THE recent op risk management (ORM) training survey conducted by OpRisk & Compliance magazine and Protiviti indicates a clear mismatch at global financial institutions between needed and desired ORM training capabilities and having the actual resources to deliver such training. Responses were submitted by 85 individuals representing financial services organisations across geographies and asset sizes. Approximately half the respondents were from either the European Union or the US, with 38% of those responses indicating firm size from institutions over US$50 billion in assets.
Survey data indicates that training needs evolve throughout an ORM function's lifecycle. As indicated in the figure below (which indicates the percentage of those respondents who noted the indicated training area as either their first or second highest priority need), in the initial phases of an ORM function's development training needs centre around the 'building blocks' of ORM: RCSA and structured scenario analysis, along with a need to begin to receive training on risk measurement. As the function matures, and generally begins to expand from a small centralised team to a more distributed environment involving others in the organisation, not surprisingly training needs generally increase, especially over general ORM topics.
With continued maturity of the ORM process, respondents with a function in place for greater than five years demonstrate specific needs, such as additional training on risk measurement and capital allocation concepts, with a decreasing number of respondents in that category indicating a need for training on scenario-based approaches. Training over RCSA methodologies also experiences a rebound at this stage, perhaps reflecting either a desire to continuously improve the ORM function by learning the latest innovations or indicating a greater need across the organisation due to RCSA activities taking place in a more decentralised manner. In concert with the underlying business needs of a more experienced ORM function, the training needs shift from understanding how to gather data and support operational risk management in the early years of development to the underlying models and methodologies used in better measuring the risks indicated by the data gathered.
A clear gap exists today in operational risk management training, with approximately 55% of those responding indicating less than 20% of their organisation received training on operational risk management concepts. Comparing this result with an almost equal amount of participants who expressed a goal of having 60% or more of their institution to be trained yields a substantial gap between the current and desired state. Compounding this gap is the level of training currently offered by respondents. The majority (54%) of participants indicated that employees receive four hours or less of ORM training today, with 15% indicating that zero training is currently offered. This level of time invested is supported by 42% of survey respondents spending less than US$100,000 on ORM training, and only 4% indicating over US$500,000 estimated ORM training spend. Reflecting the relative youthfulness of operational risk management as an established discipline, firms rely predominantly (62%) on external training sources for their ORM training needs, with external conferences an overwhelming (51%) primary source.
The survey highlights the evolving nature and role of ORM functions globally. While many respondents indicated that little or no time or funds were currently being invested in ORM training, the needs for training identified were clear and evolve with the maturity of the ORM function. As evidenced by the growing number of conferences and courses in the marketplace today, external sources are stepping in to fulfill these needs.
As ORM continues to spread and embed itself into each institution, demand for training should continue to grow and the content of external offerings will increase in sophistication. Over time, ORM functions will provide more training internally, reflecting a customised approach to an organisation's needs. Investing in training over the next couple of years will be critical to further evolve and refine the impact of ORM functions.
Protiviti (www.Protiviti.com) is a leading provider of independent business and technology risk consulting and internal audit services. Protiviti helps clients identify, assess and manage operational and technology-related risks encountered in their industries, and assists in the implementation and the processes and controls to enable their continued monitoring. Protiviti, with more than 45 offices in North America, Europe, Asia and Australia, is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
For more information on the results of this survey, please contact the authors at [email protected]
The week on Risk.net, July 7-13, 2018Receive this by email