Operational Risk Management Excellence Survey (executive report)

Financial institutions’ progress and challenges as they strive for Operational Risk Management Excellence

2018, kpmg.com



© 2018 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 793595


Contents

Introduction 2

Executive summary 3

Survey methodology and background 5

Background information and ORM organization 6

Strategy, value, and culture 10

Risk appetite and governance 14

End-to-end process risk assessment 20

Risk and control convergence 22

Control assurance and testing 24

Data, analysis, and reporting 28

Innovation and digital transformation 32

The road ahead 36


1 Operational Risk Management Excellence Survey executive report

Introduction

Operational risk continues to be a heightened area of focus for financial institutions as the industry wrestles with challenges arising from cyber threats, third-party concerns, trading, conduct and culture issues, stress testing requirements, and technological innovations driving greater opportunities for process automation and digitization. While regulators recently reduced some requirements for smaller institutions, they maintain a keen focus on ensuring firms develop and maintain effective risk management structures to enable them to identify, assess, monitor, and manage risk with ever-increasing speed and accuracy. These events, combined with management’s efforts to derive greater risk intelligence through data mining and analytics to improve strategic planning, business performance, and customer experience, contribute to an increased focus on operational risk.

Against this backdrop, and at the request of financial institutions, KPMG LLP (KPMG) and The Risk Management Association (RMA) teamed to update and redeploy the Operational Risk Management Excellence Survey (the “Survey”) completed across North America, Europe, and Asia in 2014 by over 85 leading financial institutions, including 20+ global systemically important banks (GSIBs). The objective of the survey continues to be to give participants insights into leading industry operational risk management (ORM) practices in support of enhanced business value and heightened regulatory expectations, to help firms gauge positioning against evolving industry practices, optimize their ORM frameworks, and enhance risk management.

While most sections of the survey remained the same to allow for a comparison of results over time, several updates were made to address current industry and regulatory trends. Changes to this year’s survey include an enhanced focus on end-to-end (E2E) process risk assessments and additional sections for risk and control convergence, control assurance and testing, and innovation and digital transformation. The following pages highlight key Survey results and next steps in the evolution of the ORM discipline.*

*The full set of questions, quantitative responses, and qualitative inputs is only available to Survey participants.


Executive summary

The results of the Survey reveal that financial institutions of all sizes continue to make important strides with respect to the following areas:

— Increased use of the ORM framework to challenge business models

— Heightened attention toward strengthening risk culture

— Broadened deployment of operational risk appetite at the enterprise, line of business, and legal entity levels

— Further standardization of risk and control taxonomies, rating scale, and linkage between processes, risks, and controls

— Greater effective challenge of first line of defense (first LOD) risk activities

— Broadened efforts to converge risk and control assessments, driven by executives across the first and second LODs

— Enhanced ORM data supported by clear governance, standards, and owners

— Continued adoption of innovative technologies to drive process excellence and analytics in ORM.

There is, however, significant work to be done by financial institutions as they strive toward operational risk excellence, including:

— Further positioning the ORM framework so that it is fully aligned with firm strategy and seen as an enabler of strategic change, business performance, and customer experience

— Elevating first and second LOD involvement and results in strengthening risk culture

— Enhancing first LOD communication and escalation of issues outside of established risk appetite

— Improving communication between the first and second LODs on emerging risks and changes to the internal and external environment

— Deploying E2E process risk assessments across business lines and divisions to develop a more complete picture of risk, dependencies, hand-offs, and redundant controls

— Expanding convergence efforts beyond risk taxonomies and rating scales to drive increased efficiencies and more effective analysis and management of risk

— Enhancing control testing to create more dynamic and efficient monitoring, escalation and management of exposure

— Establishing robust operational risk dashboards supported by integrated data and tools to deliver consistently meaningful reporting to business lines, risk teams, executive management, and the board.

The goal to achieve enhanced risk management while driving greater process efficiency, automation, and digitization, in the midst of a changing regulatory environment, will require greater strategic planning and dexterity in execution. The promise is that ORM excellence will deliver a competitive advantage and increased return on investment to firms able to achieve it.


Survey methodology and background

The 64-question Web-based survey, which was developed in collaboration with leading institutions, focused on the following key areas of operational risk excellence and heightened expectations for risk management:

— Strategy, value, and culture, including queries about the benefits and objectives derived from the institutions’ enterprise ORM framework, and steps taken to strengthen culture

— Risk appetite and governance, including queries about the level of operational risk appetite deployment across the firms and alignment of risk appetite with strategy and incentives

— E2E process risk assessment, including queries about the scope of an institution’s E2E assessments, mitigating actions, and incorporation of regulatory exposures

— Risk and control convergence, including queries about current convergence maturity, areas of focus, internal and external drivers, and the firms’ convergence agenda

— Control assurance and testing, including queries about scope, implementation and enhancement efforts, and level of effort across the first and second LOD

— Data, analysis, and reporting, including queries about an institution’s efforts to accurately and completely aggregate, analyze, and report ORM exposures

— Innovation and digital transformation, including queries about near-term objectives, budget allocation, digital transformation maturity, and primary challenges.

The Survey consisted of multiple-choice questions that gauged the evolution of ORM practices and their deployment. Respondents could also elaborate on their responses by providing qualitative inputs.

Survey participants were composed of North American financial institutions of all sizes, including global systemically important financial institutions (G-SIFIs), large national banks, and regional banks. Respondents were categorized by asset size, with 44 percent of respondents at or above $250 billion in assets and 56 percent below $250 billion in assets. Survey results provided insights into evolving industry practices and areas where large institutions and smaller institutions diverge.

Forty-six percent of all respondents were commercial banks. The remaining respondents included investment banks, brokerages, investment management firms, fintechs, and other institutions.


Background information and ORM organization

As noted in Chart 1 below, respondents above and below $250 billion reported that the following processes and functions were directly under ORM management:

Chart 1: What processes and functions are directly under the corporate ORM department (second LOD)? (select all that apply)

Series: less than $250 billion; $250 billion or more. Multiple responses allowed. Functions charted: ORM policies, ORM risk appetite, ORM framework, ORM risk analysis, ORM risk aggregation/risk profile, RCSAs, key risk indicators (KRIs), ORM risk monitoring, internal loss events, external loss events, scenario analysis/stress testing, ORM capital model, vendor risk management, new product review, BCP/DR, ORM risk/control testing, IT risk management, information security/cybersecurity, model governance, validation, reputational risk management, physical security, financial controls/SOX, fraud/investigations, other, none of the above (bar values not reproduced in this text version).

*For the “Other” category, respondents noted corporate insurance, independent IT oversight, independent reputational risk oversight, and second LOD oversight of sales practices, payments, operations, and fraud.


Results comparison

The responses of participants of all sizes were generally in line. The major differences were:

— Scenario analysis/stress testing – 91 percent of respondents over $250 billion reported it was under ORM management versus 57 percent of respondents under $250 billion.

— Financial controls/SOX – 29 percent of institutions less than $250 billion reported it was under ORM management versus no respondents over $250 billion.

Change over time

2018 results were generally in line with 2014 results. The major changes over time were:

— An increase in firms at or above $250 billion and those below $250 billion noting ORM capital model is directly under ORM management (62 percent and 30 percent, respectively, in 2014 versus 73 percent and 57 percent, respectively, in 2018).

— An increase in vendor risk management under ORM (~25 percent in 2014 versus ~50 percent in 2018).

Firms at or above $250 billion and those below $250 billion agreed that information/cybersecurity, risk aggregation, vendor risk management, risk appetite, RCSAs, and risk monitoring are areas of most importance to regulators. Seventy-nine percent of smaller institutions and 64 percent of the larger institutions also counted the ORM framework among the most important areas. Conversely, larger institutions noted model governance as one of the most important areas at a much higher rate than their smaller counterparts. The biggest disparity in responses between the two groups came with respect to scenario analysis/stress testing where, as can be expected given recent changes to regulatory requirements, 73 percent of respondents at or above $250 billion noted this as one of the most important focus areas, compared to only 38 percent of those below $250 billion.

Among respondents at or above $250 billion in assets (i.e., large institutions), 64 percent have fewer than 50 risk managers per line of business (LOB)/division embedded within the first LOD (Line 1b), while 18 percent have greater than 500 risk managers (Line 1b) per division. Among respondents below $250 billion in assets, all respondents have fewer than 50 risk managers embedded in the first LOD, and 21 percent reported having no first LOD risk managers.

Among large institutions, 73 percent have more than 50 FTEs in their second LOD ORM department, and 82 percent reported having a centralized ORM organizational model. Among the regional and smaller institutions, there was a relatively even spread of responses indicating second LOD ORM departments ranging in FTE count from less than 11 to greater than 50, and 93 percent reported having a centralized ORM organizational model.


Larger and smaller institutions also vary in areas that they aim to enhance over the next two years. As noted in Chart 2 below, respondents identified the following enhancement areas of focus:

Chart 2: What ORM areas have you targeted to enhance over the next two years? (select all that apply)

Series: less than $250 billion; $250 billion or more. Multiple responses allowed. Areas charted: RCSAs, KRIs, ORM risk analysis, ORM risk monitoring, ORM risk aggregation/risk profile, new product review, ORM risk appetite, information security/cybersecurity, ORM framework, IT risk management, ORM risk/control testing, scenario analysis/stress testing, internal loss events, external loss events, vendor risk management, ORM policies, fraud/investigations, reputational risk management, validation, BCP/DR, financial controls/SOX, ORM capital model, model governance, other, physical security, none of the above (bar values not reproduced in this text version).


Results comparison

While the majority of small and large institutions listed RCSAs as an area for enhancement, key differences among institutions include:

— KRIs – 86 percent of respondents under $250 billion reported RCSAs as a target for enhancement, versus only 36 percent of respondents over $250 billion.

— Risk/control testing – 43 percent of institutions less than $250 billion reported this as a target for enhancement, versus 82 percent of respondents over $250 billion.

— Risk analysis/monitoring – Greater than 70 percent of respondents less than $250 billion listed these as targets for enhancement, versus less than 50 percent of institutions over $250 billion.

— Vendor risk management – 29 percent of institutions under $250 billion listed this as a target for enhancement, versus 64 percent of respondents over $250 billion.


Strategy, value, and culture

ORM alignment with strategy is critical to achieving sustainable value-add, and to ensuring effective risk identification, assessment, and mitigation. Leveraging a firm’s ORM framework to challenge business models, including new products, mergers, acquisitions, and divestitures, is a telling indicator of how well operational risk is considered in firm strategy and execution. On a positive note, over 90 percent of firms at or above $250 billion in assets fully or partially leverage their ORM framework to challenge business models (36 percent and 55 percent, respectively – see Chart 3). This is up 20 percent from survey results four years ago and is an encouraging sign of improvement.

However, results are less encouraging for firms below $250 billion in assets. Consistent with prior results, only 50 percent of these firms fully or partially leverage their ORM frameworks to challenge business models (21 percent and 29 percent, respectively). On a positive note, 21 percent (versus 10 percent four years ago) of smaller firms are fully leveraging their ORM frameworks to challenge business models. These results indicate that there is still much work ahead for operational risk to be incorporated into decision making when launching and implementing strategic change.

Respondent comments

When asked if they leverage their ORM framework to challenge models, respondents stated:

— “ORM framework currently leveraged for new products, but not necessarily mergers, acquisitions, and divestitures.”

— “We employ frameworks to evaluate mergers/acquisitions and new, modified, expanded product and services to ensure alignment with Enterprise Risk Appetite, including Operational Risk.”

Chart 3: Do you leverage your ORM framework to challenge business model options and returns, including new products, mergers, acquisitions, and divestitures?

Response categories: fully; partially; beginning; do not leverage. Series: less than $250 billion; $250 billion or more (the fully and partially shares are quoted in the text above; remaining chart values not reproduced in this text version).


Respondent comments

When asked what benefits they have derived from their ORM framework, respondents noted:

— “We have a fully developed ORM framework, but have identified opportunities to address optimization, efficiency, and focus on client centricity. In doing so, we expect to realize additional benefits in the following areas: strategic objectives, cybersecurity program, enhanced risk language, efficiency, improved customer satisfaction, new initiative/new product review, and optimized business processes.”

— “Enhanced communication between three lines of defense.”

Chart 4: What benefits have you derived from your ORM framework? (select all that apply)

Series: less than $250 billion; $250 billion or more. Multiple responses allowed. Benefits charted: risk mitigation, regulatory standing, enhanced business processes, enhanced risk language, loss avoidance/reduced events and issues, enhanced new initiative/new product review, enhanced cybersecurity, improved stress testing results, enhanced reputation, efficiency, decreased conduct risk, strategic objectives/return, improved customer satisfaction, other, none of the above (bar values not reproduced in this text version).

Key benefits

When asked to describe the benefits they derived from their ORM frameworks, risk mitigation was noted as a top response by firms above and below $250 billion in assets (82 percent and 69 percent, respectively). However, consistent with four years ago, regulatory standing was still the top benefit recognized by firms at or over $250 billion in assets (91 percent). Other top responses for larger firms included enhanced business processes, new products, cybersecurity, and stress testing. For firms below $250 billion, other top benefits included enhanced business processes and risk language. Consistent with four years ago, it is interesting to note that achieving strategic objectives/return and improved customer satisfaction were not cited as top benefits. It is hoped that these benefits will increase over time as the industry continues to focus ORM on business strategy and value (see Chart 4).


Risk culture

The topic of risk culture was added as a section to the survey due to its importance and impact on the industry. When asked what areas of culture firms focus on, institutions at and above $250 billion and those below $250 billion agreed tone at the top/governance was their number-one area of focus (91 percent and 69 percent, respectively). Code of conduct and instilling accountability were also noted as top areas of focus. For larger firms, monitoring high-risk employees (surveillance) was another important area, and 30 percent or more of all firms agreed that on-boarding/training and tone at the middle were areas of focus (see Chart 5).

Respondent comments

When asked what aspects of culture their organization is currently focused on, respondents stated:

— “Risk management as part of day-to-day business, incentive comp, change management, conduct risk.”

— “Culture is a to-do item and given its enterprise nature, it is a bit more difficult to address if not broadly agreed/implemented.”

— “Our organization has not identified gaps within culture. While there are no concerns, we are continuing to refine certain aspects such as monitoring high-risk employees for potential misconduct, onboarding and training, performance management, assessing candidates at hire for cultural fit, and instilling accountability.”

Chart 5: Which of the following aspects of culture is your organization currently focused on? (select all that apply)

Series: less than $250 billion; $250 billion or more. Multiple responses allowed. Aspects charted: tone at the top/governance, code of conduct, instilling accountability, culture metrics, monitoring high-risk employees for potential misconduct (surveillance), onboarding/training, tone at the middle, assessing candidates at hire for cultural fit, performance management/disciplinary standards, culture assessments/audits, event-driven communication, other, none of the above (bar values not reproduced in this text version).


Risk appetite and governance

Effectively defining operational risk appetite (i.e., the aggregate level and type of risk the board and management are willing to assume to achieve the bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements) and then monitoring and managing that appetite remains a key element for ORM excellence. Survey results indicate that firms are working to define and manage their operational risk appetite, but additional work is needed to fully deploy both qualitative and quantitative measures of operational risk appetite across the enterprise. Consistent with results from the 2014 survey, the vast majority of institutions reported that they define operational risk appetite at the enterprise level.

For banks over $250 billion, 73 percent defined and cascaded operational risk appetite at the business line level, and 64 percent at the legal entity level, both significant increases from 2014 results. This contrasts steeply with banks under $250 billion, for which 25 percent have defined and cascaded operational risk appetite to the business lines, and only 17 percent at the legal entity level. For both groups, results dropped significantly after that, with operational risk appetite definitions still in the beginning stages at the location, process, and product levels.


Chart 6: Does the second LOD (risk management) consistently escalate issues that are outside the firm’s risk appetite/thresholds? (Response options: Fully, Partially, Beginning to, Not yet. Groups: Less than $250 billion (Non-AMA) and $250 billion or more (AMA); 2014 versus 2018.)

With respect to operational risk appetite monitoring and management, 82 percent of respondents at or over $250 billion and 57 percent of those below $250 billion indicated that the second LOD is fully escalating issues that exceed their firm’s operational risk appetite. While results for the smaller institutions stayed roughly the same from 2014, this marks an increase of 28 percentage points for the larger institutions. Forty-three percent of respondents under $250 billion indicated that the second LOD is only beginning to escalate these issues (see Chart 6).

“Less than $250 billion” and “$250 billion or more” were used as proxies for “Non-AMA” and “AMA,” respectively, to compare results over time


On the other hand, 64 percent of institutions at or above $250 billion and only 29 percent of those below $250 billion indicated that the first LOD is consistently escalating issues that are outside of the firm’s risk appetite/thresholds (see Chart 7). This is clearly an area that needs attention and improvement by firms of all sizes if they are going to effectively manage risk.

Notably, all responding institutions at or above $250 billion reported that ORM roles, responsibilities, policies, and procedures are clearly defined and understood by both the first and second LODs. But, 21 percent of respondents below $250 billion reported that these are defined and understood only by the second LOD.

Chart 7: Does the first LOD (business line units) consistently escalate issues that are outside the firm’s risk appetite/thresholds? (Response options: Fully, Partially, Beginning to, Not yet. Groups: Less than $250 billion and $250 billion or more. Percentages may not equal 100 due to rounding.)


With respect to communication between the first and second LODs on current and emerging risks, and on changes to the internal and external control environment, there is significant disparity between our larger respondents and smaller institutions. For example, 91 percent of respondents over $250 billion reported that communication between the first and second LOD on current and emerging risks was effective, and 100 percent rated communication on changes to the internal and external environments as effective. However, only 50 percent of smaller institutions rated the effectiveness of communication between the first and second LOD as effective (see Chart 8).

Chart 8: How effective is communication between the first and second LODs on current/emerging risks and on changes to the internal and external environment? (Two items: communication on current/emerging risks; communication on changes to the internal and external environment. Response options: Effective, Improving, Limited, Weak. Groups: Less than $250 billion (Non-AMA) and $250 billion or more (AMA); 2014 versus 2018.)


ORM key risk indicators

Linking key risk indicators (KRIs) to risk appetite and using them for early warning notification are two ways institutions have been enhancing their risk monitoring, and thus the overall maturity of their ORM programs.

With respect to triggers for early warning notification and management, large and small institutions responded similarly across the board. For example, just under half of both groups indicated that their ORM KRIs partially include early warning triggers, and roughly a quarter answered that they are “beginning to” (see Chart 9).

Still, an average of only 23 percent of respondents indicated that their ORM KRIs fully include triggers for early warning notification and management, pointing to a clear area of improvement for the industry as firms look to change their posture from reactive to proactive. Interestingly, there was a sharp decline since 2014 in the percentage of firms at or above $250 billion who reported that their ORM KRIs fully included these triggers (60 percent in 2014 versus 27 percent in 2018).

Respondent comments

When asked if their ORM KRIs included triggers for early warning notification and management, one respondent noted:

— “We have a robust KRI program that contains two thresholds: the first threshold is more conservative than the second, allowing for early management warning and attention. While the KRI program is fully deployed across the company, we continue to identify opportunities to ensure our KRIs measure the ‘right’ risks and provide leading indicators of changes to risk.”

Chart 9: Do your ORM key risk indicators (KRIs) include triggers for early warning notification and management? (Response options: Fully, Partially, Beginning to, Not yet. Groups: Less than $250 billion and $250 billion or more. Percentages may not equal 100 due to rounding.)


End-to-end process risk assessment

The ability to effectively identify, assess, measure, and manage risk across E2E processes is vital for operational risk excellence and superior customer experience. As a result, KPMG and RMA enhanced the focus on E2E assessments in the 2018 survey. For firms at or above $250 billion, only 9 percent stated they conducted E2E process assessments across all lines of business/divisions, while 45 percent of respondents stated they had conducted some E2E process assessments and 27 percent were just starting (see Chart 10). For firms under $250 billion, none had fully deployed process risk assessments and 21 percent were just starting efforts, while another 36 percent were in the planning stage.

Chart 10: Have you conducted E2E process risk assessments? (Response options: Fully across all lines of business/divisions; Across some lines of business/divisions; Just starting; Planning to start; Haven’t considered starting; Other. Groups: Less than $250 billion and $250 billion or more. Percentages may not equal 100 due to rounding.)


Respondent comments

When asked which business units collaborate with other areas in performing E2E risk assessments, respondents also listed:

— Credit Risk

— Operational Risk

— Model

— Third Party

— Business Continuity

— Data Management

— First LOD Risk Management

— Product Managers

— Sales Teams

Chart 11: Which of the following business units collaborate with other areas in performing your E2E risk assessments? (select all that apply; multiple responses allowed) (Categories: Operations, Technology, Compliance/Legal, Finance, HR, Other first-line areas, Other risk management areas, None of the above (it is done independently). Groups: Less than $250 billion and $250 billion or more.)

Firms at or above $250 billion also had a higher level of cross-functional involvement in their E2E assessments. For example, 80+ percent stated Operations, Technology, and Compliance participated in E2E assessments, and 40+ percent stated Finance and HR participated (see Chart 11). In contrast, firms under $250 billion had half the level of cross-functional participation as larger firms. Larger firms also applied root cause analysis to issues, and included metrics to monitor successful closure of gaps, at a much higher rate than smaller institutions.


Risk and control convergence

Financial services organizations continue to be under heavy pressure to complete numerous time-demanding risk assessments to meet a variety of regulatory requirements. Often assessments are developed in departmental silos with distinct policies and procedures, governance, methodologies, risk and control definitions, rating scales, and tools/systems. The burden on first and second LOD teams is enormous. The plethora of approaches, taxonomies, and risk and control definitions and ratings has made aggregation and analysis a real challenge for business and risk teams and executive management. The result has been a growing effort across the industry to converge assessments, standardize data and terms, simplify approaches and tools, and drive greater efficiencies and enhanced risk management.

Survey results indicate that nearly all firms have plans to converge assessments across multiple areas in ORM, if they have not already started. As expected, most progress in this area has been driven at institutions at or above $250 billion. However, the progress has been largely limited to a few convergence areas including risk/control rating criteria and risk/control libraries (an average of 42 percent and 31 percent of respondents, respectively, have fully converged these areas). Convergence efforts are largely underway in the areas of tools and technology; timing and assessment process, governance; and reporting (see Chart 12).

Chart 12: At what stage of risk assessment convergence is your organization for each of the following areas? (Areas: Risk and control rating criteria; Risk and control library; Control testing/assurance; Tools & technology; Timing & assessment process, governance; Sign-off/attestation; Challenge/validation; Assessment granularity; Reporting; Other. Response options: Fully converged, Started but incomplete, Plan to converge, No plan to converge, N/A. Groups: $250 billion or more and Less than $250 billion. Percentages may not equal 100 due to rounding.)


It is interesting to note that many institutions either have not yet started convergence efforts for, or do not yet have plans to converge, their areas of control testing/assurance (average of 44 percent), sign-off/attestation (average of 38 percent), challenge/validation (average of 43 percent), and assessment granularity (average of 43 percent). These responses indicate that while many institutions have scratched the surface on convergence, there is tremendous unrealized value.

Operational efficiency and process optimization were listed as the primary drivers of convergence efforts in institutions above and below $250 billion (93 percent and 91 percent, respectively).

When asked who is driving the convergence agenda in their organization, respondents below $250 billion listed the chief risk officer most often (69 percent), followed by the operational risk and enterprise risk officers (38 percent each). However, institutions above $250 billion listed the operational risk officer most often (82 percent), followed by the chief risk officer (73 percent), and the enterprise risk officer (36 percent) (see Chart 13).

Consistent with the message that convergence efforts have progressed further in larger institutions, it appears that these institutions often have simultaneous support for convergence initiatives from multiple executives. A smaller number of respondents listed business line leaders as drivers for their firm’s convergence agenda (15 percent under $250 billion and 27 percent at or above $250 billion). Without question, as firms strive for greater efficiency and more effective and proactive risk management, risk convergence efforts will likely expand and remain a top operational risk objective.

Chart 13: Who is driving the convergence agenda in your organization? (select all that apply; multiple responses allowed) (Categories: Chief risk officer, Operational risk officer, Enterprise risk officer, Executive management, Compliance risk officer, Business line leaders (1st line), Internal audit, Regulators, The board, Other, There are no convergence efforts currently underway. Groups: Less than $250 billion and $250 billion or more.)


Control assurance and testing

Demands from management and the board for robust control environments continue to escalate and are reinforced by regulators, shareholders, and other stakeholders. KPMG and RMA added this section on control assurance and testing to highlight key developments in the industry. Important results include a finding consistent with the three lines of defense (third LOD) model in that 80 percent of firms at or above $250 billion stated business lines (first LOD) conduct control testing. Eighty percent also stated that Compliance conducts control testing, and 50 percent stated Operational Risk conducts control testing (see Chart 14).

In contrast, only 64 percent of firms under $250 billion stated that business lines conduct control testing, and only 29 percent stated Operational Risk conducted testing. As firms mature and align with the 3rd LOD framework, it is imperative that the businesses own control testing and the second LOD challenges that testing and performs limited sample testing of its own.

Respondent comments

When asked which functions are currently performing control testing across their organization, respondents stated:

— “ORM typically relies on first LOD testing but does complete limited testing in targeted areas.”

— “Technology includes a first LOD risk office, which executes a risk-based assessment approach for all technologies. This includes risk-based testing of controls that are general and application risk category specific.”

— “Testing utility tests compliance and operational controls and sits within the second LOD.”

Chart 14: Which functions are currently performing control testing across your organization? (select all that apply; multiple responses allowed) (Categories: Compliance, Internal Audit, Business line units (1st line), Finance, Operational Risk, Technology, Other, None of the above. Groups: Less than $250 billion and $250 billion or more.)


As noted in the previous section on risk convergence, maintaining effective control libraries assists firms to understand, aggregate, and address control issues. In terms of the number of unique controls, 82 percent of firms at or above $250 billion stated they had more than 3,000 unique controls. In contrast, 71 percent of firms under $250 billion had 3,000 or fewer unique controls.

Of those unique controls, 30 percent of larger firms stated 25 percent or more of their unique controls were consistently defined across businesses versus 23 percent for smaller firms. Even more telling, 20 percent of larger firms and 15 percent of smaller ones stated that 0 percent to at best 5 percent of unique controls were consistently defined across businesses, which leaves enormous room ahead for enhancing risk management efficiency and effectiveness (see Chart 15).

There is clearly a lot of work ahead for firms to streamline, group, and aggregate controls for more effective reporting, prioritization, and resource and business planning.

Chart 15: Approximately how many controls are standard (e.g., consistently defined across lines of business/divisions)? (Response bands: 0%, 1–5%, 6–10%, 11–15%, 16–20%, 21–25%, Greater than 25%. Groups: Less than $250 billion and $250 billion or more. Percentages may not equal 100 due to rounding.)


In terms of volume, 73 percent of larger firms anticipate control testing volume will increase over the next 12–18 months versus 57 percent for smaller firms. With regard to staffing, 18 percent of larger firms noted 1,000+ FTEs performing control testing, and 45 percent noted 1–50 FTEs. Twenty-three percent of smaller firms noted a high of 201–500 first LOD control testing FTEs, while about 38 percent of smaller firms had no first LOD control testing FTEs. FTE counts were less for second LOD control testing functions (see Chart 16). Half of all respondents stated they were not adequately staffed, indicating an important need to augment staff and/or develop new approaches to automate control testing.

Respondent comments

When asked how many FTEs are currently performing control testing in the second LOD, respondents clarified:

— “We have one dedicated second LOD testing function within Compliance responsible for centralized testing of compliance controls. In addition, we have between 51 and 100 second LOD FTEs that perform self-testing of RCSA controls (inclusive of credit, compliance, market, model, and operational risk controls).”

— “Control testing performed in Compliance, but not in Operational Risk.”

— “2nd LOD control testing done by Compliance, Model Risk, BCP, etc. – none by ORM.”

Chart 16: Approximately how many FTEs are currently performing control testing within the second LOD? (Response bands: 0 (control testing is not performed in the second LOD), 1–10, 11–50, 51–100, More than 100. Groups: Less than $250 billion and $250 billion or more.)


Data, analysis, and reporting

ORM data, analysis, and reporting

The ability to completely and accurately aggregate, analyze, and report ORM exposures remains an essential capability of ORM excellence. Data-related issues are increasingly important to institutions of all sizes as the regulatory community continues to stress the importance of sound risk data governance, aggregation, integration, and reporting. The Survey reveals that the industry is continuing to make strides with respect to data quality, with marked improvement from 2014 results. For example, 100 percent of larger respondents and 85 percent of smaller respondents stated that their ORM data is fully, or partially, supported by effective governance, standards, and owners (up from 85 percent and 60 percent in 2014; see Chart 17).

Chart 17: Is your operational risk data supported by clear governance, standards, and owners? (Response options: Fully, Partially, Beginning to, Not yet. Groups: Less than $250 billion (Non-AMA) and $250 billion or more (AMA); 2014 versus 2018. Percentages may not equal 100 due to rounding.)


Further, 82 percent of respondents at or above $250 billion and 57 percent of those under $250 billion state they validate, or partially validate, the accuracy and completeness of their ORM data through quality assurance (QA) processes (unchanged from responses in 2014). One respondent stated that, while their institution does have a function to test data, it does not test the accuracy of reporting that comes out of the GRC tool. Another respondent noted that their second LOD performs review and challenge at various points in the process, followed by substantial QA work by Enterprise Risk Management on the higher risk anomalies.

Firms at or above $250 billion and those below $250 billion responded similarly when asked if they have established an ORM dashboard to alert executive management and the board of changing risk conditions and to support decision making. For example, only 27 percent of the larger respondents and 21 percent of the smaller respondents have fully established dashboards (see Chart 18) to dynamically report risk exposures and their impacts on business strategy and performance.

Chart 18: Have you established an operational risk dashboard to alert executive management and the board of changing risk conditions and to support decision making? (Response options: Fully, Partially, Beginning to, Not yet. Groups: Less than $250 billion and $250 billion or more; 2018. Percentages may not equal 100 due to rounding.)

Respondent comments

Respondents revealed the following about their establishment of an ORM dashboard:

— “Dashboards are currently under development for all components of our framework, including risk assessments, new products, issues, events, indicators, and losses.”

— “Although not in the form of a dashboard, reporting to senior management and the risk committee of the board is in place.”

— “While we have fully embedded an executive management and board-level operational risk dashboard into our governance reporting, we continue to identify opportunities for evolution to capture changing conditions and emerging risks.”

— “This is a continued focus in the next 12–18 months.”


This represents a surprising decline from results for larger institutions four years ago (down from 80 percent in 2014). It is difficult to determine exactly what drove this more cautious self-evaluation, but it may reflect recent regulatory criticism on the quality of firms’ ORM data aggregation and reporting. Several respondents noted that improvements in this area are currently underway.

When asked if their ORM dashboard is supported by robust and integrated data, metrics, monitoring, and tools, about 36 percent of both groups reported “Not yet” or “Beginning to.” Interestingly, while 29 percent of smaller institutions reported that their ORM dashboards were “fully” supported, none of the larger institutions responded this way. The majority (64 percent) of larger institutions’ ORM dashboards were reported as “partially” supported. One institution noted that while it has implemented an eGRC program, their ORM dashboard has not yet been created.


Innovation and digital transformation

As firms across the industry continue to evolve and strengthen their ORM frameworks in line with business needs and regulatory expectations, many are seeking ways to innovate and stay ahead of a changing regulatory environment. By investing in automation and data analytics solutions, they are reducing costs and painting a more complete picture of their organizations’ current and emerging risks.

As noted in Chart 19 below, small and large firms responded that they are hoping to achieve similar results from their risk management digital transformation efforts in the next 12–24 months:

Transformation objective comparison

Small and large institutions listed similar objectives for their digital transformation in the near future:

— New insights into ORM – 91 percent of larger institutions and 85 percent of smaller institutions

— Enhanced reporting – 91 percent of larger institutions and 77 percent of smaller institutions

— Faster processes through automation – 91 percent of larger institutions and 62 percent of smaller institutions

Chart 19

What results do you hope to achieve from risk management digital transformation in the near future (12–24 months)? (select all that apply; multiple responses allowed)

Objective                                                               Less than $250 billion   $250 billion or more
New insights into ORM through data and analytics                        85%                      91%
Enhanced reporting                                                      77%                      91%
Faster processes through automation                                     62%                      91%
Reduced FTE count                                                       31%                      18%
Increased revenue                                                       31%                      9%
Other                                                                   0%                       0%
Risk management digital transformation not expected in the near future  0%                       0%


These results reflect that institutions are convinced of the value of digital transformation, yet they may not be making the necessary financial allocations to drive real change. For example, 20 percent of firms at or above $250 billion and 27 percent of those under $250 billion are not dedicating any portion of their annual risk budget to these initiatives (see Chart 20).

Chart 20

How much of your annual risk budget is dedicated to risk management digital transformation?

Budget bands shown: 0%, 1–5%, 6–10%, 11–15%, Greater than 15%

Less than $250 billion: 27% of respondents dedicate 0% of budget; the remaining chart segments read 9%, 9%, and 55% (band labels for these segments are not recoverable from the extracted text).

$250 billion or more: 20% of respondents dedicate 0% of budget; the remaining chart segments read 10%, 10%, and 60% (band labels likewise not recoverable).

The data indicates that most firms are dedicating between 1 percent and 10 percent of their risk budgets to digital transformation.


As it relates to their current progress implementing technologies to support innovation and digital transformation, larger and smaller institutions responded similarly. For example, 70 percent of respondents at or above $250 billion and 79 percent of those below $250 billion have at least started implementing a centralized GRC platform (see Chart 21). Others have noted plans to rationalize their multiple tools/platforms in the near future.

Larger institutions appear to be further along in implementing advanced data and analytics systems (73 percent “started but incomplete” versus 38 percent for smaller institutions) and automated regulatory and compliance reporting (64 percent versus 38 percent). While many firms are exploring process automation, particularly in the first LOD businesses and support areas, 25 percent of smaller respondents indicated they have no plans to implement process automation for risk management activities.

Chart 21

At what stage is your organization in implementing the following technologies?

Technologies: Centralized GRC platform; Advanced data and analytics systems; Automated regulatory and compliance reporting; Process automation; Other

Response stages: No plans to implement; Plan to implement; Started but incomplete; Fully implemented; N/A

$250 billion or more (stacked-bar segment values as extracted; assignment to technologies and stages is not recoverable beyond the figures cited in the text above): 10%, 27%, 27%, 45%, 55%, 100%, 64%, 9%, 73%, 20%, 50%, 20%

Less than $250 billion (as above): 21%, 50%, 54%, 15%, 25%, 38%, 33%, 42%, 38%, 38%, 8%, 8%, 29%

May not equal 100 percent due to rounding


The road ahead

ORM plays an essential role in the strategic success of all financial institutions, and the KPMG/RMA Operational Risk Management Excellence Survey results reveal that important strides continue to be made by institutions both above and below $250 billion. ORM is improving its contribution to business/risk decision making and strategic planning. It is helping to strengthen firms’ risk culture and developing enhanced risk appetite measures at the enterprise and line levels. It is helping firms move toward greater convergence on risk and control definitions, rating scales, assessment approaches, and reporting. It is fortifying its role to provide effective challenge and exploring innovative ways to drive greater efficiencies, automation, and enhanced analytics.

Going forward, banks and other financial institutions need to further enhance their risk management capabilities to identify and respond with ever greater speed to a growing stream of challenges and threats from multiple fronts, including rapidly spiking volatilities that challenge trading algorithms and systems, conduct failures and cultural breakdowns at the leadership and line levels, and more coordinated and pernicious cyberattacks and third-party events. Without question, those firms that develop more agile, responsive, and proactive risk management capabilities will find they are better equipped to address threats as they arise, better support their clients and customers, deliver higher returns to their shareholders, and provide a safer and sounder environment for the communities they serve. Leading firms will likely develop these capabilities in practical ways that drive efficiencies in risk processes, enhance risk analytics, and support convergence among nonfinancial risk disciplines. In the years to come, ORM excellence is expected to become a true differentiator between firms that thrive and those that do not; it will likely become an imperative for success.

KPMG and RMA appreciate financial institutions’ continued support of this survey and look forward to the further evolution of this important risk management discipline.


Brian J. Hart, Principal and National Lead, Enterprise Risk Governance, KPMG LLP. T: 917-287-4512 E: [email protected]

Phillip Bray, Principal, Enterprise Risk Governance, KPMG LLP. T: 704-516-1441 E: [email protected]

David L. Stone, Director, Enterprise Risk Governance, KPMG LLP. T: 703-380-7247 E: [email protected]

Edward J. DeMarco, Jr., Chief Administrative Officer and General Counsel, The Risk Management Association. T: 215-446-4052 E: [email protected]

Sylwia Czajkowska, Associate Director, Operational Risk, The Risk Management Association. T: 215-446-4071 E: [email protected]

Daniel Casey, Manager, Enterprise Risk Governance, KPMG LLP. T: 770-296-8626 E: [email protected]

Karsten Holmquist, Senior Associate, Enterprise Risk Governance, KPMG LLP. T: 678-477-5547 E: [email protected]

— Amy Matsuo, Principal, KPMG LLP

— Cameron Burke, Managing Director, KPMG LLP

— Christine Chan, Director, KPMG LLP

— Nicole Stryker, Director, KPMG LLP

— Jon Holland, Director, KPMG LLP

— Jonathan Mercado, Senior Associate, KPMG LLP

Contact us:

Special thanks to:

Contributions by:

kpmg.com | rmahq.org


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
