Book of the year: Chapelle wins for best practices work

In 2017, Ariane Chapelle told an audience of sceptical financial professionals at a conference in Vienna that operational risk would in time become a greater source of concern for the financial industry than credit risk and market risk. Three years later, perhaps sooner than first imagined, she believes that moment has arrived.

“Back then, I said that credit risk and market risk are not the most threatening risks for the banks, because they understand them well, which is less the case for operational risk. Now, three years down the line, it is almost indisputable that operational risk has the lion’s share of attention,” she says.

The Belgian-born academic has become one of the foremost practitioners in the market, helping drive good op risk management to the top of the agenda for a roster of clients including many of the world’s largest banks. Her book Operational risk management – best practices in the financial services industry has been praised for furthering this message with clarity and good sense, and has been adjudged Risk.net’s Operational risk book of the year.

The progress that the industry has made is perhaps underlined by its resilience during the recent Covid-19 market dislocation. Almost overnight, the banking industry shifted to an entirely new model of working, without (so far) suffering a major failure, such as a collapse of a payments system or a successful cyber attack.

But Chapelle has some trenchant criticisms to offer the industry. Firstly, resilience in the face of Covid-19 does not mean that banking had assiduously prepared for major dislocation as a result of a pandemic. In the UK, the current regulatory drive towards forcing firms to focus on ensuring operational, rather than merely financial, resilience had been grounded instead in instances such as the outages customers experience during the attempted migration of 1.9 million TSB accounts from Lloyds to Banco Sabadell in April 2018.

The pandemic has also demonstrated the value of scenario analysis, and this is something that is often, and inexplicably, underutilised in the operational risk management of many institutions, says Chapelle. In addition, Covid-19 underlined the interdependence of risks. Too frequently, the first line of defence (1LoD) and second line of defence examine risk on a discrete, case-by-case basis with insufficient attention paid to the linkages between events.

Chapelle has some trenchant criticisms to offer the industry. Firstly, resilience in the face of Covid-19 does not mean that banking had assiduously prepared for major dislocation as a result of a pandemic

“In financial risk management, it is the correlations between risky assets [that] determine the level of a portfolio. Yet in operational risk management, firms look at risks independently, rather than having a portfolio approach. Covid-19 has underlined the interdependent nature of risks, and the necessity to have more of a systemic approach to risk management,” she says.

Analysis of the interdependence of risk can be learned from other workplaces. One of Chapelle’s favourite concepts outlined in the book is that of bowtie analysis, which is borrowed from industries where it is in common use, such as the oil and gas sector. Rather than looking at a failure in isolation, this approach encourages examination of ‘the causes of the causes’ – a series of seemingly unrelated incidents to establish commonalities, to highlight recurrent weaknesses in an organisation, that can be then addressed with one thematic action plan to fix a series of underlying issues, rather than responding incident to incident.

Chapelle is a great believer in demystifying the business of non-financial risk, and believes that risk managers often unnecessarily complicate the issue with redundant jargon and insufficient clarity, in the mistaken belief that sounding complex indicates intelligence and profundity of thought.

Moreover, the simplest answers are often the right ones. Firms struggle to define risk appetite, yet the solution is there to be found in existing credit risk policy. Rather than developing an entirely new philosophy for operational risk, banks should look to what they know well and build out from there. By mining the rich and deep data that lies in the front office of a business for many years, banks can often find the answers to what seem intractable questions.

Risk supervisors sitting in the 1LOD need to develop a more harmonious partnership with the markets businesses, however, she argues. All too often, an adversarial relationship develops between risk-takers and what are seen as risk-deniers. But rather than simply asking the risk-takers to put up and shut up – which often seems to be the response – Chapelle says risk supervisors need to change their approach.

“Nothing makes me angrier than the words ‘oversight’ and ‘challenge’. They need to say ‘I’m here to demonstrate how good you are’, rather than starting with aggressive and antagonistic vocabulary. To some extent, regulators are guilty of fostering this approach,” she says.

Another concept that shines through in her work is the idea of positive risk management. Chapelle believes banks need to rediscover the value of taking calculated risks – that risk management should be seen as the enabler of improved performance, not a brake on profitability.

“Risk managers should be a lot more uplifting – otherwise, they will be the people that everyone else avoids in the hallway,” she concludes.

The book is also the first dedicated work of its kind to be translated into Chapelle’s native French, published in March 2020 as Gestion des risques opérationnels – guide des meilleures pratiques en banque et assurance.