Operational Risk is an umbrella term for a broad range of risks linked to people, processes, systems and external events. These risks are, and always have been, at the heart of the Governance, Risk and Compliance (GRC) agenda. However, current regulatory focus and recent media headlines make this a good time to take a fresh look at operational risk training. Find out more in this blog from Eukleia’s Principal Learning Consultant, Liz Hornby.
At this time of year, we are all looking forward to what the New Year might bring. For risk managers in the financial services sector, this includes reviewing their organisation’s risk management frameworks and ensuring that they are fit for purpose for the year ahead.
Key operational risks for 2019 are likely to be linked to people, systems and external events – and recent cases have shown that these risks are often difficult to separate as they have become increasingly linked and interdependent.
Operational risk: focus on people
In the last 10 years, in the aftermath of the financial crisis, there has been increasing recognition that people are an organisation’s first line of defence. However good your policies and procedures and systems are, culture and conduct are the vital ingredients that protect organisations, customers, markets and reputations.
For every regulatory risk that crystallises within an organisation, from benchmark fixing to mis-selling, there is an employee who did not follow the organisation’s values, policies and procedures and processes – and usually more than one who did not recognise a problem or failed to escalate it.
The Senior Managers and Certification Regime (SMCR), which will encompass the entire UK financial services sector by the end of 2019, recognises the importance of people risk and is built on the foundations of individual accountability and responsibility at all levels of an organisation.
Operational risk: evaluate systems
The recent departure of TSB’s CEO, Paul Pester 1, in the wake of the bank’s IT meltdown and his uncomfortable appearance in front of the Treasury Select Committee threw the spotlight only too well on systems risk; a risk that grows as organisations and their customers become increasingly dependent on technology.
The importance of systems risk was also highlighted in a recent speech by Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the Financial Conduct Authority (FCA). She spoke about the risks associated with cyber crime and technology resilience2. In the speech, she also shared some of the main findings of the FCA’s ‘Cyber and Technology Resilience: Themes from cross-sector survey 2017 – 2018’3.
The key takeaways from her speech include:
- Firms have reported significantly more outages and cyber attacks over the last year
- Cyber security is not just a technology risk; it is a human (people) risk
- According to the FCA’s survey, nearly half of firms do not upgrade or retire old IT systems in time
- Only 56% of firms say that they can measure the effectiveness of their information asset controls.
Under the SMCR, Senior Managers are required to demonstrate that they have taken ‘reasonable steps’ to identify, mitigate and monitor system risks and will be held personally responsible for failures that fall within their Statements of Responsibilities.
Operational risk: mitigate the impact of external events
External events are the ‘wild card’ of operational risk. The ever-changing legal and regulatory environment keeps many risk professionals up at night and next year this will be combined with the uncertainty of Brexit and a turbulent global economic and political landscape. This could create a perfect storm.
How operational risk training can help
Effective training mitigates operational risk and focuses on ensuring that all employees know:
- How to recognise ‘red flags’ in their role
- How to recognise when systems are at risk or under attack
- How to recognise when processes are failing or have failed
- How to escalate operational risks, including near misses
Beyond these key knowledge checks, it is also important that training addresses the softer skills too. Employees must be motivated to protect their organisation and comfortable challenging decisions, asking questions and escalating problems without the fear of reprisal.
We’ve just relaunched a range of courses on key operational risk topics. Find out more and access a free trial here.
1. The Guardian (2018), ‘TSB chief Paul Pester steps down after IT meltdown’↩
2. FCA (2018), ‘Cyber and technology resilience in UK financial services’↩
3. FCA (2018), ‘Cyber and Technology Resilience: Themes from cross-sector survey 2017 – 2018’↩