5 minute read
Operational risk frameworks in the age of COVID-19: in data we trust! - by Thibaud de Barmon
operational risk frameworks in the age of COVID-19: in data we trust!
by Thibaud de Barmon
Advertisement
The past 10 months have changed firms’ operational landscape in ways that few would have thought possible. To date, this change hasn’t led to major disruptions, but there is no doubt that the level of operational risks firms are now exposed to is on the rise.
What does this mean for the practice of operational risk? Because the current changes are both profound and lasting, we believe they will particularly impact the way risk frameworks anticipate, measure and communicate. For operational risk this will mean major adjustments in three areas: more complex and dynamic scenario analysis; more granular self-assessments of the risks and controls; and agile reporting and escalation of risks and vulnerabilities. This article looks at each in turn.
the development of scenario analysis
Firms’ operational environment is still very much in flux, and a new normal is still at least several months away. Yet new constraints are profound and environmental changes are very uncertain. For operational risk managers forward-looking tools will thus be crucial, and the scenario analysis process will be the key one.
Through well-designed scenarios, risk managers can assess both the first and second order impacts of any operational risks. Seven months into the worst pandemic in a century, the first order impact of a pandemic is now pretty much known: thanks to the rapid adoption of remote working, it appears financially and operationally manageable.
The longer-term and second order impacts on the contrary are still incredibly uncertain, as much as possible firms should try to anticipate them. This is no easy task, but we believe that it can be achieved by extending and refining the following three types of scenarios:
The scenarios most impacted by changes in the business environment because these lead to increases in impacts of many other events such as rogue trading, modelling failures, and processing errors.
The scenarios most impacted by the loss of access to the more secure legacy workplaces because remote working weakens external defenses and increases the chances of successful intrusions such as cyber intrusions, data leakages, and external frauds.
Adjacent to this, the scenarios most impacted by the loss of proximity between first and second lines because these weaken internal controls and thus increase both the probability and impacts of rogue trading, processing errors, and internal fraud events.
The challenge is that most of these impacts are bound to grow gradually over time as increased distance between staff, lower productivity, and looser controls lead to bigger internal disruptions and failures. Scenario analysts may thus consider longer time horizons (several years rather than a few months to a year) and more complex measurement techniques (use of split storylines).
Such added complexity is certainly a challenge but also an opportunity for their operational risk functions as their transversal and multi-disciplinary constructs will make them the best placed to respond to these challenges.
self-assessments of risks and controls
In a still fluid risk environment, backward-looking tools are bound to be challenged. Risk Control SelfAssessments (RCSAs) will be no exception, especially in their ability to assess new inherent risks.
Yet RCSAs still can be very useful in their ability to determine in granular and analytical fashions the difference between inherent and residual risks. This difference will be particularly helpful in assisting the measurement of second order impacts we mentioned in the previous section. Yet this requires detailed internal data on key controls with a particular attention to those impacted by the new constraints, especially the large-scale adoption of remote working. We see here four areas of focus:
Time-critical external controls especially daily ones (payment releases, transaction matching, settlements) because their deterioration is often very gradual but their failure can lead to major disruptions.
Performance-based external controls such as call-handling and fraud detections. These too should be particularly sensitive to staff and productivity levels and their deterioration if they persist could lead to widespread frauds or litigations.
Independent but co-located internal controls (P/L, risk reporting, scoring, model validations) between first and second-line functions. Lockdowns and remote working have made those controls more formal, time consuming and highly dependent on quality of risk data. Their performance thus needs to be monitored carefully.
Lastly, firms should consider improvements during the pandemic may be the sign of reduced activity that have been achieved at the expense of future risks and controls. Firms should thus consider if improved change controls actually mean too many changes to allow safe executions further down the line.
Overall, RCSAs will need to be less backward-looking, more predictive, and more dynamic and identify changes in both external and internal behaviours. These will require more frequent and granular assessments and harnessing far wider sets of internal data than is currently the norm.
Reporting risks in a stress environment is always a challenge because both risk exposures and risk appetites keep changing. For operational risk this implies a move towards forward-looking, sensitivity-based reporting which is particularly difficult because of the small size of the historical and external data available.
Transaction records, life-cycle events, staff levels, customer queries and complaints, system availability and performance, the universe of data available to assess operational stress is vast and can make a big difference. We would therefore recommend firms to substantially extend the use of these datasets and go far beyond RCSAs and scenarios. They could consider performance indicators and cross-reference them to dynamically predict levels of operational stress for key functions and services.
Doing so requires substantial data mining and machine learning capabilities but also transversal and multidisciplinary expertise that is often present in operational risk functions. The development of such capabilities is probably the biggest challenge and the greatest opportunity this pandemic may bring to the practice of operational risk.
conclusion
The pandemic and the profound changes in the operational environment that go with it will stretch many operational risk frameworks to their limits. Key elements such as scenario analysis and RCSAs are bound to be challenged but coupled with the right multi-disciplinary expertise and new data-driven technologies they could also be transformational and turn operational risk frameworks into sophisticated and highly-effective risk management platforms. In doing so they have the potential to turn the operational risk discipline into, not just a useful function, but an indispensable one for both firms and their regulators.
author Thibaud de Barmon
Thibaud de Barmon has been working in financial services’ operations for the past 25 years, first as a practitioner, running large investment banking programmes and backoffices and as a UK regulator. From 2008 to 2020 at the FSA and the Bank of England he ran the department of risk specialists dedicated to change, IT and operational risks. He was particularly involved in the supervision and policy developments of operational risk and resilience, banking restructuring, structural reform, Brexit and Fintech.
He now runs Milton House, an advisory consultancy dedicated to operational effectiveness and operational resilience in financial services.
