The business and technology solutions company.

Thought Leadership: Enabling Self Sustainability

Lessons Learned from the Financial Industry

Due to various high-profile operational risk events such as the Barings collapse, the mortgage loan crisis and the Madoff Ponzi scheme, the regulator's stance on business risk and continuity teams has evolved over time and become more draconian and control focused. To mitigate the risk of conflict of interest, collusion and other events destabilizing the industry, regulators demanded separation of the operational risk and oversight functions from the business units. To meet these demands, companies established independent Business Risk and Continuity teams. These teams were independent corporate functions mandated to partner with business units to help senior executives understand, monitor and mitigate the company's overall operational and business risks via formal reporting to committees. Companies subsequently introduced the concept of first, second and third lines of defense, described below.


1st Line: The Operational Risk Management function works with the business units to monitor, assess, analyze and report on risk events to corporate operating committees. The RCSA (Risk Control Self Assessment) is used in conjunction with business units to perform these tasks and to arrange for final sign-off by senior management, often via committee meeting minutes.


2nd Line: Compliance and other control functions are tasked with monitoring their areas of specialty within the business units, together with the operational risk output, to provide a second, independent layer of oversight and control.


3rd Line: Internal Audit audits the business units and the 1st and 2nd line of defense functions to provide a further independent layer of oversight.

Theoretically, the regulators were and are correct. The lack of independent operational risk oversight, monitoring, escalation and reporting was and still is an existential threat to financial services.


In practice, the solution companies introduced was not as simple as the recognition of the issue suggested, and there were many more variables companies needed to consider to implement an independent Business Risk and Continuity team effectively. The complexity stems from the fact that an independent team does not innately have the technical and operational knowledge to confidently and effectively facilitate business assessment, analysis and solution discussions. Operational and business risk professionals are highly dependent on business units to openly explain their business processes, controls and risks, which takes a lot of time and effort. This dependency leads to conflict, which undermines their credibility. Without a strong business partnership, Business Risk and Continuity teams naturally become isolated and toothless rather than independent and strong.

Common Challenges

IT and Business Risk Continuity Team not Aligned Organizationally: a lack of partnership between the Business Continuity Planning (BCP) function and IT, which is key to an effective BCP strategy and implementation, leads to manual and ineffective processes during risk events. The relationship between technology infrastructure enhancement and modernization on the one hand and an effective BCP strategy on the other is not commonly understood or achieved within companies.


Lack of Risk Mindset in Corporate Cultures: companies do not train, ingrain and reward staff-level employees and senior leaders alike for having a risk management mindset. This cultural gap encourages short-term thinking, weaker downside risk mitigation, a lack of focus on BCP strategy and planning, and alignment issues between business units, IT and business risk continuity teams.


Skill-set Gaps within the Business Risk and Continuity Teams:
Soft skills necessary for successful BCP strategy and implementation, such as communication, facilitation, organization and solution delivery, are neither plentiful nor highly rewarded by companies.
Technical skills needed to understand the business processes, controls, risks and technology involved in implementing a BCP strategy and plan are neither plentiful nor easily acquired by companies.


Limited Senior Management and Leadership Focus: a lack of appropriate awareness, focus and knowledge of BCP among business leaders is widespread and detrimental to its effective implementation within companies. Inconsistent and uninformed messages from senior leaders to staff are easily dismissed or construed as unimportant and not a priority, which in turn undermines the effectiveness of the BCP strategy and implementation process.


Unintended Consequences: the Business Risk and Continuity team has become a bureaucratic corporate reporting team that is isolated and toothless rather than independent and strong. The result of this evolution is higher monetary and reputational costs associated with an ever-increasing number of high-risk events that are not properly managed.

The Path Forward

Embed Business Risk and Continuity Planning into the Business: to optimize the effectiveness and mitigate the costs of BCP strategy and implementation, the function should be more closely aligned with IT, and both should be embedded into everyday business processes and practices. To ensure long-term business sustainability, a healthy independence should still be maintained to avoid the potential conflict of interest and collusion highlighted by the regulators' demand for third-party operational risk oversight.

Embrace and Instill a Risk Management Culture and Mindset in the Business: leaders should encourage and promote risk-based decision-making processes (everyone loves the upside, but jobs and careers are lost to the downside) and BCP training for all staff levels. They should then monitor and financially incentivize those who practice these behaviors. In parallel, they should actively support and empower the Business Risk and Continuity teams to perform their valuable functions. A corporate culture that openly embraces and rewards risk management is imperative to the company's sustainability.

Integrate Business Risk Continuity Processes into the Business: this function should be part of regular operational and technology infrastructure protocol, not isolated until it is needed. Regular live business contingency tests, including post mortems, should be conducted without prior preparation to fully understand capabilities and challenges under real risk event conditions. Tests that fall short of real conditions produce misleading results and lead to costly fire drills under actual duress, which consume employee time and paralyze the operations of the company.