
Operational risk: what do the regulators expect?

Being able to demonstrate good practice in areas such as risk reporting, governance and culture is critical for firms seeking to reassure regulators about their operational risk management. Ariane Chapelle offers some advice on how to avoid unnecessary scrutiny


The financial industry is global, so it's not surprising that supervisors in different countries share common concerns when it comes to operational risk. Listen to regulators from the US Federal Reserve System, the Bank of England and the UK Financial Conduct Authority and you will hear a number of familiar themes. Whether you are a newly regulated entity or an approved person preparing for your first visit from regulators, it's useful to bear in mind some essentials on how to demonstrate good practice.

Know your key risks

One important question is so simple that it can sometimes be missed in the piles of files, reports and colourful risk charts: what are the main risks to your business? In other words, what are the adverse events that could harm your profitability or cause problems for your stakeholders, especially your customers?

The more specific you are about the risks and how they will be mitigated, the more ability and credibility you demonstrate. Define risks as potential negative events, not as processes or control failures: 'technology' is not a risk, it's a theme. All firms rely on technology. Be more specific. Are there parts of your systems that are outdated or in need of maintenance? What are your plans to address any increased risk of disruption, which may have negative consequences for your firm and its customers?

Similarly, 'compliance and regulatory change' is top of mind for everyone. It's not a risk; it's a fact and a constraint. What is your firm doing to keep up to date with regulatory requirements and adjust where necessary?

Highlight what is being done to prevent risks and to mitigate the consequences if they materialise. Speak confidently, because you know your business and will act to preserve it. At the end of the day, good risk management is good management. We all manage risks in our private and professional lives without necessarily calling it risk management. Operational risk management is little different.

Flaunt your risk reporting

Risk reporting is an effective way to show regulators how information is collected and circulated within the firm. The balance between too much and too little risk information is hard to strike and aggregating diverse views or qualitative data is challenging. Nonetheless, some broad-based rules can help. Always make sure risk reports are read and, above all, followed by action where necessary. The existence of red flags in risk information without timely reaction or relevant action plans only demonstrates poor governance.

Highlight strong governance

The head of information security for a highly reliable technology organisation told me recently that: "Risk assessment is not important – what matters is what we must do."

Whether it is about cyber crime or any other risk, risk assessment is only a means to an end: a way to allocate and prioritise risk mitigation resources in a consistent manner. Risk management doesn't end with risk assessment; it's a starting point. Risk governance should ensure that risk decisions are taken by the competent people within the firm, and that breaches of limits and recommendations for mitigation are followed by action.

Indicators capturing the number of overdue risk management actions or overdue audit recommendations are a good reflection of how seriously executives take risk management. They are sometimes referred to as 'discipline indicators'. I know of firms that enforce a 'zero objective' across their businesses: zero is the number of overdue items and delays allowed on audit deadlines and risk management action plans.

Culture: a matter of trust

Strong governance is closely tied to what regulators value most: risk culture, the necessary condition from which all the positive signs above arise. Corporate culture and risk culture cannot be dissociated.

Good culture, in the eyes of regulators, is a positive answer to the question: 'can we trust you?' That means trust in terms of being transparent about the vulnerabilities you have identified and are mitigating; where the firm takes more or less risk; how effects on customers and stakeholders are considered in the decision-making process; and whether issues are self-identified and self-reported.

Attitude is crucial. Supervisors take a dim view of firms whose employees are defensive and reluctant to share risk information during regulatory visits. That can only lead to more distrust, more scrutiny and more tension in the relationship.

Financial services can't avoid regulation, so let's embrace it and make the best of it. Firms that manage their risks genuinely and cautiously, much as one would for a family business, always come out on top. Ideally, regulators want firms to be collaborative, open and trustworthy. Like everyone, they have limited resources and need to prioritise their actions in the areas where they are most needed. Firms that come across as genuine and transparent in their risk management will benefit from being regulated at arm's length, with no unnecessary scrutiny. Firms that don't will soon wish they had acted otherwise.

Ariane Chapelle is honorary reader in operational risk at University College London and the director of Chapelle Consulting, a UK-based risk management advisory firm
