Gustavo Ortega, Director, Operational Risk at AIG, speaks with the Center for Financial Professionals ahead of the 6th Annual Risk Americas 2017 Convention. He discusses whether operational risk management can survive as a risk discipline in a simpler and more de-regulated market, and whether accountability for operational risk lies with the CRO or the CEO.
Gus, can you tell the Center for Financial Professionals about yourself and your experience within the industry?
I have over 15 years of industry experience focusing on enterprise risk management, risk strategy and internal audit at global multi-national institutions, such as Morgan Stanley, UBS Investment Bank, Commerzbank (fka Dresdner Kleinwort), and currently American International Group, Inc. (AIG). I am the head of corporate operational risk management at AIG with direct responsibility for maintaining the firm’s op risk policy, governance, frameworks and eGRC tool in order to execute a cohesive and globally consistent op risk management system.
Does operational risk management survive as a risk discipline in a simpler and a more de-regulated market?
The political landscape and current regulatory environment are rapidly changing. However, the primary answer to this question is yes – operational risk management is a “must have” for financial institutions regardless of the political and regulatory implications. We cannot forget that operational risk remains a serious threat to the financial industry, and this has been evidenced through material operational risk losses suffered by financial institutions over the past decade. Enterprise risk management (ERM) is the overarching process that provides a single view of all risks within an organization. Such risks include financial, operational, and strategic risks. By definition, ERM employs a comprehensive system to assist business leaders in identifying, measuring, prioritizing, and managing risks that affect their strategic business goals. Operational risk forms part of ERM, and it is defined as the risk of loss, or other adverse consequences, resulting from inadequate or failed internal processes, people, systems, or from external events. Operational risk includes legal risk but excludes business and strategic risks. Over the past 10 years, financial institutions, in particular banks, have suffered very significant operational risk losses, suggesting that this is a risk discipline that simply cannot be ignored. Operational risk is pervasive, and its manifestations can occur on a large scale. Operational risk losses used to be reported in the millions; now these errors are being quantified in billions of dollars. Financial institutions like banks, insurers, hedge funds, credit unions and others must continue to apply operational risk frameworks and risk control disciplines that allow business leaders to identify control gaps, improve processes, and focus on risk remediation activities, irrespective of a specific regulatory mandate.
I believe business leaders have finally recognized the value of effectively managing operational risk through more robust systems and a greater need for sound risk management culture.
Does accountability for managing operational risk lie with the CRO or the CEO?
It is clearer than ever that operational risk has moved from an interesting risk management concept to an integral risk management practice. It is also important to note that there is a big difference between managing operational risk and providing risk oversight. The duty of the CRO is to uphold risk policies, maintain integrated risk and control frameworks, ensure sound governance and risk culture, and play a critical role in the organization’s decision-making on business strategy. The CEO is the executive responsible for an organization’s overall operations and performance. The CEO establishes the company’s business strategy and priorities, along with setting the corporate culture. This individual is held solely accountable for the organization’s success, and for its failures. Thus, accountability for the actual management of operational risk ultimately lies with the CEO. Risk officers define risk tools, deploy risk frameworks, adopt risk policies, provide risk oversight, and form part of the foundational framework that sets forth appropriate checks and balances, allowing businesses to conduct operations in a well-defined risk and control environment. However, risk is ultimately owned by the business executives (first line management), and it is the responsibility and accountability of first line staff to manage all risks, including operational risk, in accordance with each business’ risk appetite.
What’s ahead for operational risk management?
Operational risk remains one of the most crucial risks that financial institutions must effectively manage and quantify. For this reason, challenges remain around loss attribution, effective risk assessment practices, and integrating operational risk reporting systems. But for all the challenges that exist within operational risk management, there are also opportunities. For example, areas like cyber and conduct risk can benefit from unified frameworks already in use to manage operational risk. Many institutions have adopted operational risk methods to help them manage cyber risk, behavioral risk, regulatory, and third party risk. We should expect to see more convergence of risk disciplines over the next few years. I also believe that operational risk management will continue to dominate the risk agenda for the foreseeable future, in particular, for the banking and insurance industries.