Ever since operational risk, or as some prefer to call it, non-financial risk, was “created” through the consultative papers to what is commonly known as “Basel II”, two “holy grails” have existed: how to evidence that managing operational risk adds value to the firm, and how to measure whether the firm’s operational risk management measures up to industry peers and regulatory expectations.
As early as 2003, industry bodies such as the Risk Management Association (RMA) have sought to assist their members through data comparison services – in the case of the RMA, in partnership with RiskBusiness, developing and delivering the KRI Library, seeking to get widespread buy-in from firms to submit and benchmark leading risk and control indicators.
Others, led notably by the British Bankers Association, sought to facilitate the comparison of operational risk-related loss events between members through their GOLD (Global Operational Loss Database) initiative.
But why, you may ask, is comparative industry data so important? Consider a newly identified, never-seen-before, emerging risk, perhaps a malicious systems act undertaken by a member of staff during a remote termination interview – the firm, once it has identified the emerging risk, may ask whether the risk is applicable to them, then go further to assess their exposure to that risk. Perhaps the firm establishes that it does in fact have significant exposure and that there are a number of control measures which it could implement to protect itself from the risk manifesting.
Now, the business, or the second-line risk function driving the risk assessment, needs to find or obtain budget to implement these missing controls, so perhaps a submission is made to the firm’s risk committee or to its board of directors, asking for budget. When the requesting party gets its opportunity to present its case, one of the common questions it can expect will be along the lines of “Okay, we accept you think we have an issue that we need to address, but what are our peers doing about this?” Without empirical evidence, the budget request is highly likely to be rejected, leaving the firm exposed.
In a similar fashion, risk committees, executive committees, audit committees and boards of directors frequently expect the second line to present to them the “top risks”, “major threats”, “big business concerns” or “threat landscape” facing the firm for the next year or foreseeable future.
A common response to such a request is to use Google to locate publicly available “top risks”, with reports regularly published by many august bodies, including the so-called major audit firms, legal firms, insurance firms, industry bodies and such.
But the potential downside of just regurgitating such reports is the question of how sure you are that those risks/concerns/issues are relevant for OUR firm. After all, we are unique… How much more relevant would it be if the second line could canvass internal subject matter and senior management opinion to derive an internal view on the top risks facing the firm, then share and aggregate its views with those of its peers, and then present the peer group benchmarks to the relevant committee or board?
Irrespective of your area of accountability or speciality in operational/enterprise/non-financial risk management, and no matter how much experience you have or the size of the organisation to which you are responsible for providing direction, oversight and challenge, attempting to fulfil your responsibilities without comparative intelligence is akin to navigating a desert without a compass, a map, any co-ordinates or any knowledge of exactly where you are.
RiskBusiness’ specialised solutions are designed to help firms bring greater structure, evidence and external context into those decisions, from emerging risk alerts and risk intelligence to benchmarking tools that help firms compare exposure, controls and industry priorities.
For risk leaders looking to strengthen their evidence base and move beyond internal opinion alone, RiskBusiness provides specialised solutions that support more informed, defensible and proactive risk management.





