Workshop – Operational Risk Assessment of Change

15/08/2018By Gail Danvers
Change management is one of the 11 key principles mandated by the Basel Committee for the sound management of operational risk. The subject is of particular importance now, in the age of regulation, when so much change is driven by the new regulatory requirements. Gail Danvers, Director at psd and specialist in Risk and Governance executive recruitment, recently hosted a workshop to explore the operational risk management side of change.

Gail Danvers, Global Head of psd‘s Banking & Financial Services sector, recently co-hosted a workshop to explore the operational risk management side of change with Helen Pykhova. Helen, a practitioner with over 20 years’ experience in financial services, is well-known in the industry as a respected Operational Risk trainer, as well as being Chair of the Operational Risk Committee of the Association of Foreign Banks (AFB) and Director of the Institute of Operational Risk, responsible for the Institutes Educational portfolio.

In a review of how 60 systemically important banks in 20 jurisdictions have implemented the 11 principles mandated by the Basel Committee for the sound management of operational risk, change management scored the
lowest. The subject is of particular importance now, in the age of regulation, when so much change is driven by the new regulatory requirements.

The aim of the workshop was to educate and debate with other risk professionals on the subject of Operational Risk Assessment of Change.

The workshop highlighted challenges such as a lack of monitoring of risks following approval and an absence of formal post-implementation reviews. In addition, Second Line of Defence roles are often inadequately structured and there is an absence of a holistic definition of “change” leading to the governance framework not covering all types of change.

In a live poll during the workshop only 19% of attendees indicated that their firms do use an Operational Risk system or software that includes a “Change” module. Within the group, only 40% responded that “significant” change is defined and consistently risk assessed.

How to define the thresholds above which the “change” must undergo a risk assessment:

There are a number of parameters to define the thresholds such as:

  • Cost
  • Resource (number of people)
  • Criticality of tools / systems involved
  • Regulatory / legal / customer impact
  • Impact on business objectives
  • Is change within risk tolerance / appetite.

What tools are best suited to assess how “risky” the change is?

When asked what tools are best suited to assess how “risky” the change is, the group summarised:

  • Specific risk assessment for the change initiative, usually conducted to support the “Go/No-Go” decision – via RCSA (Risk and Control Self-Assessment) or ORA (Operational Risk Assessment);
  • Alternatively, the change becomes a trigger to revisit existing firm’s RCSAs (as an example, for regulatory-driven change);
  • Scenario analysis – to examine what if? extreme but plausible outcomes, change KRIs and analysis of Operational Risk incidents;
  • Central “Product and Change” office and change risk team (or for agile, embedded risk specialists), stepped governance based on the size and scale of change.

How to Transition Risks and their Ownership upon Completion of the Change Programme into BAU.

It was discussed amongst these risk professionals that the most effective way to do this is to involve BAU managers from the beginning, communicate effectively and provide training and education on the change with regular frequency. Changed processes need to be documented and validated by sponsors and BAU teams, and there should be defined indicators on performance and risk, transitioning remaining risks at the point of sign off.

Too Much Change Overall? How to assess the aggregate impact of change on the risk profile of the firm.

Assessing the aggregate impact of change on the risk profile of the firm was also discussed. Understanding the impact of multiple changes and the speed and ability of the firm to implement them is integral. Staff surveys and evaluations on expertise, knowledge and availability will help to determine whether the firm can cope. RCSAs may highlight a lack of resources or lack of process understanding in assessing how change is impacting the risk and control environment.

The workshop created an engaging environment and generated useful discussion around this subject which is crucial to ensuring that transition is well-controlled, and that existing processes are not stressed and weakened.

Thank you for hosting yesterday’s event. The content was really useful!

Thank you for hosting an excellent workshop!

At psd we have been recruiting Board, Senior Management and Executive Director Level within the Banking & Financial Services sector for a number of years. Our team of highly experienced recruitment consultants have an exceptional knowledge of the Banking & Financial Services sector and a strong network of candidates, with track records of achievement in this and allied sectors. We recruit across the whole of the UK and work on both permanent and interim roles and operate in most functional disciplines.

If you are interested in discussing the recruitment of risk management professionals, please contact our Head of Global Banking & Financial Services, and Risk & Governance specialist, Gail Danvers.

About the author

Gail Danvers

Director

Gail leads psd's rapidly expanding Banking & Financial Services and Risk & Compliance capabilities. She specialises in Executive, Non-Executive and Director appointments and has an excellent track record of delivering on CRO, COO and CFO appointments, working both with Big Four and global institutions, as well as the growing fintech sector.