Eight things we kept hearing at GCOR XI in Boston
1. The concept of Operational Risk is evolving. It always has been evolving — one of the keynote speakers spoke about the gradual “scope creep” from the original Basel II definition — but this shift seems to be something more significant. As cyber security and third party risk become major strategic concerns for boards and executives (not to mention increased regulatory attention), Op Risk is gaining significant clout at the board room table. One panelist says her Op Risk group is now involved from the beginning in discussions about product redesign.
2. Forward-looking metrics. Boards are starting to ask “where is risk going” – in other words, what do we need to worry about beyond what our KRIs and KPIs show us? One panelist described this as being able to “look around corners”. Loss event data is moving to the appendix of board reports — what directors really want from op risk is advice and insight on not just what happened, but what we’ve learned from it and where the company should be focusing attention. (Thanks to our colleague Ben Smith from RSA for his presentation on measuring and communicating risk.)
3. Third party risk. No surprise this topic was top of mind. Lots of discussion around oversight and monitoring of vendors, automating and simplifying the assessment process for both organizations and suppliers, and increasing regulatory attention to suppliers and third party management.
4. Cyber Risk. Again, no surprise here. Just about every breakout session included at least one session on cyber security. Banks have definitely moved beyond this being an “IT Security” issue, and has become a primary focus for operational risk professionals, management and boards.
5. Reputation risk. This came up a lot, along with other “subjective” risks – in other words, elements of operational risk that are harder to quantify: people, brand, legal, ethics, behaviours, culture, etc. Yes, it is possible to build metrics around these concepts, but what other techniques could be used to better understand, assess, and act on potential risks in these areas? (See also: artificial intelligence)
6. Data Governance. Both at the reporting level (challenges around traceability – how was this report developed? where are its limitations?) as well as from a collection point of view (security, privacy), organizations are looking for strategies to ensure they have trusted, transparent and aggregated data. Although banks talk about achieving a “cradle-to-grave” management of data, in reality very few (none?) have reached that holy grail. (See also: GDPR.)
7. Artificial Intelligence. How can we leverage new technology to reduce manual data collection, and learn more from the data that we have? Can techniques like machine learning be used to analyze and quantify textual data that can then be factored into risk measurement? (For example, think about how customer feedback could be mined using natural language analysis to contribute to a reputation risk score.)
8. GDPR. You’ll be seeing this acronym a lot in the next year. It’s the European Union’s General Data Protection Regulation, which comes into effect in 2018. It touches on issues of data governance, privacy, and regulatory compliance.
Overall, I came away from the conference with a new appreciation for how deeply these “2nd line” professionals care about ensuring their organizations are “doing the right thing” and upholding the highest standards of legal, moral and ethical behaviour. I’m looking forward to continuing these conversations in the coming months.