Operational Risk Management

As companies grow, innovate and embrace digitalisation over time, they must set up and maintain agile practices in the management of their operational risk.

This includes the effectiveness and efficiency of their control environment to facilitate informed decision making, achieve strategic goals and meet the rising expectations of both internal and external stakeholders, such as regulators, investors and consumers.  

The Operational Risk Process is articulated over five pillars:
  • Risk appetite
  • Risk identification
  • Risk assessment
  • Risk mitigation
  • Risk monitoring


Operational Risk is described by the Basel Committee on Banking Supervision as:

"the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems and operations risk, people related risks and health and safety, and information technology risks."

We help you manage your operational risk as you grow, innovate and embrace digitalisation.

PwC brings together experience across all operational risk management components to help you get the most out of efficient Operational Risk Management.

The success of Operational Risk Management is realised through the full implementation of an Operational Risk Framework tailored around five elements:

  • Culture and Awareness
  • Policies and Procedures
  • Data gathering:
    • External Loss Data
    • Risk and Control Self-Assessment
    • Scenario Analysis
    • Key Risk Indicators
  • Measurement
  • Reporting

Our Services

Governance and Risk Appetite

Appropriate governance is essential for effective and adaptable operational risk management. It is even more important for the people who are responsible for ownership of the ORM programme who will be unable to make a positive impact without a robust governance structure.

  • Guidance in respect of the upcoming regulatory changes and impact analysis
  • Guidance regarding the implementation of the Operational Risk Function, taking into consideration the regulatory requirements and best market practices 
  • Assessment of the governance ownership structure over the ORM function: CRO, COO, CFO, CCO, others
  • Risk appetite: support on its definition / enhancement and its relationship with the risk capacity, the risk tolerance and the risk limits of the company
  • Risk appetite: support on the translation of the Risk appetite defined at the organisation level down to the business units
  • Business Continuity and Recovery Plan: support on its development / enhancement

Risk Culture and Awareness

Is your risk culture where it should be? 

To stay out of the headlines, companies should identify, monitor, and manage their risk culture.

  • Board and Management training
  • Operational Risk Manager training
  • First Line of Defence training
  • Upskilling workshop on risk management (for ManCos) and definition of areas of focus
  • Assessment of the risk culture maturity


Policies and Procedure

Policies and procedures represent a vital "playbook" that aligns an organisation’s strategy and overarching policies to its operations, risk management and compliance responsibilities. At a time of continuous transformation and regulation, policies and procedures are even more important in a world requiring more transparency over their counterparties.

  • Policies and procedures governance framework
  • Policies and procedures maturity assessment
  • Policies and procedures tool / repository
  • Policies and procedures drafting and process mapping
  • Review of the Risk Management procedures in the context of process transformation
  • Business Continuity and Recovery Plan: support on its development / enhancement

Operational Events - Internal and External

Internal and external events (gains or losses) are one of the most important components of the ORM framework, as they are objective and relate to actual events. Collected on a regular basis, this data can yield insights into how to prevent further risks.

  • Implementation, assessment or enhancement of the internal loss / gain data capture process
  • Root cause analysis of the internal loss / gain data in relation to the business model
  • Assessment of risks related to project / changes
  • Design of action plans
  • Creation of data visualisation dashboards for the risk manager, board, management, internal audit and external audit


Risk & Control Self-Assessment

Identify and map risks and mitigating controls to processes and procedures, and facilitate a Risk & Control Self-Assessment process. Identify operational or compliance risks where additional controls are required.

  • Provide a flexible but structured approach to designing or improving the RCSA throughout the company 
  • Identify and map key risks of the company and/or key processes
  • Classify and quantify the risks identified (impact and probability)
  • Identify and map mitigating controls to their related processes and risks, especially for oversight of delegates
  • Specific review of insurable risks and identify which risks might be insured
  • Gap analysis against best practices to improve business performance
  • Support on the RCSA for complex matters such as Information Technology, cyber, privacy or sustainability
  • Standardise and benchmark processes, where the same functions are performed in multiple locations
  • Creation of data visualisation dashboards for the risk manager, board, management, internal audit and external audit

Scenario analysis

The COVID-19 situation has made the exercise of stress testing and business continuity planning concrete.

  • Use the scenario analysis methodology
  • Support on the scenario analysis for complex matters such as cyber, privacy or sustainability
  • Creation of data visualisation dashboards for the risk manager, board, management, internal audit and external audit


Key Risk Indicators

KRIs are an essential part of making the ORM framework both efficient and effective. However, most KRIs are either incomplete or do not cover the risks of the company.

  • Identify the KRIs to support the risks of the company, especially with third-party vendors
  • Gap analysis against best practices to improve the definition of the KRIs
  • Support on the definition of KRIs for complex matters such as cyber, privacy or sustainability
  • Support on the review and analysis of KRIs
  • For third-party vendors, support on the review of controls reports (i.e. ISAE 3402, SOC1, SOC2) for effective information gathering
  • Creation of data visualisation dashboards for the risk manager, board, management, internal audit and external audit


Risk Measurement

Compiling all risk data (i.e. internal and external gain / loss data, RCSA, Scenario Analysis, KRIs) is a challenge. Taking the right decisions based on them is another.

  • Assess the risk measurement process and methodology and more particularly the comparability and compatibility of various risk data
  • Creation of data visualisation dashboards for the risk manager, board, management, internal audit and external audit

Risk Reporting

Risks are better tackled when information about them is distributed within the company, especially to key stakeholders, who must receive adequate supporting information.

  • Creation of day-to-day data visualisation dashboards for the risk manager
  • Creation of Executive Summary and Detailed visualisation dashboards for other actors such as the Board, management, internal audit or external audit

ORM Tool Selection and Implementation

Organisations usually have multiple disconnected systems and often use Excel or Word documents to support their day-to-day operational risk management activities.

A dedicated tool can help streamline risk management processes, enhance operational risk incident management, and ease data interpretation and reporting.

  • Define business requirements
  • Select IT solution provider
  • Tool implementation support


Training - ORM framework

PwC's subject matter experts can provide you with a multilayer dedicated training curriculum to address the various aspects of the Operational Risk Management framework, specifically targeted to your company and your various teams (e.g. Front Office, Risk Management, Internal Audit, etc.). 

Contact us

Alexandre Lambin

Audit Partner, Internal Audit Leader, PwC Luxembourg

Tel: +352 621 334 226

Jean-Philippe Maes

Advisory Partner, Banking Risk Leader, PwC Luxembourg

Tel: +352 49 48 48 2874