ORX to launch controls benchmarking service

App will be delivered via start-up tech platform led by former HSBC op risk chief

Operational risk consortium ORX is developing a product that allows firms to benchmark their control libraries against those of their peers, as banks and insurers look to bring rigour and standardisation to an area of non-financial risk management that has often been accused of being disparate and patchy.

The new application, which leverages ORX’s new control library, will allow firms to review their existing internal control library against typical control types in the reference library, as well as help speed up the development of new controls. Beyond a straightforward comparison by business line or by region, users will be able to see how their controls compare with their peers – for instance, whether they’re automated or manual, preventative or detective.

The app, which is expected to launch later this year, is set to be delivered via a start-up vendor, the Innovation Data Platform (iDP), which is led by Mark Cooke, who until last year served as head of operational risk and general manager at HSBC. He also served as chair of ORX during his tenure at the bank.

“The ORX reference controls library is designed to help members either review or help accelerate the development of their own library. It is an added bonus that we can then leverage iDP to build an application that aims to support controls benchmarking,” says Steve Bishop, director of research at ORX.

Seven banks are understood to be working with the venture, helping to design the data, security and validation standards. ORX says that the venture is a ‘risk-as-a-service’ platform being developed to host ORX services and potentially other third-party applications. According to its website, ORX and McKinsey are backers of iDP, along with other consultants and industry firms.

Each bank and insurer will have its own dedicated domain within the platform in which to house its data securely, including that required for the ORX controls application. iDP will then allow firms to transfer data into a benchmarking service operated by ORX in order for them to run comparisons with their peers on an anonymised basis.

The sharing and benchmarking of controls information marks a departure from the sharing of operational loss information that has been the foundation of ORX, say members.

“Now, we have a standard way to discuss controls, because we’ve created the taxonomy, so we can categorise controls in the same way we categorise losses by risk type. It’s important for ORX to expand into sharing information around the controls environment, and this helps accomplish that,” says an operational risk executive at a large US bank.

Plenty of other vendors are also eyeing the risk controls space – among them Acin, which has spent several years building a peer-to-peer network focused on anonymised benchmarking and intelligence sharing on control libraries. According to a recent blogpost, in March this year, Acin added 4,600 risk controls aimed at banks’ support functions, on top of its existing front-office suite, drawn from 12 global banks.

The ORX benchmarking service will piggyback off the firm’s reference control library, in turn based on the ORX reference risk taxonomy. The reference control library, which was published to ORX members in early May, provides a linkage between the ORX risk taxonomy and the controls that firms have put in place. Firms will be able to use the library as a starting point for developing their own libraries from scratch or refining the ones they already have.

Member banks can compare all their controls with those of their peers to see where control gaps exist. Network members can identify areas of weaker risk when compared internally, or areas where they can reduce the likelihood of risks occurring by strengthening preventative controls, or reduce their severity through stronger detection controls.

Many firms see this as a step towards formalising what has historically been a somewhat haphazard approach to gathering controls in one place, with larger firms in particular often maintaining disparate libraries of controls across different divisions and jurisdictions.

“Major players will have 60,000 records to describe controls. Where there’s no standard, it means no-one can make sense [of] whether there are gaps,” says Cooke.

“If ORX can begin to create consensus on an industry taxonomy, and if their data begins to be mapped to this, that can be quite powerful to us,” says Gus Ortega, head of technology, innovation and operations risk management at Voya Financial.

The ORX reference library – which draws on control library data collected from nearly 50 banks and insurers that are members of the ORX consortium – “provides a framework for the typical control types currently used by the industry today to mitigate each risk in the taxonomy”, says Bishop.

Many firms use their risk control self-assessment process to identify controls, but lack a formal structure for aggregating those controls. Only 35% of financial organisations have developed a control library, according to ORX, although most other organisations have plans to develop a control library. However, these libraries are challenging to develop, with a majority taking one to two years to complete.

“There’s an inventory of all the controls, but I don’t know how well organised the controls are,” says the operational risk executive.

As new products are developed and business mixes evolve, controls also need updating. Many firms are currently wrestling with adapting their control environments to account for emerging risks such as climate change.

Risk managers believe that a reference control taxonomy will help create uniformity within the various business units that face similar risks but have evolved controls in a highly idiosyncratic fashion.

“If the first line doesn’t have the taxonomy in front of them, then they miss things. Having a taxonomy provides a guard rail,” adds one former head of operational risk.