Operational risk management not aligned with strategy in many financial institutions: survey
- Published: Friday, 11 December 2015 09:04
Aligning operational risk management with strategy is critical for financial institutions to effectively identify, assess and mitigate risks; however, many have yet to fully align risk and strategy, according to a new survey report released by KPMG LLP and The Risk Management Association (RMA).
Only 17 percent of the survey's Basel Advanced Measurement Approach (AMA) respondents, which span North America, the Middle East, Africa and the Asia-Pacific region, said that their firms fully align operational risk management with strategy. This was slightly higher at North American institutions, with 19 percent achieving full alignment of operational risk management with strategy. These results bring into question whether operational risk is fully considered when financial institutions implement significant strategic change.
"Integration of operational risk management across the organization coupled with the collection and analysis of robust risk data is an essential component to a financial institution's successful business strategy and regulatory compliance efforts," said Tim Phelps, US Operations Risk Network Leader at KPMG LLP. "Financial institutions must continue to evolve their operational risk management efforts due to heightened regulatory expectations and a focus on enhanced prudential standards for 'strong' risk management."
Financial institutions are beginning to address the issue by restructuring their operational risk management frameworks to help ensure compliance with heightened regulatory expectations and to drive greater strategic value. However, much remains to be done, as only 13 percent of North American financial institutions surveyed have completed resetting their operational risk management framework. Results are consistent across Europe, the Middle East, and Africa, but reach 50 percent in the Asia-Pacific region.
"Integrating operational risk management across the organization is critical to drive culture, and also to take a non-siloed approach to managing cyber risk, third party/vendor risk, and business continuity planning," said Edward J. DeMarco, Jr., General Counsel and Director of Operational Risk of RMA. "Organizations who are able to fully integrate operational risk management will be in a superior position compared to their competitors as they transform, whether through product and service innovation or through M&A activity."
Additional findings include:
- More consistency needed in approach to multiple risk assessments: only 38 percent of AMA respondents in North America said they have established a consistent risk control self-assessment (RCSA) approach for multiple risk assessment types (i.e., operational risk management, compliance, business continuity planning, vendor, and information technology security). As these efforts continue to progress, firms can expect enhanced risk management effectiveness, integration, and efficiency.
- Quality data and metrics improving risk intelligence: 77 percent of North American AMA respondents said their ORM reporting dashboards are supported by robust and integrated data and metrics, edging out the 70 percent of respondents at AMA firms worldwide. The quality of data collected is critical in financial institutions' efforts to improve their risk intelligence.