This article was paid for by a contributing third party.
Adapting to technological change in op risk management
Baker McKenzie‘s Jonathan Peddie explains how the role of operational risk manager has evolved in recent years, how financial firms are managing increasing demand for data privacy and transparency, and how technological advancements over the coming decade will change operational risk and its prevention
The scope and scale of operational risk managers’ responsibilities have grown dramatically in recent years. How can managers keep pace and drive efficiency in their op risk management processes?
Jonathan Peddie: Whether outsourcing, data compliance or conduct issues such as mis-selling, risk managers need to design and implement effective processes to identify, manage and monitor op risks. A key element of this – as the UK Financial Conduct Authority (FCA) has made clear through enforcement notices – is to establish an appropriate, consistent risk appetite from board-level downwards. This will drive key decisions such as those around how much tolerance to allow and whether – and to what degree – substitutability and recoverability of systems and processes is required. For conduct issues, processes to monitor and promptly remediate non-compliant behaviours will be especially important. Critical to all of these activities is adequate resourcing – although technological solutions are of increasing relevance – and the ability for risk managers to raise issues when necessary at board-level, which the Senior Managers and Certified Persons Regime (SMCR) will facilitate.
Although 2019 op risk losses were down on previous years, theft, tax evasion and embezzlement remained prominent. Is regulation such as the SMCR the answer to tackling conduct risk?
Jonathan Peddie: Regulation can only go so far. Rather, culture has been an acknowledged key root cause of the major conduct failings across financial services in recent years. The SMCR, by clarifying responsibility and accountability at senior management level, is seen by regulators as an important tool in improving culture and therefore reducing conduct risk. In a foreword to the FCA’s discussion paper on transforming culture in financial services, Jonathan Davidson, director of supervision at the FCA, said there is no single culture for firms to aspire to, but that “healthy cultures have some specific characteristics that reduce harm”. In his view, regulation has to hold the individual as well as the firm to account. In effect, regulatory penalties should not simply be the cost of doing business, and senior managers need to have clearly articulated what they are accountable for and their key responsibilities.
Data compromise is a perennial concern for op risk managers. How are financial firms coping with increasing demand for data privacy and transparency due to regulation such as the European Union’s General Data Protection Regulation (GDPR)?
Jonathan Peddie: With the advent of GDPR, data compliance is now much more than a box-ticking exercise of having all the right policies in place. The best firms at managing risk have taken steps to see that compliance is embedded at a deeper level, ensuring that data protection has become part of the culture of their organisation. This reflects requirements under GDPR to ‘bake in’ data protection to business practices, from the design stage through the entire lifecycle of a project – “data protection by design and by default”. Data sharing – in the context of open banking, open finance and beyond – can complement or clash with individuals’ rights under the GDPR, so firms must adopt a connected approach to navigate these potentially competing demands.
Customer demand and technological advances are putting pressure on financial firms to overhaul their creaking IT infrastructure. What can be learned from the market’s experience about the risks involved?
Jonathan Peddie: Migrating or upgrading from various legacy systems to new IT platforms can be complex, requiring detailed planning and testing. Despite such preparations, some issues will invariably arise. Contingency planning is therefore essential on the basis that not everything will always go to plan. It is also important to ensure improvements to IT infrastructure are not too ambitious, and that those involved – including key IT contractors – are sufficiently experienced and ready. Attestations and supporting evidence should be sought in this regard. Depending on the scale of the project, management at an appropriately senior level must fully understand, consider and scrutinise key aspects of any project and, in particular, where relevant, non-executive directors must challenge it – all of which should be documented.
As well as identifying significant risks to a project’s success, management should ensure sufficiently robust contingency plans are in place to protect customers – and, if relevant, to safeguard market stability – should the risks crystallise. The appointment of independent advisers can provide both objective and expert review for managers as they scrutinise major projects. Larger firms with dedicated Prudential Regulation Authority (PRA)/FCA supervision teams should keep them updated on the progress of important projects.
Regulators have identified operational resilience as a key pillar in maintaining the stability of the financial system. What actions should firms prioritise in building resilience?
Jonathan Peddie: Firms should prioritise understanding the systems and processes that support their key services to customers, including those outsourced to third parties. It is vital to appreciate the impact of an individual system or process failing and how easily it can be substituted or speedily restored. Firms often wrongly assume interruptions will be of a short duration. Putting in place and regularly testing contingency and fallback plans – although potentially expensive – is essential and should form a key part of business continuity planning. Outsourcing technology, due to its very nature, is subject to only indirect control and therefore requires particular oversight and consideration. It is no coincidence the FCA has recently published a consultation on outsourcing and third-party risk management, which follows the European Banking Authority’s (EBA’s) updated guidelines on outsourcing arrangements that took effect in September 2019.
Climate risk is scaling the op risk agenda, but is particularly complex for firms to measure and manage. How can firms improve their risk assessment and governance processes in this area?
Jonathan Peddie: To improve their processes, firms should integrate an assessment of climate change risks and opportunities into their business, risk and investment decisions. In doing so, they can also take advantage of climate-related disclosures, for example, from securities issuers in deciding whether to offer customers a specific product or service. A forward-looking and strategic approach is also required. This implies a move away from short-termism to take account of risks that could impact in the medium to long term. In this respect, following and sharing best practice is desirable. To this end, the Climate Financial Risk Forum, an industry group co-chaired by the FCA and PRA, has been established to reduce the obstacles firms face in devising such forward-looking approaches by developing practical tools and methodologies.
What will keep op risk managers awake at night in 2030?
Jonathan Peddie: Technological change is gathering pace. The use of artificial intelligence, machine learning, distributed ledger technology and other similar tools will be integral to the operation of most businesses and the provision of services to customers in the future. It is essential that boards, senior management and risk management fully understand these financial technology applications, or risk failing to effectively manage the operational and regulatory risks to which their businesses are exposed. An investment in the training and development of all staff is called for, as well as an understanding of the supervisory expectations of regulators, which face their own educational challenges in this regard, and whose rulebooks may inevitably be a little behind the curve.
Jonathan Peddie is a partner at Baker McKenzie and chair of its Financial Institutions Industry Group
jonathan.peddie@bakermckenzie.com
+44 20 7919 1222
bakermckenzie.com
Sponsored content
Copyright Infopro Digital Limited. All rights reserved.