By Oliver Houghton and Rigardt Jonker
In our first article, we asked the question: does Risk Management need to evolve? We concluded that there is lots of room for improvement (evolution). The article also ended with a reference to how Covid-19 upended all industries and how there may have been certain cues for Risk Management on what route the potential evolution of risk management should take. A reminder that the article predominantly uses an Operational Risk and Enterprise Wide Risk Management lens when dissecting shortcomings in the risk industry, although certain principles will apply to all risk types. However, keep in mind that risks are connected with each other, and that Operational Risk underpins every risk type. Also, quite often when financial risk types (for example Credit Risk) are realised, it is due to the manifestation of operational risks. For example, a credit risk loss may be due to collateral not being perfected, which could be due to human or system error, but the influence of Operational Risk is unavoidable.
What happens when a business is under the blowtorch?
In times of stress, organisations and individuals often find clarity… and backbones to make the tough calls, for example shutting down a non-performing business unit. As the reality of a difficult situation for a business becomes clear, harsh consequences become tangible and thinking ability becomes piqued. It then becomes easier to distinguish between the essentials and the “nice-to-haves”, the urgent and the “that can wait”, the “waste of time” and the valuable. The Covid-19 pandemic offered up lessons for Risk Managers, and these need to be taken on board.
Lesson 1: A business is all about survival and its customers
There is an old saying which Winston Churchill made famous towards the end of World War 2, “never let a good crisis go to waste”, and in Covid-19 we had a very global crisis that played out with broad and lasting impacts. A crisis normally reveals failures, lessons and successes, and potential pathways become clearer. The first lesson for Risk is this:
“An organisation, any organisation, exists for only two reasons – its survival and its customers. If neither exist, nothing else will”.
This lesson speaks to the need for Risk Managers to have a much deeper understanding of the business that they support. This extends to its strategy, products, services, customers, segments, partners, underlying financial fundamentals and the drivers of the business. This is not a new sentiment, but still we see far too many instances of business and risk operating in siloes. If business is placed at the heart of the risk management process, risk managers will be much better placed to apply the tools of risk frameworks in a relevant and value adding way.
Think of how different businesses responded to the outbreak of Covid-19 in the early stages. Priority was assigned to customer and employee health, servicing customers, and protecting financial fundamentals. These would have been the first areas of priority. Why? Without healthy employees, the organisation cannot service its customers. Without healthy customers, the financial fundamentals become vulnerable. Without customers, the business ceases to exist. These are strategic responses; responses born out of necessity.
Consider how the management of organisations responded to the pandemic when the lock-downs started coming into effect.
Priority was given to risk exposures covering financial fundamentals, including credit risk exposures, financial and liquidity ratios etc. Operational Risk data (RCSAs, Losses, Scenarios etc.) would have taken a backseat.
Why would that have been the case? Financial risk disciplines track real data which has relevance for the business strategy, its status, and its vulnerability. It is relevant. The Operational Risk data is tracking “other” data, which is most often disconnected from the business strategy and status. Its relevance is generally far less clear. It is no longer an excuse to say that Operational Risk is difficult to measure. If it is worth measuring, then it needs to be measured accurately. Also, every risk has strategic implications, so just because “Strategic Risk” is excluded from the definition of Operational Risk does not mean that we must ignore the connections to strategy. It also begs the question whether sufficient risk data is available for users to understand the interconnectedness of risks, i.e. proper integrated risk reporting. Keep in mind that decision makers will take a view of possible actions considering all the risks the organisation is exposed to; they don’t have the luxury of segmenting their responses per risk type. This is another warning light for Risk that properly integrated risk reporting is required.
Lesson 2: Risk is about the strategy of the business
The nature of an organisation determines the type of risks that are in play. An organisation’s strategy determines the extent that these risks are in play. Lesson: “Risk comes from the nature and strategy of the business, not from risk frameworks or risk libraries.”
This lesson will require Risk Managers to challenge themselves and their view of the risk landscape. On the face of it, the lesson may appear counter-intuitive to what has been practiced for years – “Operational Risk arises from factors within the internal and external environment”. This is not wrong, but it is only half of the picture. The nature and strategy of the business defines the type and extent of exposure to operational risks. This has not been sufficiently understood, nor has this been explicitly incorporated into current Operational Risk Management methods.
This misunderstanding is evident in many organisations. There are three simple things that can be checked to assess the level of relevance of Operational Risk content in an organisation:
- Ignoring business realities: A sign that the business context is missed is if an organisation is identifying and assessing risks based on a risk library (regardless of how comprehensive the risk library is). Whether the organisation is identifying operational risks from a library or not, the starting point is crucially important – what does the business strategy dictate? Not every operational risk is relevant or important for a business.
- Ignoring risk realities: Review the Operational Risk reports of the business. If these reports contain the same list of risks (and controls) every reporting cycle, reflecting colours (Red, Yellows and Greens?) that hardly ever change, then the organisation has missed the real Operational Risk profile. The business is stuck in a governance and control regime; business value is compromised for the sake of demonstrating what the organisation has interpreted as “sound risk management practice”.
- Ignoring risk activities: A further flag that Operational Risk content and focus may lack relevance, is when the majority of the risk manager’s time is spent compiling reports, performing control assurance, reviewing issue status, and assessing control remediation efforts. This is an indicator of one-dimensional response to risk management. In the first article of this series, the point was made that “control” is merely one option in the array of suitable risk management responses, and often a control response is inappropriate, as it is most often directed towards achieving governance and policy compliance, versus business strategy and risk optimisation.
How would this correspond to the lessons learnt out of Covid-19? Firstly, the Operational Risk reports, data and tools were generally not needed to make the decisions required to adjust to a new way of working. Secondly, organisations that appreciated the gravity of the pandemic did away with bureaucratic, costly, and slow governance requirements to enable rapid, responsible, and relevant decision-making. Thirdly, organisations that intended to survive, brushed reactive risk and control priorities aside and embraced, fully, new strategies for a new competitive environment and a new purpose – encompassing radical organisational transformation from rigid structures to adaptable, digital, flexible operating models, supported by empowered workforces.
The comfortable, slow-moving, governance pre-occupied operational risk management cycle of pre-Covid-19, was summarily dismissed. As mentioned earlier in the article – in times of stress, thinking ability becomes piqued. Executives and senior managers could see clearly – they had to. The Operational Risk content that had been monitored for years, was only ever being entertained, for the sake of the governance machine. When it came to the crunch, when decisions had to be made overnight, it was easy to see what was useful and what was not.
So where does this leave the Operational Risk discipline? The first step to making amends would be by making the Operational Risk content that is reported more relevant to the business. The best way to do this, would be by anchoring the Operational Risk data that is reported on business fundamentals. Blindly pursuing the requirements of the Operational Risk Framework is not assisting the business in achieving its objectives. With Covid-19, it was obvious that all business decisions were made based on business fundamentals… nothing else. Should it not be the same in business-as-usual cycles?
Operational Risk needs to adapt to be fit-for-purpose for new business purposes, new strategies, flexible operating conditions, and new risk characteristics. ORM needs to become spontaneous, plugged into business plans and close to business performance. This is where the risks are and always have been. The cost to the business of not doing this is prohibitive and potentially fatal.
Regulators have also attempted to push Banks in that direction with Resilience requirements, which look at the health of the key processes that are needed to execute the key functions of a bank and serve customers. However, keep in mind that in article 1 we touched on the unintended consequences of trying to comply with regulations without holistically solving for the business and risk needs.
Lesson 3: Break out of the mould
To make a difference, the discipline of Operational Risk Management needs to break out of the mould. The current frame of reference is overly dominated by regulation, the Operational Risk Management Framework, its associated policies and related risk management methods. Lesson three is about escaping from the comfort zone of doing things because it has always been done that way, challenging what has not worked, making the existing risk management tools relevant, designing new risk tools, but, most importantly, getting dirty in understanding what makes businesses tick.
To break out of the mould, reflection is needed on how operational risks have been managed; think about what activities are performed in the name of Operational Risk on a daily basis, and be honest about what has not made sense and all those aspects of the role which have been challenging. Break the current frame of reference and reconstruct it. Below are some thoughts on perspectives that need to change:
Frame of Reference | Typical Mould | Typical Effect | Breakout Mould |
---|---|---|---|
Regulation | Piecemeal, project-based implementation | | |
Governance, Risk and Control | Policy compliance orientation | | |
Lines of defence | Rigid separation of lines | | |
Understanding of Risk | Risk and control focus | | |
The ORMF and the ERMF | Basic elements required by regulation | | |
Existing “moulds” have contributed directly to reduced value from Operational Risk. These moulds have been known about for a long time, but nothing has been done to break them. This is accepted, and has become the norm, despite the dire consequences for the effectiveness of the discipline. The lessons in this article are simple, but do require courage to rectify. They require Operational Risk Management to question the status quo and design a direction which goes against the traditional current.
The Operational Risk Management discipline is in desperate need of evolution; tangible value is long overdue. The Covid-19 pandemic and the multiple crises that have ensued have shown which disciplines need to transform, and Operational Risk is one of them.
The Future is Here. Connect the dots.