Operational risk management – helping your C-suite to see opportunity
Sword GRC Blog
Operational risk management - helping your C-suite to see opportunity
Convinced that risk management will support better business decision-making within your organization, but need to be able to obtain greater executive team buy-in? Internationally recognized speaker, writer and advisor in Operational Risk Management, Dr Ariane Chapelle – Associate Professor at University College London for the course ‘Operational Risk Measurement for Financial Institutions’ – addressed this issue in a recent Sword GRC webinar entitled ‘Demonstrating the value of risk management to executive teams.’
If you missed the presentation, highlights are summarised in this short post. For those who would like greater detail, ‘Demonstrating the value of risk management to executive teams’ is available to view on demand.
HOW TO DEMONSTRATE THE VALUE OF OPERATIONAL RISK MANAGEMENT
EVERYONE IS DIFFERENT
“Every CEO, senior management team and organization is different. Given the diverse personalities, the management style and the culture involved, there is no ‘one size fits all’ approach to promoting risk management internally.”
Chapelle suggests that key sources of differences include the organization’s risk culture. “What is the tone from the top? What does leading by example – or not – by senior executives look like? Is the board ‘sold’ on risk management? In which case, you are probably going to have an easier ride.”
Another driver of difference is regulatory pressure which will differ from country to country – the UK being the ‘toughest’ followed closely by Europe and the US. The size of the organization will also be a factor. “When you are growing in size, you can totally expect increasing regulatory pressure so that must be on your radar,” she says.
A third source of difference is risk awareness. “This essentially comes from whether or not you have been ‘burnt’ in the past. What is the legacy; what is the history of incidents that may or may not have raised risk awareness?”
Chapelle sites corporate culture as another source of difference. Are you dealing with a young, start-up thinktank or are you dealing with an established organization that may be more resistant to change? She suggests that you take into account all of these elements and leverage your strengths. If you have a supportive senior management team, her advice is to implement risk-related objectives for all key functions and use risk-related KPIs for escalations, control assessments and action planning. “The less supportive the CEO, the more charismatic you need to be as the Head of Risk,” she suggests.
Regulatory pressure according to geographical location can be used to strengthen your case. Startlingly, regulatory fines during the calendar year 2021 totalled £239,045,800. * “Make sure that you are ready for the compliance burden and the regulatory scrutiny the goes with it,” advises Chapelle.
Further ways to leverage your strengths include the use of past incidents or near misses to raise awareness and evidence operational risk; highlight losses at peer organizations to raise awareness; yet remember that past losses are not necessarily indicative of future ones. Consider which threats are no longer in place and which ones persist. “If you have incidents that haven’t been addressed and they persist in your system, then this is a weakness and a predictor of future events.
“One tell-tale sign of an organization’s risk culture is the transparency of the socialization of incidents and lessons learned. In my view, the best risk culture is within firms that share these experiences, without blame, anonymizing incidents and generalizing the lessons learned. Where were weaknesses in controls overlooked? Could exposure happen in other departments?”
Acknowledging that it’s a generalization, Chapelle suggests that smaller, younger organizations tend to be innovative and high-energy. Within these, risk management can be positioned as an enabler and stabilizer of performance. Conversely, within larger, more established and perhaps more conservative organizations, there will be risk management practice in place. Legacy controls should be used to build what Chapelle terms an ‘invisible framework’ for risk management; keeping jargon within the risk management function; leveraging existing information; filling the gaps and, ‘making friends’ since operational risk management within firms is people-centric.
“RISK MANAGEMENT IS ABOUT DELIVERING THE INTENTIONAL, NOT THE ACCIDENTAL’
It’s important to be able to demonstrate to the C-suite that when a crisis strikes, your risk function has the ability to handle it well. Risk management credibility is built up during quiet, non-crisis times by filling gaps in risk exposures and completing action plans. Chapelle stresses that risk management is about differentiating ‘luck’ from ‘skill’ and that ‘delivering effective risk management solutions with enthusiasm can go a long way’, particularly within organizations where the C-suite is less receptive.
5 PRINCIPLES FOR POSITIONING THE IMPORTANCE OF RISK MANAGEMENT
Be adaptable – listen to C-suite concerns, they are usually reliable indicators; prioritize concerns and investigate them, without running the risk of over controlling or ‘crying wolf’
Be precise – detail cases of past incidents and near misses, with precision rather than generalization on causes, costs and remediation. Citing internal events is more powerful than those of peers
Quantify incidents – quantify direct and indirect losses in monetary terms to make them relevant. Remember, lost opportunities and remediation costs are often far greater than direct costs
Be positive – maintain the aim. Position risk management as an enabler, empowering growth. An investment, rather than an expense.
Be proactive – don’t confuse risks with incidents; remediate large events are low risks; overlooked weaknesses are high risks. Focus on mitigation, monitoring and scenarios and make good use of risk management performance metrics.
EVIDENCE THE IMPORTANCE OF RISK MANAGEMENT
Towards the end of the session, Sword GRC Solutions Consultant, Charley Griffith reveals how Sword GRC’s operational risk management solution can help Financial Services organizations across the globe to manage risk, enterprise-wide and evidence best practice.
Read more about Sword Operational Risk Manager