Driving Business Value from Operational Risk Management

CRO Risk Council & POPP risk GROUP

The focus of this study1 is on transitioning the theory and current practice of operational risk today into a business value-added2 discipline.

This paper is the property of the POPP risk GROUP LLC (POPP) of Canton, Massachusetts. We encourage you to distribute this paper freely to employees of your firm, and to your regulators, but respectfully request that these results not be shared with any consultants or service providers. The material contained in this paper represents a competitive advantage to POPP, which would be dramatically reduced if our competitors were given access to the information contained herein.



Today's Business Burden

Operational risk needs to continuously add value to the business to survive and flourish.

With the regulatory emphasis on operational risk shifting away from measurement, many practitioners are coming to realize that operational risk does not deliver the necessary business value from either a measurement or management perspective. As a result, many in the business today see operational risk as a burden.


Over the last 14 years, we’ve been so focused on covering the regulatory bases (including the Basel accord on operational risk and the governmental emphasis on strong regulation following the great recession) that we haven’t taken the time to confirm that the practices we implement to satisfy regulatory requirements actually deliver business value. Operational risk needs to continuously add value to the business to survive and flourish. If it is not adding business value, then the operational risk function is at risk of being severely cut by executive management.



Opportunity for Positive Change

Practitioners agree that, as an industry, we cannot afford to take a step backward. We must embrace the reality of today and seize the opportunity to enhance the art and science of operational risk management. One study participant put this in perspective when they said, “We’ve all seen the substantial losses that operational events can cause, which many would agree played a significant role in the last financial crisis.”

An integral part of doing business is taking operational risk and managing it efficiently and effectively. We need to look hard at where operational risk provides business value (and give it more attention) and where it provides little or no value (and whenever possible and practical, reduce the time spent on those activities). We need to eliminate confusing roles & responsibilities, ensure the right people are in place, and rationalize overlapping functions. Finally, we need to engage the businesses as they have a strong vested interest in helping us get the mechanics of operational risk right.



Findings and Recommendations


Three Findings

We believe the following findings describe the current state of operational risk management:

Finding 1

Nobody asks the business to articulate what is valuable to them. The businesses want to know which risks could cause material loss to their businesses. One CEO explained, “It’s not always the financial impact that can cause the most harm because in today’s world reputation can be so easily damaged …”. Many on the corporate risk team assume the RCSA3 will give them most of the answers, which is unfortunately not the case. The RCSA focuses on expected losses and does not effectively cover unexpected and catastrophic losses. Unexpected losses are often most important to the business head and their direct reports. These are the risks that could ruin earnings for a quarter or a year and could cause a complete business management turnover if they were to manifest in a business.

Finding 2

The Risk Control Self-Assessment (RCSA) is a core element of operational risk functions, but provides little business value. Unfortunately, many RCSAs occur too frequently, are burdensome and complex, overlap with other assessments from the IT risk and compliance functions and are completed out of step with the natural rhythm of business processes. This is further exacerbated by the fact that the output of RCSAs consistently lack value, fail to provide new insight and are often put on a shelf not to be reviewed again until the next RCSA process cycle.

Finding 3

There is significant confusion around corporate operational risk’s4 role and responsibilities. Business risk officers are frustrated because they perceive the corporate risk officers to provide little to no business value. This applies to how corporate risk officers provide advice, challenge business decisions and risks, and design and execute risk assessments, as well as to their lack of relevant business knowledge and their general attitude towards working with the business.


Three Practical Recommendations

The main focus of the operational risk function should be on providing value to the business. The business should be the ultimate adjudicator as to whether or not something adds value, rather than letting regulatory compliance focus their efforts. We all know that regulatory compliance, while critical, does not always translate into value for the business as regulators approach this with a much different perspective and priority (e.g. ensuring stability of the financial system and mitigating systemic risk). As a result, we suggest:

Recommendation 1

Focusing our efforts on practices that have proven to add business value. It is important that we leverage those operational risk practices that have proven to add value to the business at other organizations. In order to best assure this is successfully accomplished, we suggest: (a) an open, bi-directional communication channel with each of the businesses to assert, then test business value; (b) clear, separate processes to identify, respond, monitor and report on the risks (outside of risk appetite) that are most worrisome to the business head (i.e. unexpected risks); and (c) empower the business to “accept” risks subject to the risk being within risk appetite. This involves developing a thoughtful cost/risk analysis, and following clear escalation protocols, all in a highly transparent way.

Recommendation 2

Terminating (or at least streamlining) what’s not adding value (but what is adding cost). We need to reexamine those processes that don’t deliver on the value promise. We must reduce their frequency, streamline and simplify them, consolidate them, embed them or simply stop doing them.

Recommendation 3

Defining how corporate risk should interact with the business. We should reexamine the working relationship between corporate risk and the business to assure regular, value-added interactions. We should work to understand: (a) what kinds of people are needed in corporate risk; (b) how / if they align with the business; (c) what their tangible deliverables are and ensure they are clearly defined and agreed; (d) how corporate operational risk should conduct itself; and (e) where are there overlaps in roles & responsibilities that we can eliminate and consequently provide cost savings.



Positive Observations

This section describes six operational risk program attributes that are positive and worthy of note:

Attribute 1

Financial Institutions are highly focused on cyber risk. Most of the firms that we spoke with have a cyber-risk framework and committee. This is important as cyber risk, in all forms, is considered one of the biggest threats to the financial industry.

Attribute 2

Systematic coverage of new initiatives. Everyone agreed that the new initiative process (with regards to operational risk) is valuable as it addresses one of the biggest sources of new risk: new products, processes and systems. One business manager commented, “Operational risk [in general] doesn’t tend to change outcomes, but the new initiatives committee routinely comes up with new outcomes.”

Attribute 3

Establishment of a risk officer forum. These forums include all operational risk officers from the business and corporate risk functions and serve as a great way to identify what’s adding value (and what’s not). Additionally, they serve as a mechanism to solicit feedback on new ideas and build awareness and equity with the businesses and others outside of the operational risk function.

Attribute 4

Many have the basics of risk culture5. Risk culture is really the last bastion of operational risk management. When policies, programs, procedures and protocols fail, it is the firm’s risk culture that must ultimately prevent losses (e.g. see something, say something). Elements of an effective program include, for example: (a) having 6 – 12 key risk behavioral attributes6 that are important to the institution; (b) testing them as a part of the annual employee survey; (c) establishing linkages with HR (feedback, escalation and risk-based compensation); and (d) offering one or more risk culture training courses.

Attribute 5

Establishment of business risk committees7. These business specific risk committees are most effective when they focus the majority of their time on sourcing, discussing, prioritizing, and responding to unexpected risks. This is compared to committees that are more focused on reviewing issues, actions and updates. These committees create business value as they focus on those operational risks that could significantly damage that specific business.

Attribute 6

Control optimization. Many firms are identifying, analyzing and strengthening (as necessary) the key controls surrounding their operational processes. In some cases, firms have been able to reduce key controls by as much as 50%.


1 We interviewed 67 individuals at 22 financial institutions. This included seven CRO Risk Council firms and 15 global and regional financial institutions in the US and Canada. Interviews were with: CROs, business heads, CEOs, senior business executives, first line operational risk officers, second line operational risk officers, heads of operational risk, and executives in compliance and enterprise risk. We employed an open-framed interview style (e.g. broad questions were used to set the context for the answer, rather than specific survey questions). See section “Our Research Approach” for further insights into the process behind this study.

2 By business value we mean, for example: (a) reduction in the number and size of expected losses; (b) higher quality processes, due to a better, documented understanding of those processes; (c) improvement in the predictability of business profitability by avoiding large unexpected losses; (d) improvement of audit scores and regulatory reviews; and (e) achieving business objectives (e.g. new anticipated business volumes).

3 The RCSA is designed by corporate risk management to enable the business to self-assess their expected risks. This occurs for each business and corporate process by identifying and quantifying the inherent risk, assessing the effectiveness of the key controls and producing a residual risk. This residual risk is then “actioned” or “accepted” as is.

4 The corporate operational risk function is the second line of defense which is responsible for challenging the conclusions of the first line, in addition to, for example: defining corporate policy, procedures, roles and responsibilities, risk appetite, reporting, etc. The first line is the business which owns the risks and responses and is responsible for executing the corporate risk policies, processes and reporting that the second line specifies. The first line also defines and owns their own policies and procedures. The third line is the internal audit function. The Canadians split both the first and second line into two parts, namely [1A], [1B] for the first line and [2A] and [2B] for the second line. [1A] is the actual business. [1B] is the embedded operational risk function. [2A] are the corporate risk disciplines (e.g. HR, Legal, IT Security, Compliance, etc.) and [2B] is the corporate operational risk function. For the purposes of this paper, we will use the first of the two definitions.

5 More on risk culture can be found in the 2016 CRO Council paper entitled, “Enterprise Risk Management (ERM) Effective Practices”. Please call or email for a copy.

6 Some examples of key risk behavioral attributes include: (a) the business owns the risk; (b) each risk should be specific with a specific response (e.g. action plan, accepted, contingency); (c) everyone is encouraged to report risks (from anywhere) without fear of negative consequences.

7 In small to medium sized financial institutions, there is one business risk committee per business that covers all of the businesses’ risk types – including operational risk. For large institutions, often each business has its own operational risk committee.





CRO Risk Council
Copyright © 2018 POPP risk GROUP LLC. All rights reserved.
Confidential and Proprietary to the POPP risk GROUP LLC





510 Chapman Street, Suite 201, Canton, MA USA +1.617.851.7677