Regulators are focusing hard on how operational risk training is being conducted within firms, both for clues as to the overall strength of the risk culture and to understand how well the program delivers value. This blog explores elements of training programs that regulators would want to see.
Today regulators are keen to understand if operational risk programs are getting training right. Are op risk teams receiving the training they need to successfully implement all of the elements of a strong operational risk framework? And is the rest of the organization – the business – being given the training it needs to engage with operational risk activities in ways which will deliver value for the program and enhance its ability to meet its strategic goals?
All too often the answer to these questions is “no”. Training is regarded as a tick-box compliance exercise, and its ability to deliver significant value to an organization is ignored. For regulators, one sign that organizations are engaging with operational risk seriously and are seeking to adhere to best practices is a good overall approach to training. Seven key elements of a strong approach to op risk training are:
- Benefitting the business – Op risk regulators are looking to see that the training being given – both to the op risk team and to the business – is of real benefit to the wider organization. If the training is just a box-ticking exercise for the regulators, which doesn’t contribute to the business’s understanding of its own operations, they are very likely to criticize it. The training an organization gives should enable employees to articulate the benefits of operational risk management, and to be able to demonstrate those benefits.
- Understanding governance structures – Training should help the organization understand the reasons why governance is needed, and how it should operate. Overall, governance structures should properly segregate responsibility, and leave the Board with overall authority. Op risk teams should be sure they understand governance frameworks, roles and relationships in detail. The business should be able to see why the governance structure “makes sense” and how it operates. The board’s risk committee should receive training to fill any expertise gaps it may have.
- Explaining the opportunities within RCSAs – Op risk teams should be trained to create RCSAs that really engage with the business’s strategic goals and challenges, because this is what the regulator is looking for, and it is also what will get the business on board. In turn, the business should be guided to understand why RCSAs can help it achieve its goals, how the assessments should be completed, and the ways in which the information can be used to help the business deliver more value.
- Selecting KRIs that make sense – Like RCSAs, key risk indicators (KRIs) and key control indicators (KCIs) can provide the business with important information that can help it achieve its strategic goals. Op risk teams should be trained to select the right KRIs, and set the right thresholds, in partnership with the business, so the business isn’t deluged with lots of less-than-useful data. In turn, the business should be taught how to work with KRI dashboards and reporting – in particular, to better understand and act on the red, amber and green signaling system that is often used.
- Capturing and using loss event data – Through training, op risk teams can learn how to validate the strength of their loss capture program – for example, by ensuring that event capture is consistent with the internal audit team’s work. Op risk teams should also learn about how to use event analysis to challenge RCSAs. In turn, the business should be trained about why event capture is important, and how to log an event within the organization. Culturally, it should be made clear that there are no punitive repercussions for logging an event.
- Engaging the business through scenarios – Op risk teams should be taught what good quality scenarios look like – these need to be both plausible and realistic stories. Scenarios also need to be exceptional events that are firmly based in reality. Ideally, op risk teams should be taught how to work with the business to develop good scenarios. In turn, the business should receive training in how to participate in the scenario process – how to co-develop scenarios with the op risk team, how to participate in scenario workshops, and how the output of these exercises can help the business deliver on its strategic goals.
- Producing insightful reporting – In some ways, reporting is the most important task an op risk team will undertake, because fundamentally it is about communicating with stakeholders, to help them understand the operational risks they face and make better decisions. And yet it is often a significantly neglected area – reports are difficult to understand, are not actionable, or leave readers drowning in data. Op risk teams that receive training in how to produce good reports enable the business to gain insights about operational risk and to make good decisions. At the same time, it’s important to train those who read the reports in how to do so – what the information means, how the data could impact the business, and what decisions should be considered. Regulators are particularly keen to see best practices in this area.
In short, regulators are looking for high-quality understanding of operational risk processes and information across the organization. Supervisors want to see training support engagement between the op risk teams and the business, and vice versa, to deliver value across the board. Not only is this approach to training best practice, but it also helps the regulator to judge that training is not just a tick-box exercise. Much has been made of the term “culture” over the past few years – this is the sort of culture that regulators are seeking to find within firms today.