Balancing Acts: Are Financial Firms Effectively Addressing the Full Spectrum of Key Operational Risks?

The Financial services sector is highly focused on managing credit risk, market risk, financial risk, and fraud – with an aim to protect the investments made by clients and to ensure profitability. They are constantly monitoring interest rates, stocks & shares, and currency fluctuations and making contingency plans for those that default on payments to make sure the books balance. Many financial institutions have large teams focused on this area, but what about those daily operational risks or strategic risks that could affect their ability to offer their services? These are equally important for financial services firms – to ensure they remain operational and deliver their vital services.

In this blog we take a deep dive into the key operational risk areas facing the financial services sector and explain how the latest GRC technology is supporting risk teams to get a holistic view of risk and implement the right controls to keep operations running.

What are the biggest operational risks facing financial firms?

Cyber Security & Data Privacy – Most financial firms rely on a digital operating model – relying on a whole host of systems & applications to keep their organisation running. This has made IT & Cyber risk management a top priority in these firms. They must monitor cyber threats like phishing attempts, hacking, and ransomware attacks and put controls, policies, and training in place to mitigate the risk. They must also comply with the relevant data privacy regulations by implementing the necessary compliance procedures and policies to mitigate compliance risk in this area.

Technology Failures & Outages – Relying on so many systems & applications makes technology failures a huge risk. Loss of power, internet downtime or the failure of a key system can seriously impact operations and must be carefully controlled.

Third Party Risk – Financial services firms rely on a network of suppliers & vendors to keep their operations running smoothly bringing third-party risk management into sharp focus. Financial firms must perform regular vendor risk assessments, benchmarking, and scoring to understand the risks their vendors pose. They must implement KPIs and SLAs to ensure suppliers are performing in line with the agreed terms and set controls to mitigate unwanted risk.

Employee Related Risk – Staff themselves pose a risk to the organisation, there can be challenges around talent acquisition, staff retention, mistakes & misconduct, and contractor outsourcing – these should all be monitored as potential risks and organisations should introduce relevant controls and policies to reduce the risk.

Reputational Risk – Any risk areas that could create bad publicity and damage the company reputation should be carefully managed. Incidents such as bad customer service, negative environmental impact, unethical trading, and compliance breaches can see companies hitting the headlines and losing customers as a result.

Compliance Risk – Financial firms have certain operational procedures they must follow to achieve compliance with mandatory regulatory obligations. Compliance monitoring and regulatory change management procedures must be implemented to quickly understand areas of noncompliance – to address them before they become a risk.

Strategic Risk – Most financial firms will have a long-term strategy – sometimes this will be planned out over several years and will involve taking a lot of risks like opening new sites, entering new markets, adopting new technology, or implementing new operating procedures to ensure operational efficiency. There will be a whole raft of risks that could impact the organisation from achieving their strategy, and these risks should be carefully monitored to ensure the strategy remains on track. Firms should be able to use their risk management programme to make strategic decisions about the direction of the business so they can understand the likely positive and negative outcomes of activity – before they take the risk.

ESG related Risk – Environmental, social, and governance factors should also be carefully managed by financial firms. Having the correct governance procedures and operating ethically can generate business, the public want to deal with socially responsible ethical firms that respect environmental issues, therefore risks in this area should be carefully managed.

How can financial firms get visibility of operational risk?

To get visibility of operational risk across the entire organisation, firms should compile a thorough risk register of their full spectrum of operational risks. Each risk should be rated and categorised and allocated an owner. Regular risk assessments & monitoring should be implemented to keep track of risk levels. Firms should establish key risk indicators and ensure stakeholders are notified when risk reaches an intolerable level. 

It is not enough to just have a small risk team managing operational risk. Most risks happen on the front line, across a variety of different teams, departments, and sites. Therefore, it is important to embed risk management throughout the organisation by enabling individuals of all levels to carry out risk assessments, checks, and monitoring tasks that feed into the wider risk management programme. This helps risk teams to collect as much data as possible to build a realistic view of risk across the enterprise.

It is also not enough to just understand and monitor risk, organisations must have sufficient controls in place to reduce or mitigate unwanted risk. Every risk should be linked to a control and these controls should be checked regularly to monitor their effectiveness.

Risk should also be linked to a comprehensive incident management programme – after all many incidents occur due to risk events and failed controls. Similarly, if an incident keeps happening it should be added to the risk register and relevant controls should be implemented to lower the risk of it happening again.

Risk management programmes should have comprehensive reporting – enabling risk teams to quickly view a high-level summary of the risk register and to drill down into problem areas, control effectiveness, risk mitigation plans, and outstanding actions & tasks. It is useful for firms to be able to access heatmap reports to understand likelihood & impact and view bow-tie analysis to understand causes & consequences.

Integrating the “Three Lines of Defense” model into our risk management framework enhances visibility and control over operational risks by delineating clear roles across operational management, risk and compliance functions, and internal audit.

Challenges with Managing Risk Manually

Many smaller organisations start out using spreadsheets and manual processes to manage their risk management programme.  While it can be a good place to start for some smaller firms, as organisations expand, it becomes unmanageable. Complex processes like risk management require multiple users, complex data mapping, control monitoring, automation, strict data governance, and in-depth reporting & analytics – and spreadsheets simply don’t offer this level of functionality. 

Using manual processes results in:

• Poor quality risk data due to lack of data governance. 
• Duplication of effort and increased admin as data often needs to be transferred between forms and various spreadsheets.
• Disjointed & siloed processes – spreadsheets don’t integrate, making it hard to get a consolidated view of risk across multiple spreadsheets & data sources.
• No standardised risk framework, making to hard to prioritise the most critical risks.
• Access issues resulting from multiple employees trying to access the same spreadsheets -often resulting in over written data. 
• Poor accountability as there is no user tracking – making it hard to know who amended what.
• Disjointed processes – making it hard to link risks to the relevant controls or associated incidents.
• A lack of automation means all risk assessments are sent and chased up manually, data is transferred manually, and there are no automated notifications and alerts to flag problems or workflows to formalise processes and manage risks through to resolution.
• Time consuming and cumbersome reporting that only gives a moment in time snapshot of events.

How can GRC technology help financial firms to automate operational risk management?

GRC technology offers a wealth of functionality to support financial firms to automate their operational risk management process and get a consolidated view of risk. These intuitive solutions enable organisations to set up a comprehensive on-line risk register, where multiple departments can directly log risks, and risk can easily be categorised and rated using a consistent risk framework.

Risk assessments, questionnaires, and surveys can be rolled out via online forms with all data feeding directly into the platform. This makes it easy for risk teams to collect sufficient risk data to calculate the likelihood, severity and impact of risk and generate risk ratings. Transactional & operational data can be pulled into the solution from other systems & data sources via API connections – enabling teams to set Key Risk Indicators (KRI’s) and define risk tolerances based on real data.

Once the system is established and the risk register is completed, teams can set controls to monitor risk on an ongoing basis and automated notifications & alerts are sent when the degree of risk reaches an intolerable level. Organisations can define a risk appetite based on KPIs & tolerances and set controls to ensure they operate within it. Teams can establish a fully functioning ‘controls library’ and perform regular control testing to ensure controls remain effective.

Employees of all levels have personalised dashboards where they can perform risk related tasks such as completing risk assessments & control checks – without having to view complex risk registers. This enables risk teams to capture more data than ever before – building a broader view of risk. Automated workflows can be used to escalate risks, or to manage risk events through to resolution. All activity in the platform is date and time stamped and can be traced back to the relevant user ensuring accountability.

More advanced organisations use risk management platforms to uncover potential opportunities for growth. Instead of simply using the tool to mitigate risk, they use the analytics capabilities to weigh up potential outcomes – enabling them to take a calculated level of risk in pursuit of their strategic objectives.

GRC platforms create a risk aware culture. They eliminate time consuming admin tasks and reporting – leaving risk professionals time to analyse risk data and introduce measures to reduce risk & support decision making – rather than performing admin tasks. 

Software engages the entire organisation in the risk management process and ensures all stakeholders across the business can log risks and take ownership of risk. This makes risk management more accessible, accountable, trackable, and resolvable – providing visibility to leadership teams – and the automation saves time and valuable resources.

GRC platforms can auto generate instant reports – enabling an organisation to get a complete view of their risk profile and drill down into the detail to address problem areas.

If improving operational risk management is a key concern for your organisation, reach out to Camms for a demo and discover how the latest GRC technology could streamline and automate your processes.