Operational Risk Reporting

Operational Risk Reporting

Paul Rosen

Operational Risk

In this series so far, Paul Rosen has discussed risk appetite, risk identification and risk evaluation within the operational risk cycle. In this video, we will look at risk reporting.

In this series so far, Paul Rosen has discussed risk appetite, risk identification and risk evaluation within the operational risk cycle. In this video, we will look at risk reporting.

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Operational Risk Reporting

5 mins 44 secs

Overview

There’s no right way to report risk, but there are many bad attempts which end up hiding the real risk position and potentially confuse the business with irrelevant information. At distinct levels of an organisation, the focus will change with regards to risk reporting. It is more methodological and regulatory at Group level but with more immediateness and calls to action at a functional level.

Key learning objectives:

  • Understanding how to implement good operational risk reporting

  • Understanding how risk reporting is different for different levels of risk impact

  • Understand the importance of good risk culture in risk reporting

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Summary

What is necessary to ensure good risk reporting practices?

Operational risk management is everyone’s responsibility, so the reporting approach, style and tooling must support that to make operational risk management accessible.

Good ORM reporting at a functional level comes down as three core aspects:

  • What is the business-as-usual ORM environment?
  • What has gone wrong outside of the BAU that needs escalation?
  • What is our position of risk vs. our appetite?

What are the different scenarios that could arise when a risk crystallises?

It is important to reiterate that no matter how effective the risk mitigation is, it is likely that two scenarios will arise over time, predicated on something going wrong. 

Firstly, something could go wrong which you measure the impact of and find that the impact was the same as or less than your residual risk position expected out of the RCSA.
Secondly, something could go wrong which has an impact greater than the residual risk position you had approved, or where you hadn’t identified the risk in your processes.

An institution with insufficient maturity in the ORM approach will treat the two in an equivalent manner. This compounds the problem through same post-incident reporting and write-ups for both approaches and this is wrong. It is important to invest less in duplicative reporting and skip trying to remediate the risk if it does not need to be so (as in the first case where a risk crystallises with an impact lower than the assessed risk).

Missing a risk or assessing a risk lower than a crystallised event likely requires re-assessing the risk and remediation of the underlying issue to help get the risk back within appetite. It’s here that management time is better spent, understanding the root cause of the issue and ensuring it is better identified, evaluated and controlled going forward. 

Why do we need a good risk culture?

Good risk culture ensures that unless there is obvious individual accountability, such as fraud, that the investigation, analysis and remediation are not a ‘punishment’ or a blame process. Issues will not be escalated openly if management or other lines of defence pounce on individuals or seek to always attribute errors to people, rather than is often the case, poor management instruction, unstable systems that require investment or other less easy to fix issues.

When we report, we need to triage that reporting to those things that management needs to know (all material errors) but then focus on those that they said they didn’t accept or where they didn’t know about it. 

Speak to an expert

Speak to an expert today to access this and all of the content on our platform.

Paul Rosen

Paul Rosen

Paul Rosen is responsible for the First Line of Defence, Front Office Regulatory Advisory and Operational Resilience at NatWest. He previously worked in the Williams & Glyn divestment from the Royal Bank of Scotland. He is a fellow of the Institute of Chartered Accountants in England & Wales and a member of the Association of Corporate Treasurers.

There are no available videos from "Paul Rosen"