So you survived the chaos of 2009, but it's time to fast-forward to 2010. How about focusing the second half of 2010 on delivering value to your financial institution through more effective risk and compliance management? In other words, producing the payback to your institution and shareholders for the investment they've made in people, process, and technology.
One way to start this is by looking at these four aspects of your risk and compliance programs:
People. Are operational risk management and regulatory compliance activities and staff integrated within the functional organizational structure, or do they operate as separate silos?
Process. Is there a consistent process for the many risk assessments, compliance reviews, financial control testing, and audits? Is this data shared across your specialists?
Technology. Are you wishing for, or is an executive asking for, a quick consolidated report of top ten risks, associated losses, and control failures to help make informed decisions on investments, mitigation, and loss prevention? Do you use too many unconnected and redundant spreadsheets?
Budget. Is the CEO asking you to do more with less this year?
If the answer to these questions is "yes," then you are ready for an Operational Risk Management (ORM) system. If not, you may need more time to advance your practices (or build up more frustration) before the full value of an ORM system can be realized in your risk management, compliance, and audit activities.
To fully realize the benefits of risk and compliance integration, an ORM system is needed to help manage your exposures by consolidating and streamlining risk assessments, control testing, compliance reviews, action plans, and audits.
Three Categories of Risk
We start with this top down view that bankers are generally exposed to three categories of risk: credit, market, and operational. Of course there are strategic and reputation risks too, but the first three are where we make and lose money.
Credit and market risk can be quantified and actively managed within a few business units (lending and finance). The newest category is operational risk, now internationally defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events; it can include IT, legal, and compliance-related risks.
Operational risk applies to all business units, including lending and finance. Examples of operational risk work include: FDICIA and SOX financial controls; risk assessments for vendors, ID theft red flags, business continuity, information security, and data privacy; consumer lending and deposit compliance reviews; fraud loss tracking; and control testing.
Three Systems to Manage Risk
From a technology perspective, there are three corresponding sets of systems to support these risk management activities: credit stress testing and loan analysis systems; interest rate/asset/liability stress testing and analysis systems; and now a new class of systems for tracking operational and compliance risks.
Most bankers use spreadsheets for management reporting for all three; some use software packages for credit and market risk analysis; a growing number use ORM systems.
To effectively address the above definition of operational risk, we need to get to the business units and analyze their activities for exposures, losses, controls, and compliance. To get there, we need a sponsor, a consistent approach, a management reporting database, and a budget. So we are back to where we started: the four questions and why they are important layers of an integrated risk and compliance program.
Be Proactive. Be Efficient.
To be proactive with operational and compliance risks; to realize the efficiencies of streamlining risk assessments, control testing, compliance reviews, and audits; to allow a centralized risk and compliance team to gain momentum; to offer the business units a better experience when they interact with risk and compliance; and to deliver value to the bank, you need to understand how an ORM system can be an integral component of your program.