Regulators are now explicitly connecting operational risk and operational resilience. Are they overlooking the obvious by not linking operational resilience to all of GRC?
It is a good sign that the Basel Committee on Banking Supervision (BCBS) explicitly connects operational risk with operational resilience in its recent consultation paper. However, financial regulators should go further still – operational resilience should be connected across all of governance, risk and compliance (GRC). It is possible that this is something the BCBS consultation paper already hints at.
Strengthening the connection with operational risk
RiskLogix has been pointing out the strong existing connection between operational risk and operational resilience for a while now. The UK Financial Conduct Authority’s (FCA’s) own consultations on operational resilience, including December 2019’s Building operational resilience: impact tolerances for important business services, are viewed by the operational risk industry as making too sharp a distinction between the two approaches, and not focusing enough on how they should be connected at a fundamental level. For example, scenario analysis should be an important component of both operational risk and operational resilience, with both data and outcomes from scenario exercises in each area informing the other.
Another area where operational risk and resilience are connected is the area of controls. For example, there are two control types in operational risk that should be important data points for operational resilience. These “impact” controls are:
• Detective – controls that operate after a risk event occurs, designed to identify that the event has taken place
• Corrective – again, controls that operate after a risk event occurs, designed to “put things right”; disaster recovery is one example
Overall, firms should be seeking to leverage their operational risk frameworks, including risk and control data, when considering how to build out their operational resilience programmes. There should be a deep relationship between these two disciplines, and the resilience programme should draw continuously on other operational risk outputs such as risk and control self-assessments (RCSAs), key risk indicators (KRIs), and loss event data.
Establishing the GRC connection
The BCBS’s consultation on Principles for Operational Resilience links operational risk with operational resilience throughout the document, which is a positive step in the right direction. Interestingly, in its definition of operational resilience, the document includes the need for banks to consider operational resilience in light of their “overall risk appetite, risk capacity, and risk profile.”
This is where it gets interesting. To the casual reader, this language could seem like the BCBS is talking purely about the operational risk elements of risk appetite, risk capacity, and risk profile. However, the document does not say that and seems to be casting its net wider, to include enterprise risk. This makes sense – after all, the impact of an operational risk loss event can be felt in market risk, credit risk, strategic risk and reputational risk. The recent Covid-19 pandemic is an excellent example of this – in operational risk terms it is an external type of loss event, a natural disaster. However, impacts on all of the above listed risk types continue to be in abundant evidence. From experience, it seems clear that operational resilience frameworks should be aligned with enterprise risk programmes as well. The BCBS should be more explicit in its next operational resilience paper, and lead the industry on this.
So, how about the other areas of GRC, such as compliance and internal audit? The words “compliance” and “audit” are not found within the BCBS paper, but surely these essential components of a GRC framework need to be in dialogue with operational resilience too? For example, at the start of the March 2020 pandemic lockdown, thousands of traders found themselves working remotely almost overnight, and firms scrambled to make their compliance policies, processes and systems, such as trade surveillance, catch up. This seems to point to a clear relationship between compliance and operational resilience.
Internal audit has a role to play, too. After all, internal auditors focus much of their attention on the robustness of many of the things that operational resilience is concerned with. According to the Chartered Institute of Internal Auditors, it is their job “to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively,” going well beyond financial risks and statements. Certainly, going forward, internal auditors are going to have to explicitly include operational resilience in their work, but already today a negative internal audit report can be an important sign that a part of the organisation lacks operational resilience.
In summary, the BCBS paper is important because of the direct link it makes between operational risk and operational resilience. However, it is also important because of what it hints at – that operational resilience needs to be connected to enterprise risk management. From there, it is not difficult to see how operational resilience needs to be connected to GRC as a whole.