Editorial, 14 Jun 2022
Breakthrough technology, increased data availability, and new business models and value chains are transforming the ways banks serve customers, interact with third parties, and operate internally. Operational risk must keep up with this dynamic environment, including the evolving risk landscape. Legacy processes and controls have to be updated to begin with, but banks can also look upon the imperative to change as an improvement opportunity.
The adoption of new technologies and the use of new data can improve operational-risk management itself. Within reach is more targeted risk management, undertaken with greater efficiency and truly integrated with business decision making. The advantages for financial-services firms that manage to do this are significant. Already, efforts to address the new challenges are bringing measurable bottom-line impact. For example, one global bank tackled unacceptable false-positive rates in anti-money laundering (AML) detection, which were as high as 96 per cent. Using machine learning to identify crucial data flaws, the bank made the necessary data-quality improvements and thereby quickly eliminated an estimated 35,000 investigative hours. A North American bank assessed conduct-risk exposures in its retail sales force. Using advanced-analytics models to monitor behavioural patterns among 20,000 employees, the bank identified unwanted anomalies before they became serious problems. The cases for change are diverse and compelling, but transformations can present formidable challenges for risk functions and their institutions.
Operational risk is the risk of losses caused by flawed or failed processes, policies or systems, or by events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. Most organisations accept that their people and processes will inherently incur errors and contribute to ineffective operations. In evaluating operational risk, practical remedial steps should be emphasised to eliminate exposures and ensure successful responses. If left unaddressed, operational risk can cause monetary loss, competitive disadvantage, employee- or customer-related problems, and business failure. Operational risk management (ORM) is a continual process that includes risk assessment, risk decision making, and the implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of risk. Every organisation faces circumstances or fundamental changes in its situation that present varying levels of risk, from minor inconveniences to situations that could put the entire company at risk.
Operational risk management is often discussed in the context of financial services. An operational risk management process is necessary for organisations that want to avoid potentially disastrous issues. For a microfinance institution (MFI), operational risk is the risk of financial losses and negative social performance related to failed people, processes, and systems in its daily operations. As MFIs decentralise and offer a wider range of financial products and alternative delivery channels, the operational risks multiply and it becomes increasingly important to manage them effectively. There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.
Even as financial institutions ramp up their cybersecurity efforts, cyber risks, including ransomware and phishing, have become more frequent and influential, affecting their operational continuity.
This is especially true in the post-pandemic world where threat actors leverage security weaknesses in firms’ IT infrastructure to perpetrate serious (and profitable) cyberattacks.
Increasingly, financial institutions are relying on third-party providers, which means they have to thoroughly identify, evaluate, and control third-party risks throughout the lifecycle of their relationships with those companies. Moreover, with increasing digitisation and hyper-connectivity in the financial landscape, the vendors, suppliers, and contractors that those third parties in turn work with also create risks that must be identified, evaluated, and managed.
According to one survey, almost 40 per cent of mid-size and large digital financial services organisations reported in 2020 that fraud had increased compared with the period before Covid-19. Operational risk losses from internal fraud can stem from asset misappropriation, forgery, tax non-compliance, bribes, or theft. Fraud committed by external parties includes cheque fraud, theft, hacking, system breaches, money laundering, and data theft. The risk of both internal and external fraud arises from diverse factors, including the massive growth in transaction volumes, the availability of sophisticated fraud tools, and the security gaps created by increasing digitisation and automation.
Any operational risk management plan must have a process in place for the ongoing monitoring and reporting of these risks, in part to demonstrate how effective the plan has been. This process should ensure that the solutions put in place are continuing to be effective and are still managing the risks.
Establishing effective risk management capabilities is key to enabling better business decision making and an important tool that the C-suite can use to gain a competitive advantage.
It is easy to see that there may be considerable overlap between these categories in terms of the source of a particular loss. It is also apparent that some are closely related to the discipline of business continuity management (BCM), whereas others must be treated through standard risk management and/or good corporate governance practices. Damage to physical assets is a typical BCM issue leading to the preparation of a business continuity plan, possibly underpinned by a number of subsidiary plans such as an information and communications technology disaster recovery plan. Conversely, fraud issues will usually be addressed through conventional risk management practices, supported and strengthened by strong company policies and procedures.
The difficult operational risk question, namely which risks are to be addressed, will be confirmed in the business impact analysis (BIA) phase of the business continuity management programme if it has not already been separately considered. Indeed, it is better to resolve it through the BIA process, as this rigorous process may offer unexpected solutions. The BIA is the foundation of effective business continuity planning and is the appropriate stage at which to examine all supporting processes and activities.
It is useful to bear in mind, however, that business continuity plans primarily deal with the post-incident timeframe. It is for the retained risks flowing from the BIA that effective continuity and recovery plans must be developed. Attention must also be given to the impact on the risk profile if and when certain continuity measures are invoked. For example, the loss of a primary data centre, with attendant failover to a standby centre, has a dramatic impact on the risk profile, as the organisation now has multiple single points of failure. This is not to suggest that we establish a standby to a standby to a standby, but rather to stress that consideration must always be given to alternative solutions, such as manual methods, at least for the short-term response.
In the past decade, there has been major progress in the development of artificial intelligence (AI). AI algorithms excel at data analysis and have evolved to the point where they surpass human performance on a wide variety of tasks. More and more businesses exploit these technological advances to optimise processes such as marketing, sales and e-commerce, manufacturing and logistics. In today's increasingly data-driven world, this trend is expected to continue on the back of widening opportunities for use cases, including in the area of operational risk management.
Machine learning engines can analyse large amounts of data from various sources. This information feeds real-time prediction models that allow risk managers and security teams to address risks quickly. The models are fundamental to developing early warning systems that assure the uninterrupted operation of the organisation and the protection of its stakeholders.

1. AI also provides the ability to evaluate unstructured data about risky behaviours or activities in the organisation's operations. AI algorithms can identify patterns of behaviour related to past incidents and transpose them into risk predictors.

2. Fraud detection traditionally requires intense analysis processes for financial institutions and insurers. AI systems can substantially decrease the workload of these processes and reduce fraud threats by using machine learning models that focus on text mining, social media analysis, and database searches.

3. AI tools can also process and classify all available information according to previously defined patterns and categories, and monitor access to these data sets.
The following procedure can be used to implement AI models within your company, both to reduce "AI risk" and to take advantage of the benefits that these tools can bring to your organisation:
The first step in implementing a risk management system supported by AI is to identify the organisation's regulatory and reputational risks. Conduct a risk assessment based on current frameworks and your company's organisational values. Use it to determine the data you need to collect and how you want to process that information.
The first step in building an effective ORM capability is to fully assess the bank's existing risk profile and then construct a database and a map of all internal and external operational risk events. The bank then develops key risk indicators (KRIs) that serve as early warning signs of potential problems. Management publishes some of these KRIs within the organisation and uses others as part of its ongoing ORM surveillance. Once the bank has identified and categorised each risk, it can decide on mitigation options.
Next, the bank clearly articulates its overall appetite for risk. This is partly an exercise in setting goals for financial measures, such as the amount of capital the bank is willing—and allowed by regulators—to have at risk, but it is equally a matter of establishing the bank’s cultural and governance priorities. Management sets the tone with its behaviour, decisions and actions.
The key to effective ORM is training people to anticipate what could go wrong, especially when a business unit is about to do something new, such as introduce a product, change a customer interface, alter the way employees are compensated, or outsource part or all of a core business process.
As banks increasingly use Agile teams to innovate, they can make sure that ORM experts are part of the effort. One major European bank, for example, has ORM staffers as integral members of the Agile teams on its innovation campus, where the bank develops and tests new business practices and offerings. Another European bank has built up a dedicated cyber-risk team that simulates realistic cyberattack scenarios and takes action to prevent them from happening.
Identifying and mitigating operational risk is too large and important a task to be left only to the ORM experts. Frontline managers can act as the bank's eyes and ears on ORM by reviewing a short checklist of questions, starting with whether their business unit is involved in changes that could materially affect the way it operates. The questions include: How well does your team understand the operational risk appetite guidelines, thresholds and regulatory requirements for your business area? Have you mapped the bank's systems that would be affected by your proposed changes? Are you aware of the risk and compliance breach events that have occurred in your business in recent years? How would your proposed changes affect the KRIs the bank regularly tracks in your area?
The writer is MD and CEO of Community Bank. He can be contacted at masihul1811@gmail.com