Many businesses today see operational risk as a burden – indeed, business functions often do not understand operational risk and how it can be valuable to them.
These are the findings of a CRO Risk Council 2018 study featured in the latest installment of RMA’s Governance, Risk, and Compliance (GRC) Audio Conference Series. Speaking at the conference, POPP Risk Group CEO William Popp said that risk managers should concentrate their efforts on practices that have proven business value. These include formalizing a regular bi-directional communications channel with key stakeholders, establishing an unambiguous accepted risk policy, focusing individual business risk committees, and capturing unexpected and catastrophic change management risk. He also recommended creating/refining the business unexpected risk process, refocusing operational risk scenarios, and restructuring all operational risk committee reports.
The survey also revealed that most operational risk management efforts center on the risk and control self-assessment (RCSA), but many respondents believe it provides little business value. As such, Popp recommended reducing the frequency of the RCSA, along with the following steps:
- Distill the top three risks;
- Control weaknesses and accepted risks for each RCSA;
- Create comparative reporting by mapping losses, issues, and relevant external losses against risks sourced in the RCSA;
- Streamline and simplify all appropriate operational risk processes;
- Consolidate multiple business risk assessments into a single business risk assessment;
- And lastly, only use KRIs to monitor specific risks.
With the survey identifying increased confusion around corporate operational risk roles and responsibilities, Popp also advised that the corporate risk function should become the business’s independent, value-added advisor. This can be achieved by hiring business people and then training them in risk; changing the tone of the corporate risk function so that it sees itself as a value-added advisor first and foremost; and establishing a single corporate point person for the business.
Additionally, Popp highlighted the need for communication as the underlying driver of business value. This meant business executives and risk officers looking at and talking about where operational risk provides business value, and developing a plan forward based on those findings.