By Shankar Bhaskaran, Managing Director – India, MetricStream
Organizations are at the threshold of a new operational risk paradigm. The risk landscape is undergoing a seminal transformation due to cutting-edge technologies, newer business approaches and ever-evolving risks and regulatory frameworks. It is becoming more evident now that existing risk management models and practices needed to keep pace with the rapidly changing landscape are lagging as many organizations continue to take a reactive approach to risk management. The global crisis in the banking and financial services sector in the first quarter of 2023 underscored the problem. For Chief Risk Officers (CROs) tasked with keeping their organizations resilient, modernizing the operational risk management (ORM) approach is more important than ever.
In India, the risk landscape has come a long way. As per the Ministry of Finance, reported bank frauds amounted to Rs. 61,229 crores in 2016-17. This figure progressively dropped to Rs. 648 crores from April to December 2021-22. However, organizations like banks and financial institutions need many more measures to efficiently handle the heightened risks to make the most out of the buoyancy.
It’s time that CROs and risk managers reevaluate their strategies to improve operational risk management (ORM) to remain relevant and effective. They must adapt their approach to address competing risks and priorities while taking steps to enhance organizational readiness for future challenges.
Moving from Risk to Resilience
While ORM continues to evolve through lessons learned from significant and lesser-known risk incidents, the landscape is in a perpetual state of flux. There are always new forms of operational risks that businesses must consistently manage.
A significant challenge for ORM is the inability to detect new risks in the operational environment. Inconsistent processes across various functions and a lack of common understanding add to the problem. Operational risks are usually intangible, and their impact is difficult to quantify. For example, how does one quantify the impact of a data breach on an organization’s reputation? Without the right processes and technology, it is impossible.
So, how does an organization become resilient? From a pragmatic standpoint, CROs don’t necessarily have to adopt an entirely new strategy; they can further develop their existing ORM approach.
To build an operational resilience framework, one should start with identifying, assessing, and prioritizing risks, followed by formulating strategies to mitigate and address these risks. The implementation of controls comes next, with a concurrent assessment of their effectiveness to ensure they serve their intended purpose.
Identifying critical operations and establishing impact tolerances is the next step that helps safeguard against disruptions. At the same time, resilient business continuity programs and response strategies are essential for rapid recovery in adversity.
Compliance with operational risk capital requirements is the next crucial step. Lastly, it is essential to understand that the process is ongoing, with continuous assessment and refinement of the entire program to adapt to evolving threats and changing business landscapes.
The Modern Approach to Operational Resilience
In the current landscape, CROs are responsible for conventional risk management and staying well-informed about market trends and regulatory advancements. They are expected to align their risk and resilience strategy accordingly. This calls for a reevaluation of the ORM program.
Here are some key considerations while modernizing the ORM approach:
Looking Beyond Conventional Risk Categories: Broadening the scope beyond traditional risk categories and incorporating more relevant, contemporary, and emerging risks is essential. These include economic volatility, digital vulnerabilities, human-related risks, environmental concerns, geopolitical turbulence, and liquidity challenges. Understanding the interdependencies among these risks is also mission-critical.
Harnessing Predictive Analytics: CROs can harness the power of AI, machine learning, and advanced analytics to gain predictive insights into risks. These data-driven insights enable quick identification of trends, patterns, and correlations, empowering organizations to mitigate risks and curtail operational losses proactively.
Utilizing Risk Quantification: Risk quantification, which involves expressing risk in monetary terms, provides a means to evaluate risk exposure and impact. This enables risk teams to prioritize risks effectively and equips CROs with the tools to communicate the organization’s risk stature to executive management effectively.
Maintaining Incident Response Blueprint: A playbook outlining the response strategy for various risk scenarios is advisable. In the face of high-risk events, having predefined roles and responsibilities and a clear understanding of corrective actions enhances organizational readiness and resilience.
Implementing Technology-Driven Solutions: Given the rapid evolution of contemporary risks, an agile risk and resilience strategy is essential. Technology-based software solutions can support CROs in spearheading such programs by automating risk management processes. These solutions revamp risk reporting with advanced analytics, incorporate autonomous assessments based on asset value and business impact, and deliver actionable insights promptly. They also free up bandwidth for risk teams to focus on more critical tasks.
Operational resilience technology can help ensure that all components of an operational resilience framework are easily accessible to view in a single, connected platform, simplifying the tracking and managing of the risk. It can enable data harmonization across teams, business units, and functions. The other benefits include providing automation capabilities for risk assessments, control testing, continuous control monitoring, third-party due diligence and other processes.
In Conclusion
CROs and risk managers must adapt their approach to address evolving challenges and prioritize risk readiness for business continuity. With the right technology, CROs can move the needle from risk to resilience with an operational strategy that provides a solution to combine regulatory requirements and risk management practices into compliance, cybersecurity, vendor risk management, and business continuity plans.
