roles and responsibilities
  • Understand operational risk charge to accurately calculate its risk-weighted assets (RWA) and risk-based capital (RBC) ratio.
  • Create a consistent reporting mechanism to communicate risk information to key stakeholders.

ORM in Financial Services

The BCBS paper helped elevate operational risk to a distinct category in the financial services industry. It also prompted the sector to create more quantitative and analytic approaches to operational risk.

Even so, the operational risk remains more complex than financial risks, such as market or credit risk, making it more difficult to measure, control, and mitigate. But despite such challenges, financial institutions need to strengthen their ORM programs. There are many reasons for this.

Recent developments in the sector have generated substantial and growing operational risk exposures. These include the emergence of banks as large-volume service providers, the growth of eCommerce, and the rise of automation, FinTech, and new financing techniques.

The increasing complexity and volatility of financial value chains, the emergence of new business models, and an evolving regulatory risk landscape also increase the operational risk for financial institutions, funds, and investors. To minimize their exposure, these organizations must implement sound ORM practices.

The ORM Process and Key Principles

In general, ORM consists of five stages:

1. Identify Risk

Operational risk management starts by identifying operational risks in the organization’s objectives and goals.

2. Assess Risk

After identifying the relevant risks, the financial institution must assess each risk based on potential impact and probability of occurrence. This activity guides risk prioritization and mitigation and improves risk understanding in the organization.

3. Mitigate Risk

Risk assessment and prioritization inform which mitigation strategy should be adopted:

  • Avoid the risk, say, by strengthening its cybersecurity controls
  • Transfer the risk to another organization such as an insurance firm
  • Accept the risk if the cost of risk realization is lower than the benefit of a risk control
  • Control the risk to minimize exposure and decrease the probability of material damage

To select the right strategy, it’s also essential to keep in mind four fundamental ORM principles:

  • Don’t accept unnecessary risk
  • Accept risk only if benefits outweigh costs
  • Make risk decisions at the appropriate level and by a person who understands the risk
  • Proactively anticipate and manage risk through planning

4. Implement Operational Risk Controls

Mitigate, avoid, transfer, or control the risk by implementing the necessary controls.

5. Monitor and Report on Risk

Organizations should continuously monitor operational risks to assess if their prevalence and potential impact have changed. Accordingly, they should update their ORM practices and initiatives.

Operational Risk vs. Compliance Risk

In the post-financial crisis/post-COVID era, financial institutions must contend with operational and compliance risks. While potential synergies exist between these functions, it’s essential to understand that there are differences as well.

The BCBS defines compliance risk for financial institutions as the “risk of legal or regulatory sanctions, material financial loss, or loss to reputation.” These risks usually result from a failure to comply with laws, regulations, rules, related self-regulatory organization standards, or any codes of conduct applicable to banking activities.

This definition considers compliance risk as a sub-risk category. However, the definition proposed by Federal U.S. regulators defines compliance risk as a discrete risk discipline. While regulators disagree on categorizing compliance risk, they agree on the definition of operational risk as the risk resulting from a failure to establish internal controls, thus exposing the organization to operational losses, fraud, or cybersecurity breaches.

Synergies Between Operational Risk and Compliance Risk

Synergies exist between operational risk and compliance risk in all these areas:

  • Governance models: Create a single committee to address both operational and compliance risks, and to create, interpret, and execute risk management policies
  • The risk oversight process: Provide improved oversight to the organization’s first line of defense (LOD), i.e., the business lines that generate, own, and control compliance and operational risk
  • Risk management framework: Provide a structured approach to manage, mitigate, and communicate risk across the organization
  • Controls evaluation: Promote single and integrated controls testing for operational risk and compliance
  • Data and reporting: Collect and aggregate operational and compliance risk data, and create an integrated risk report
  • Issue management: Identify and prioritize systemic issues, and coordinate various business functions for sustainable issue remediation
  • Employee training and incentives: Improve risk awareness and reinforce desirable behaviors to minimize risk

By identifying these synergies, financial firms can get better visibility into risks and their potential impact. They can also ensure that high-value risk information is available to senior managers and the board.

Best Practices Common to Operational Risk Management and Compliance Risk Management

To make the most of these synergies, it’s useful for organizations to follow these best practices:

Adopt a risk-based approach to compliance

By adopting a risk-based approach to compliance, firms can demonstrate that they are incorporating evolving regulatory requirements into their overall risk management architecture. This is a more robust way to address operational and compliance risks than a typical check-the-box approach.

Map processes to risks and controls

When processes are mapped to risks and controls, it becomes easier to identify, assess, prioritize, and address operational and compliance risks. Mapping also helps implement robust procedures to escalate and report issues and perform root cause analyses. Further, it improves collaboration and communication pathways between process and risk owners.

Identify risk management technology

The right technology can improve the risk management program’s effectiveness, especially if automation is introduced via AI software, Machine Learning algorithms, or Natural Language Processing-based chatbots.

Monitor risks and controls

Controls and metrics are essential to continually manage and mitigate compliance and operational risks. And since these risks are constantly evolving, it’s crucial to monitor both risks and associated controls to maintain an effective risk management program.

Aligning processes with resource planning ensures that the right resources are available to quickly address identified risks. Also, monitoring processes allow the organization to improve capacity planning and allocation for risk management.

Set up change management

To stay abreast of emergent risks, a change management program is vital. The program should support controls and process testing, indicate when new resources are required, and guide technology investment strategies.

Introducing ODD360 to Streamline Operational Due Diligence and Risk Management in Financial Services

Operational due diligence has become more complex – but no less important – in the post-COVID era. And yet, many fund managers, hedge funds, investment management firms, and endowments continue to rely on manual ODD processes and workflows that affect ODD efficiency, timelines, reporting, and audit responses.

CENTRL’s ODD360 brings advanced automation to simplify ODD and increase efficiency by 50%. With ODD360, due diligence professionals can effectively use data for due diligence and access a single source of truth from one centralized location.

ODD360 streamlines DDQ and RFI workflows processes and auto-extracts DDQ answers for analytics. Further, it provides audit trails, dynamic dashboards, plus an intuitive user experience that’s invaluable to keeping up with today’s ODD trends and requirements.

To see ODD360 in action, book a demo.

Similar resources

More resources