Written by: Cynthia R. Boehmer, JD, CIPM, CIPP/US
Ignoring Operational Risk Management? Here’s What It Might Cost You
Financial risks are a constant focus for banks and credit unions. Whether it is credit, interest, or liquidity, financial institutions have developed an array of reports and systems to control these risks.
Operational risk, however, has not received the same attention. This dynamic is resulting in a struggle to manage the risk effectively.
What is Operational Risk?
Operational risk is the risk of loss due to errors, breaches, or interruptions caused by people, internal processes, systems, or external events.
The impact of operational failures is wide-reaching.
1.) Financial Losses
Financial losses can stem from errors and fraudulent activities. Drivers can include embezzlement by an employee, fraud committed by consumers, or errors resulting from system failures.
Sometimes, these financial losses are not direct. For example, banks are required to maintain capital buffers to manage an operational risk event if one were to occur. A regulator’s assessment of how well a bank manages operational risk can affect how much capital the bank has on hand to conduct normal business activities.
2.) Reputational Damage
Reputational damage refers to the harm to a bank’s reputation caused by an event such as a cyber breach that leads to the leak of non-public personal information that may impact your customers. In the wake of a breach, customers may have to monitor their credit history more carefully or shut down or change their credit card or other financial information. That certainly doesn’t help build rapport.
In addition, lax Bank Secrecy Act controls can result in money laundering by drug cartels or terrorist organizations. Not the image you want to portray!
3.) Operational Inefficiencies
Poorly managed risks can result in inefficiencies, delays, and increased operational costs. These are activities that waste resources, time, and effort.
The following factors can cause operational inefficiencies:
- Improper planning. From the start of developing a new product or service, inefficiencies can arise from resource shortages, delays, costs, lack of consideration of risk, and technology/third-party impacts.
- Miscommunication or lack of communication between lines of business can lead to errors, duplicated efforts, or missed deadlines. This dynamic can create a siloed approach to risk management where:
  - One department does not know what the other is doing,
  - Executive management does not have an overall view of essential activities, the associated risks, and whether the proper controls are in place.
- Inadequate training results in employees taking longer to complete tasks, making mistakes, and not fully understanding the risks of their job function.
4.) Regulatory Penalties
Non-compliance with regulatory requirements can lead to significant fines and sanctions, severely affecting a bank’s operations.
What can you do?
Addressing operational risks involves a multi-faceted approach across your organization to reduce the cost of poor management. Here are some of the strategies to consider:
1.) Develop a uniform method for understanding and assessing risk.
Departments are often siloed, each adopting different approaches to mitigate risk. In these cases, no individual or committee fully understands the risks involved or the measures institutions take to address them.
Risk Assessments
One way that banks and credit unions can bring about a shared understanding is by using risk assessments. Risk assessments help identify the threats and risks that could impact the organization’s earnings and capital. They also allow the user to document the controls established to mitigate those risks and threats.
Having a centralized risk and identification process brings about conversations between risk managers and the different departments to determine:
- Where the risk is,
- How the institution is controlling it, and
- If the same approach is applicable in other areas.
2.) Inventory of Key Risk or Performance Indicators (KRI/KPI).
There is always a degree of risk when running any organization. The key is to try to get ahead of the threat before it occurs or negatively impacts the business.
Example: Employee Turnover
Developing an inventory of indicators can provide such insight. For example, turnover at the organization can be costly and can negatively impact your reputation if the positions affected are customer-facing.
Human Resources tracks this number, but creating an indicator that gives senior management or the Board of Directors insight into it can be helpful, especially if the number increases above a set tolerance and resources are needed to address the issues.
Depending on the organization, most will have an inventory of 40 – 60 KRIs/KPIs. You want to monitor these key activities that will influence your earnings and capital.
3.) Documentation of your risk appetite.
A Risk Appetite Statement (RAS) is a formal declaration by an organization outlining the types and levels of risk it is willing to accept in pursuit of its objectives.
Usually, the Board of Directors or Senior Management/C-Suite executives include several people with distinct roles and views on how to grow a business. Some may be more aggressive, whereas others may be more conservative. A risk appetite statement will help guide decision-making by defining the boundaries the organization is willing to work within.
4.) Establish a formal risk governance structure.
Often, risk management is mixed in with other departments, such as IT or finance. However, establishing a formal governance structure is essential for building a strong culture of risk.
Alignment & Clarity
A formal governance structure can help ensure operational risk management practices align with the organization’s goals and strategy and allow stakeholders to make key decisions. It is essential to develop accountability and transparency in the program. Roles and responsibilities will be clear, as will who owns each risk and who will communicate and report on critical risks and the mitigation approaches needed.
5.) Leverage automated ERM tools to streamline your program.
Risk management teams at banks and credit unions have to cover a lot of ground as they:
- Set and monitor KPIs
- Establish and adhere to a risk appetite statement
- Prepare essential reports for leadership, their BOD, auditors, and regulators.
- Strive to build a transparent, holistic governance structure that protects the institution and its customers or members.
Integrated risk management software can automate much of this work and free up risk management professionals for more strategic initiatives. Investing in risk management software reduces the chances of human error and boosts the effectiveness of busy risk management teams. As a result, many financial institution leaders have started to embrace automation.