Working with operational risks is not a tick-in-the box exercise. A structured team works with operational risks and incidents leads to a better risk culture, increased efficiency in the organisation and creates business value. The Financial Conduct Authority is increasingly undertaking independent reviews of regulated firms which are focused on risk culture. However, while the FCA guidelines on risk culture set out the principles to be followed and how to define, measure and manage it, there is no practical guidance on how to embed a sustainable risk culture in operational systems.
To do that effectively in 2020 and in the future requires a proactive people-centred risk culture where the whole organisation sees operational risk management as a value creating activity. That value comes from improved workplace productivity and preventing incidents happening or recurring, with evidence that structured analysis of root causes of risks and effective implementation of solutions can save a considerable amount of employees’ time.
Analyse root causes not symptoms
In operational processes, issues and risks are often created upstream but the symptoms are seen downstream. For example, when entering an order, an incorrect definition of a financial instrument can lead to incorrect settlement data discovered much later in the process.
When these issues are identified the priority should be to address the immediate problem and then fix the root cause. That might be to re-engineer the process, including supporting systems, and how the team works. It may require the presence of senior leaders, the involvement of cross-functional teams and sometimes even external stakeholders to drive speedy and effective problem solving.
An effective risk culture requires a transparent and simple governance
A tailored and simple governance structure is the foundation for effective management of operational risks. This must be practical and reinforce the organisation’s policies and standards to create a consensus on definitions and common view of how things should be done, with risk reporting seen as everyone’s responsibility. There should also be a recognition that this needs to go beyond a technocratic reliance on institutional control frameworks and tick-box exercises to satisfy regulators.
Effective processes are needed to capture, visualise and manage risks, issues and incidents which give instant feedback to the person who identified a risk or logged an issue or incident, and provide everyone involved with a shared view of the situation. Roles and responsibilities then need to be clearly articulated, and the right resources allocated. The processes must follow a pattern of: do it yourself, if you cannot solve it yourself then involve the team, if you cannot solve it within your own team then bring in other teams and if that is not possible then initiate a project.
At one client we worked with, their operations staff continuously encountered problems in counterparty reconciliation of position valuations for collaterals. To solve this, they brought together representatives from operations, the front office, risk, and IT to look for the root cause. What emerged was that this was a symptom of many issues ranging from the portfolio system receiving an incorrect official closing price to the necessity of re-engineering the collateral management process. The operations staff could not possibly solve these on their own, but the combined knowledge of several departments meant the whole end-to end process could be analysed, root causes could be identified and jointly solved.
A transparent information flow of risks and incidents throughout the whole organisation will then enable it to prioritise effectively, and make informed decisions especially on functional or cross-functional team work to solve risks, issues and incidents.
Involve and motivate your people
There are a number of key steps organisations can take to involve and motivate people to create a proactive and transparent risk culture. The first is to set a clear direction so that all employees understand why a new approach is being implemented. This should then be followed by a focus on a particular area where there are issues and where there is clear potential to improve, all backed up by data to ensure there is a real understanding of the problem and what will make the difference. This must take place in an environment of openness and trust where everything is put on the table.
Then in developing solutions, people at all levels must be involved and contribute to the process. That requires starting with an end-to-end view where the team selects the right problems and addresses root causes.
When any new processes are implemented, they should be simple and transparent with two or three relevant leading and lagging KPIs so that everyone understands how it works, the present position and what the target is. In the beginning, the KPIs can be as simple as measuring the number of identified and solved risks and issues. When the organisation is more mature, it is possible to implement more advanced KPIs, for example the percentage of failed trades of the total amount of entered trades for a specific financial instrument.
Leaders and managers will need to take a proactive role in supporting and coaching and in making sure they know what the real issues are. They should also recognise that implementing new behaviours takes time and the process will be slow and ensure the new ways of working are fully up and running before expanding them to more and more teams.
In 2020 and beyond, this combination of identifying the root causes of any risks, involving everyone in the solutions and making sure they are realistic is the best way to create a risk culture that will both meet the regulator’s requirements and add value to the business.
Jan Hanika is a financial services expert and Gustaf Göranson is operational excellence expert, both at PA Consulting