Op risk managers must be ‘change agents’, says Fed official

Operational risk professionals should pivot from acting solely as risk managers to being strategic advisers to senior management and boards of directors, an officer at the Board of Governors of the Federal Reserve System told delegates at the OpRisk North America conference in New York today (March 16).

Gwendolyn Collins, who heads the Fed's risk policy, and systems and operational resiliency policy teams, said the role of op risk managers had become more strategic than in the past and required a broader skill-set than before.

"Today, op risk managers are expected to be change agents, often leading business process reviews and transformations, as well as full business line strategy transformation," she said. "Op risk managers are expected to be builders, engineers and innovators, setting up strong internal control environments, sound governance and processes; putting in place committees and task forces where needed."

Op risk managers must handle "new regulation, new technology, and dynamic financial management processes", and must be more tech-savvy and capable of identifying and assessing cyber risk across firms – especially where growth and acquisitions have made technology infrastructure more tangled, she said.

"We are all finding there are pockets of our firms that are in dire need of this expertise which you bring to the table," Collins said.

She described cyber security as the "leading topic in boardrooms today", and explained how the growing threat of internal and external cyber attacks has increased operational risk within financial institutions, placing new demands on managers' time and attention.

"Op risk managers have moved from managing and monitoring ongoing IT risk to being able to serve as strategic advisers in considering and evaluating options and plans for firms to take in the area of cyber security," said Collins.

She also emphasised the importance of linking operational risk reports to specific strategic initiatives in order to make them relevant to senior management and board-level executives. This would help op risk managers get their voices heard in board meetings, she noted.

Collins made a distinction between members of the strategy team at banks and op risk professionals, saying the former lacked the ability to summarise op risk information in a clear and concise way for consumption by senior management and board members.

"You will have strategy teams that think internal controls can be summarised in certain bullet points," she said. "We all know that unless you really understand the core backbone of the internal controls and understand what their vulnerabilities and weaknesses are, you are not going to be able to communicate effectively to the board."