It Takes a Village to Manage Operational Risk



Whose job is it to manage operational risk?

  • The Chief Risk Officer? Check
  • Operations Management? Check
  • Compliance? Check
  • Data Management? Check
  • Technology Providers, FinTech and RegTech? Check
  • Yours and mine? Check!

This morning I had the pleasure and privilege of moderating a great panel discussion on Big Data Analytics for Risk Management. The distinguished panel included Dr. Bob Mark, who was at one time CRO for a Tier 1 bank; Dr. Ravi Kalakota, who advises some of the biggest banks in the world on data strategy; and Shirish Netke, who is CEO of Amberoon, a San Francisco-based startup that uses advanced machine learning for a highly visual AML monitoring solution.

On this one panel we were able to speak from the perspective of the Chief Risk Officer, Chief Data Officer, Operations Executive and Technology Provider. It turns out that all of our roles are necessary for risk management.

Data-driven operational risk management is absolutely critical. Regulators expect it, boards and shareholders expect it, and it significantly impacts the bottom line because of risk-adjusted capital requirements and actual losses.

For too long, operational risk management has been characterized by qualitative rather than quantitative methods. Heat maps, Key Risk Indicators, and prose statements abound in banks of all sizes.

What are the big challenges?

  1. The necessary quality and timeliness of data simply isn’t there. Those banks that have invested in enterprise-wide Master Data Management projects have found the task overwhelming and, in many cases, abandoned the effort. In any case, for most, there simply isn’t sufficient funding for such a massive project unless it is regulator-required.
  2. The tools for analyzing the limited data that is available tend to use brute-force rules-based filtering. Because of the huge potential cost of missing something important, banks have to be very conservative in the setting of rules, which results in huge volumes of false positives. (Shirish used this wonderfully unsubtle illustration to explain false positives and false negatives.)
  3. Development organizations do not have the subject matter expertise to develop point solutions for specific operational risk management projects. This is exacerbated by trends to outsource operational development.
  4. Enterprise data management organizations lack the funding for a series of focused projects to collect data from multiple sources, harmonize and cleanse it, and manage it for ongoing quality.

We explored a particular area of risk management – Anti-Money Laundering monitoring – as an example that applies to a wide range of risk management activities. What we discovered in our conversation is that:

  • The CRO can’t manage money-laundering risk without due diligence from operations and compliance executives. They in turn need good data, no matter what processes are in place. The CRO and ops/compliance execs need the CDO.
  • The Ops and Compliance execs can’t monitor transactional activity effectively without throwing huge numbers of people at the problem, and even that is in itself error-prone. Ops and Compliance need the CDO and technology providers.
  • The CDO can drive targeted, domain-specific programs for data management only with the right funding. Since line-of-business priorities typically drive project funding, it is up to the CRO to fund risk-driven data projects. (The lines of business will benefit, but not enough for them to provide significant funding.)
  • The internal technology organization is overwhelmed with demand for product enhancements, with limited scope for operational and reporting needs. Risk and compliance subject matter expertise is also in great demand and very expensive. RegTech has a great opportunity to address this need.
    • False positives represent a high cost in managing AML operations.
    • False negatives represent a significant regulatory risk. 
    • Regulators continue to push for a risk-based approach to AML, but it is hard to implement.

The RegTech challenge, in partnership with its banking customers, is to minimize costs without increasing risk.

So, our conclusion is that only through multiple village chiefs (CRO, CDO, Ops and Compliance Execs, CIO with RegTech) can big progress be made in managing operational risk.

With good, well-analyzed data, operational risk will be far better managed in the future. But whichever perspective you have, don’t forget to partner with the rest of the village!

Graham Seel, a 30-year banking veteran, runs BankTech Consulting. He is an expert in commercial banking, and provides strategic insight and internal business cases to banks. He works as a fractional Customer Success Executive to Fintech firms, facilitating their partnership with banks. This blog was originally published on LinkedIn.