Operational Risk Management Lessons Learned During COVID-19
During the COVID-19 pandemic, in addition to dealing with financial challenges such as a drop in assets or liquidity, organizations have been faced with issues that go to the core of operational risk management - people, systems, processes and external environment.
The crisis acted as a real-life stress test of existing frameworks and processes, and lessons learned from the pandemic will trigger changes to how firms view and manage their operational risks.
Agility and Risk and Control Self-Assessments (RCSAs)
Risk assessments, a core operational risk tool, attract a fair share of criticism. While widely used by firms in financial services, they typically generate a mixed response, not only from business stakeholders but also from practitioners themselves.
An industry study published by the Operational Riskdata eXchange Association (ORX) reflected the view that RCSAs were seen as simply not delivering enough value, and not sufficiently influencing business decisions.
At the inception of the pandemic and during multiple lockdowns when staff moved to a working from home (WFH) environment, some firms deprioritized and delayed the RCSAs, with the intention of executing them later down the line. Others, on the contrary, demonstrated agility and used the RCSAs effectively to promptly scan the changing risk and control environment.
A full refresh is unnecessary; however, a short and focused review to ascertain which controls have weakened the most is essential.
Undoubtedly, there are areas where day-to-day practices may have deteriorated, as organizations went with continuity over controls; a necessary step to carry on business. Common examples include discontinuation of face-to-face supervision; call forwarding to an unrecorded home or mobile number; and less secure record management with printing and disposal of information at home.
Given the changes, this is the exact moment to demonstrate the true value of operational risk management. A consolidated view of weakened controls and increased risks, presented to the Executive teams, the Board and the regulators, provides much-needed transparency and allows the organization to take decisions – including consciously accepting the level of risk or introducing required mitigants.
Based on the poll conducted by the Best Practice Operational Risk Forum, comprised of experts from a variety of multi-national firms, 40% of respondents were able to promptly obtain and deliver this view; either via top-down or bottom-up RCSAs.
Figure 1 Source: Best Practice Operational Risk Forum
The lesson here is about the use of risk assessment tools within the organization, and reliance upon them at times of crisis – instead of discounting or labelling them as ‘time-consuming’. It is also about the agility, brand and skills of operational risk practitioners who lead the risk thinking and continue to positively influence the risk culture of the institution.
Situational Awareness and Scenario Analysis
Historically, operational risk Scenario Analysis (SA) within financial services firms served one primary purpose – risk measurement and capital calculation. More recently, the industry seems to have tackled this challenge, with many organizations (77% as seen from the live poll conducted by the Best Practice Operational Risk Forum) expanding the use to both risk management and measurement purposes.
During the outbreak of COVID-19, the pandemic scenario was added to the list of ‘must-haves’, prompting organizations to explore extreme but plausible outcomes and consider actions (risk management) as well as evaluate their potential impact on the capital position (risk measurement).
Similar to the RCSAs, while all firms have the SA tool at their disposal, it was the firms with a situational awareness mindset who promptly applied the tool in practice and showed maximum responsiveness.
Leadership teams with the right perception about the wider environment and a good comprehension of the meaning and projection of the future state (or, in other words, situational awareness) ran scenarios early on at the inception of the pandemic and were more prepared in their thinking and planning of required actions.
The lesson, yet again, is about the embeddedness of operational risk management tools and their value proposition, deriving business benefits rather than applying a ‘tick-box’ approach. It is also about the risk culture of the organizations and the situational awareness mindset of senior leaders who come together at times of crisis.
As concluded by the Best Practice Operational Risk Forum, while scenarios are not yet considered the most valuable tool in the operational risk framework, they are deemed to generate significant business value (as perceived by 36%, figure 2). This is the area of focus for the future: how to make the risk owners want to use the SA process, moving from ‘moderate’ and ‘minor’ value-add to generating significant benefits.
Figure 2 Source: Best Practice Operational Risk Forum
Risk Function: Collaborator, not a Gloomy Critic
"All of us might wish at times that we lived in a more tranquil world, but we don't. And if our times are difficult and perplexing, so are they challenging and filled with opportunity", a quote attributed to Robert Kennedy which couldn’t be more relevant to this current moment.
The risk department is sometimes perceived as a gloomy critic that only focuses on the negatives - threat analysis; emerging risks; incidents and losses. To excel in the risk profession, it is equally important to emphasize the opportunities. In reality, this is not given enough airtime.
In a live poll conducted by the Best Practice Operational Risk Forum, less than half of respondents admitted to having a structured approach to identifying and evaluating the upside of risk (fig 3).
Figure 3 Source: Best Practice Operational Risk Forum
Plenty of opportunities have emerged from COVID-19, including, for example, enhanced operational resilience and potential savings due to reduction in use - or even cancellation - of alternative disaster recovery sites if the majority of staff can work effectively from home.
The lesson is about reinforcing positive risk management, an enabler not a show stopper, assisting business units to arrive at a balanced picture of threats and benefits in order to weigh them up and take prudent, risk-aware decisions.