Operational Risk Reporting
Paul Rosen
Operational Risk
In this series so far, Paul Rosen has discussed risk appetite, risk identification and risk evaluation within the operational risk cycle. In this video, we will look at risk reporting.
In this series so far, Paul Rosen has discussed risk appetite, risk identification and risk evaluation within the operational risk cycle. In this video, we will look at risk reporting.
Operational Risk Reporting
5 mins 44 secs
Key learning objectives:
Understanding how to implement good operational risk reporting
Understanding how risk reporting is different for different levels of risk impact
Understand the importance of good risk culture in risk reporting
Overview:
There’s no right way to report risk, but there are many bad attempts which end up hiding the real risk position and potentially confuse the business with irrelevant information. At distinct levels of an organisation, the focus will change with regards to risk reporting. It is more methodological and regulatory at Group level but with more immediateness and calls to action at a functional level.
What is necessary to ensure good risk reporting practices?
Operational risk management is everyone’s responsibility, so the reporting approach, style and tooling must support that to make operational risk management accessible.
Good ORM reporting at a functional level comes down as three core aspects:
- What is the business-as-usual ORM environment?
- What has gone wrong outside of the BAU that needs escalation?
- What is our position of risk vs. our appetite?
What are the different scenarios that could arise when a risk crystallises?
It is important to reiterate that no matter how effective the risk mitigation is, it is likely that two scenarios will arise over time, predicated on something going wrong.
Firstly, something could go wrong which you measure the impact of and find that the impact was the same as or less than your residual risk position expected out of the RCSA.
Secondly, something could go wrong which has an impact greater than the residual risk position you had approved, or where you hadn’t identified the risk in your processes.
An institution with insufficient maturity in the ORM approach will treat the two in an equivalent manner. This compounds the problem through same post-incident reporting and write-ups for both approaches and this is wrong. It is important to invest less in duplicative reporting and skip trying to remediate the risk if it does not need to be so (as in the first case where a risk crystallises with an impact lower than the assessed risk).
Missing a risk or assessing a risk lower than a crystallised event likely requires re-assessing the risk and remediation of the underlying issue to help get the risk back within appetite. It’s here that management time is better spent, understanding the root cause of the issue and ensuring it is better identified, evaluated and controlled going forward.
Why do we need a good risk culture?
Good risk culture ensures that unless there is obvious individual accountability, such as fraud, that the investigation, analysis and remediation are not a ‘punishment’ or a blame process. Issues will not be escalated openly if management or other lines of defence pounce on individuals or seek to always attribute errors to people, rather than is often the case, poor management instruction, unstable systems that require investment or other less easy to fix issues.
When we report, we need to triage that reporting to those things that management needs to know (all material errors) but then focus on those that they said they didn’t accept or where they didn’t know about it.
Paul Rosen
There are no available Videos from "Paul Rosen"