CHAPTER 5
Culture and Awareness

This chapter explores the challenges of bringing about successful culture change that supports an effective operational risk framework. It considers planning, marketing and communication, training, and sponsorship. It explores the challenges of implementing a framework that works effectively in the digital paradigm and agile approaches that exist today. In addition, this chapter investigates the “use test” requirements of operational risk regulation and explores how activities that change the culture can contribute to meeting the required standards.

WINNING OVER THE FIRM

With a strong governance structure in place, an operational risk function can turn to the important next step: winning over the organization. The time invested in culture and awareness activities is indicative of the likely success of the framework. To be successful, operational risk must be identified, assessed, monitored, controlled, and mitigated across the firm, and this can be achieved only through an energized organizational change program.

The operational risk framework must be designed to reflect the culture of the firm. An approach that is a roaring success in one firm might fall flat in another. Even the best-designed framework needs to be promoted and communicated in order for operational risk management to be adopted and applied throughout the organization. To achieve this, the operational risk function should undertake three important activities—marketing, planning, and training—before it attempts to implement the other elements of the framework.

The role of culture and awareness in underpinning a sound operational risk framework is illustrated in Figure 5.1.


FIGURE 5.1 The Role of Culture and Awareness in an Operational Risk Framework

MARKETING AND COMMUNICATION

Every function in a firm has its own brand, whether it has invested any effort into cultivating that brand or not. Each function has a reputation, either good, bad, or between the two, and this reputation is key to whether the function can achieve its goals. If the operational risk function is seen as a trusted partner, it will be able to progress more quickly toward its goals. If it is an unknown or misunderstood department, then its goals may be frustrated at every turn.

Colleagues, peers, managers, and employees will have formed an opinion of whether this function is one with which they want to work. If they have never heard of the department, there is even more work to do.

Unlike most departments, the operational risk function needs to work with everyone in the firm, as operational risk can arise in every nook and cranny of the organization. To build those working relationships, a firm-wide marketing effort is needed at the launch of the department, and also at every major rollout of the framework.

The firm might have a well-established approach to launching new initiatives, possibly through poster campaigns, e-mail blasts, or town halls. Whatever works well can be leveraged, and if there is nothing to leverage, new approaches can be tried. In fact, new methods of communication tend to draw notice, and so can even be preferable to the standard methods.

In addition to these internal marketing methods, it is important to allow time for face-to-face meetings with all of the key stakeholders. During those meetings it can be helpful to ask, “What are you hoping we will do?” and “What are you hoping we will not do?” The answers to those two questions provide insight into the current perceptions held about operational risk, both as a function and as a discipline. They also provide an opportunity to find and leverage mutual goals and aspirations. Armed with these answers, formal and informal marketing campaigns can be designed to ensure that the following minimal goals are met:

  1. The organization knows what operational risk is.
  2. People know what to do when they see operational risk.
  3. Managers are aware of the benefits of good operational risk management.
  4. Managers are aware of the dangers of poor operational risk management.
  5. Main supporters are identified and there is a plan for how to leverage that support.
  6. Main detractors are identified, and there is a plan to win them over.

The efforts taken in promoting cultural awareness and developing a relationship with key stakeholders are recouped later in reduced political roadblocks and improved support for operational risk management activities.

A framework that is technically excellent but has little organizational support will never endure and will not succeed in ensuring that operational risks are identified, assessed, controlled, and mitigated. A framework that is built on a bedrock of strong culture and awareness can continue to evolve and mature as experience develops. That development will ensure that risk identification, assessment, control, and mitigation are continuously occurring and improving.

AGILE

It is important for the operational risk function to fit the current culture of the firm. In both fintechs and banks, innovation is a key element of their business strategy, and an operational risk structure that does not support such approaches is unlikely to be effective.

An agile methodology in the technology function uses an iterative approach to development that, compared with a waterfall approach, makes the identification of risks more challenging.

A waterfall approach relies on robust business requirements at the beginning of the project, and at that stage it is possible for a new product approval process to identify the potential operational risks in the design. In contrast, agile development focuses on the fast delivery of a minimum viable product (MVP) rather than a slower delivery of the final complete product.

As the agile approach allows for minimal documentation and optimum iteration during the project, capturing the changing specifications of the product and its associated risks can be very challenging for the risk function.

There are several ways to integrate operational risk into an agile approach. First, if the first line has a strong understanding and ownership of operational risk, then they may be well equipped to identify, assess, monitor, and mitigate risks as they arise at each iteration with coaching from the operational risk team only as needed.

If that maturity is not yet in place in the business, then the operational risk function can embed themselves in the agile process and provide insight and challenge in the daily or weekly stand-up meetings and check-in processes.

Finally, an agile project could be allowed to proceed unchecked with the resulting operational risks assessed at the end, before launch to the customer. Any identified risks would then need to be mitigated and retested before launch.

The operational risk team can also embrace agile methodology in their own processes. I have had some success taking a “sprint” approach to establishing an operational risk program for all critical processes. In several firms we have prepared a list of stories that we wish to complete for each critical process in the firm and then used a Kanban board to track all of the stories to completion during an intense two-week sprint per process. Sample stories for such an approach are:

  • Map the process.
  • Complete an RCSA.
  • Identify all compliance controls.
  • Identify all SOX controls.
  • Complete a business impact analysis and business continuity plan.
  • Identify and validate any models.
  • Identify and complete due diligence on any third parties.
  • Identify critical applications and assign access appropriately.

By using a two-week sprint and recognizable agile methods, we have been able to meet the business where they are, using language that resonates with them, and to impose the risk-build work on them for only a two-week period before moving on to the next critical process.

TRAINING

If operational risk is to be managed effectively in every corner of the firm, then it may be beneficial to roll out firm-wide training in addition to a general announcement e-mail or town hall.

There are many ways to deliver effective training, and the type of training should reflect the culture of the firm. Training can be efficiently delivered to all employees using the intranet. If the firm already has an online training program, then an operational risk training module could be added to that. If possible, everyone should be invited to complete the most basic training, with more in-depth training for those who might be involved in specific activities.

A basic training module can facilitate cultural change in the firm, educating employees on the importance of operational risk management, and explaining the role of the operational risk team and any operational risk coordinators, specialists, or managers. There is no need for basic training to be overambitious. It can be short and to the point. For example, the goal of basic training could simply be to make employees aware of operational risk and make sure they know what to do when they see it.

Additional in-person and group training will be needed for the practical implementation of the elements of the framework. For example, before a loss data collection program is launched, it will be necessary to train everyone who will be involved in entering losses. There are many considerations when entering an operational risk loss event, and these are addressed in Chapter 7. Without adequate training, the integrity of the data is likely to be compromised.

Similarly, training will be needed before any risk and control self-assessment (RCSA) activities are launched. There are multiple sources of expertise to assist with the design and roll-out of training. The firm may have its own training and development function that can assist with this or might even manage it entirely.

Possible topics for introductory operational risk awareness training are:

  • What is operational risk? (Definition and examples)
  • Why should we manage it? (Examples of operational risk events)
  • What should I do when I see it?

There are some key success criteria for good training, which should be incorporated into the training design and delivery, including:

  • Setting clear learning objectives and being sure to cover them adequately.
  • Having realistic expectations of the learning curve of the trainees.
  • Providing feedback so that trainees are comfortable that they have mastered the materials.

PLANNING

Planning can make or break an operational risk function. Good planning involves setting clear goals, realistic milestones, and achievable deliverables that add value. Publishing milestones beforehand, and then meeting them on time, builds the positive reputation of the function.

An operational risk framework is a complex and evolving challenge, and to keep its development under control, it is important to apply strong project management skills to the design and implementation of each new element. It is good to plan for short-term and long-term goals so that the function can demonstrate its current successes, as well as its long-term importance to the firm.

Once the elements of an operational risk framework are up and running, they need to be monitored to ensure that they maintain their integrity and do not deteriorate over time. Indeed, an operational risk framework should continue to evolve with experience and in response to feedback from participants, partners, and sponsors. The validation and verification requirements introduced in Chapter 4 are important elements in ensuring that the framework continues to be embedded in the organization and that the quality and integrity of operational risk activities are maintained.

Poor planning can seriously tarnish the image of the department as it can lead to promises that are not kept and deadlines that slip. Every day spent planning is a solid investment in a successful framework and protects the brand of the function within the firm.

Alternatively, progress against the initial implementation plan may be represented in a milestones project chart as illustrated in Figure 5.2. (This example includes a project line for the development of a global OR system, including a request for information [RFI] and a request for proposal [RFP] from software vendors.)

Once an operational risk framework is implemented, the program should move from a project management phase into a business-as-usual phase. Once a program moves into business as usual, establishing effective tracking and monitoring of repeating deliverables will be important. This is necessary not only from a practical management point of view, but also because it provides documented evidence of the program's continuous activities. This evidence will be useful to regulators and auditors in assessing the effectiveness of the framework.


FIGURE 5.2 Sample Project Milestones for an Operational Risk Implementation Plan

THE “USE TEST”

The “use test” is a regulatory standard that requires a bank to show that risk management standards are being used across the firm to support management decision making.

The Basel Committee on Banking Supervision established how a bank can demonstrate that the operational risk framework is embedded and effective and so meets the use test. In June 2011, the Committee published “Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches.” In this document, the use test is described as follows:

A bank may use various approaches to articulate and demonstrate the integrated use of its ORMF [Operational Risk Management Framework]. …

The level to which the broader ORMF processes and practices have been embedded at all organizational levels across a bank is referred to as “embeddedness.”…

A bank should have sustainable and embedded ORMFs and policies that are used in its risk management decision-making practices, with clear evidence of the integration and linkage between the measurement and management processes of the ORMF through the entire institution.1

There are several ways in which this “embeddedness” must be demonstrated according to the Guidelines. First, operational risk must be a key factor in the bank's strategic and business planning processes. Second, the board should approve an operational risk appetite and tolerance statement and there should be controls in place to stay within that appetite (which is considered more fully in Chapter 14).

Third, the business units must be able to demonstrate how they are using the operational risk framework to inform their decision making. The Guidelines also provide details of how reporting can be used to meet the use test requirements, but the important cultural aspects for consideration in this chapter are the first and the third points above.

It is not enough to have a corporate operational risk framework, and it is not enough to have an engaged board of directors. Senior management and the business units must demonstrate that they use their knowledge and awareness of operational risk and appropriate risk measures when making business decisions.

The role of culture and awareness in the framework is vital to meeting this requirement. The business units need to analyze their own operational risk outputs when making decisions. Therefore, operational risk should be under consideration when a business decides to take on a new product, exit a region, expand its workforce, or change its strategy, for example. Operational risk management and measurement need to become an integral part of a business's management practices.

By engaging the business in the early development stages of the operational risk framework, and by training them carefully and comprehensively, the corporate operational risk function can assist the business unit in meeting this regulatory requirement. Simply put, does the business genuinely use operational risk information in its decision making? A well-constructed, well-documented, and well-managed operational risk framework should supply it with the data that it needs to meet this requirement in practice and to be able to demonstrate to a regulator or auditor how it has met this requirement.

The loss data, RCSA, and KRI elements that businesses gather through their first-line-of-defense operational risk program can and must be integrated into their day-to-day decision-making processes. Scenario analysis, capital modeling, and firm-wide risks can also provide context for decisions and can be provided to them by the second line of defense, the corporate operational risk function.

The use test is taken seriously by regulators. Often, regulators go directly to a business unit to see how it is participating in the operational risk framework and to review documented evidence of how it incorporates operational risk considerations into its business decision making. It is no surprise that a regulator is most satisfied if a business can demonstrate that it reached a “no” decision based on an operational risk level that it found unacceptable, or a “yes” decision based on careful consideration of the risk metrics and potential risk losses.

The implementation of an operational risk framework is likely to require significant organizational change. This can be achieved through proactive marketing, careful planning, excellent training, and an energized enthusiasm from the operational risk team. The business also needs to fully embrace operational risk management and measurement in order to ensure that it is truly “embedded” in the firm.

KEY POINTS

  • The use test requirements mean that the firm must be able to demonstrate that operational risk management and measurement are “embedded.”
  • “Embeddedness” is considered successful if the business unit is using operational risk as a key input into its decision-making processes, the board is fully engaged, senior management is fully engaged, and reporting is effective.
  • Effective internal marketing, planning, and training activities are essential in order to successfully embed an operational risk function in a firm.

REVIEW QUESTION

  1. Which of the following are elements of the Basel definition of “embeddedness”?
    I. Operational risk is a key factor in the bank's strategic and business planning processes.
    II. The board has approved the operational risk appetite.
    III. The business units are able to demonstrate how they are using the operational risk framework to inform their decision making.
    a. I and II only
    b. I, II, and III
    c. I and III only
    d. III only

NOTE

  1. Basel Committee on Banking Supervision, “Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches,” June 2011, www.bis.org/publ/bcbs196.pdf, sections 17–18.