Clients: Fusion Risk Management and Salesforce (Lightning Platform).

First Published on TabbForum, March 28, 2019

With the heightened expectations of regulators and the application of advanced technologies such as artificial intelligence, operational risk management has become a futuristic and exciting space in which to work. Here’s how you can evolve from a reactive program of monitoring events and establishing codes of conduct to a proactive one of prediction and prevention.

Operational risk management has become a futuristic and exciting space in which to work because of the heightened expectations of regulators. In this blog post, Paul Lashmet from North Castle Integration lays it out for you.

Evolve from a Reactive to a Proactive Operational Risk Program, One List at a Time

What if you went to your son’s elementary school career day, told the class that you’re an Operational Risk Manager, and his classmates’ jaws dropped?

The operational risk management landscape has evolved from a reactive program of monitoring events and establishing codes of conduct to a proactive one of prediction and prevention. If the medium by which you do your work has advanced with the heightened expectations of regulators, then your job is futuristic, exciting, and something that the kids could get into.

To illustrate that point, here are two potential elementary school career day introductions:

“Hi. I’m Bobby’s mom and I am an Operational Risk Manager. I manage lists of bad things. We write descriptions about these things and make plans for how to turn them into good things. We have meetings to compare our lists. We have lots of meetings.”

vs.

“Hi. I’m Bobby’s mom and I am an Operational Risk Manager. I use artificial intelligence to help me identify bad things that people can’t find on their own and also to help me figure out the best way to fix a problem. Sometimes it can tell me what might happen in the future. We have a dedicated hotline to triage a problem and I often work with special government agents. Situational awareness is a very important part of my job but unfortunately, I can’t give you too many details because a lot of what I do is secret.” 

I like the second one, personally. You can either spend your time reacting to issues hidden within lists or be proactive in allaying likely problems through a modern-day operational risk management platform. This post describes how you can evolve from a reactive to a proactive operational risk program, one list at a time.

Regulators Demand a Proactive Approach to Risk Management

Regulators are making operational risk management a lot more exciting because they are now demanding that firms take a proactive and holistic approach to getting ahead of issues, either before they become major problems or by coming clean when a wrong-doing has occurred.

Four recent announcements illustrate this trend.

1. The US Securities and Exchange Commission is encouraging self-reporting. This press release sends a message about the benefits of self-reporting and taking proactive steps to remediate issues.

2. The US Financial Industry Regulatory Authority (FINRA) fined a brokerage firm $500,000 not just for bad trade practices, but because the firm did not show it was responsive to the issue and failed to take any action to remediate the problem.

3. The US Commodity Futures Trading Commission (CFTC) issued an advisory which, for the first time, provides guidance to the business community on incentives for self-reporting violations of the Commodity Exchange Act (CEA) that involve foreign corrupt practices.

4. The US Department of Justice (DOJ) recently updated training policies that focus on how prosecutors should evaluate the effectiveness of corporate compliance programs that prevent and detect misconduct and mitigate their impact should they ensue.

To self-report, you need to know what is going on internally before it becomes a known issue externally. You also need to effectively collaborate across teams to triage the situation, come to terms with it, and determine whether the issue rises to the level of the attention of an external regulatory body. Oh, and you need an audit trail of the entire identification, mitigation, and decision-making process.

Evolve from a Reactive to a Proactive Operational Risk Management Program

Operational risk management starts with tracking issues from around the organization, evaluating risk, prioritizing next steps, acting on them, and reporting on the whole process.

But what starts out as a process of lists needs to evolve into a modern operational risk management platform that enables machine learning and dynamic dialogue across the enterprise to spot issues before they happen.

Below we will describe how you can get from a reactive process to a proactive process, building on a term called rapid application development. I use the Salesforce Lightning Platform to demonstrate this concept. But before you think that this is a technical, agile programming tutorial, let’s be clear that this is about low code development.

In doing the work that they do, project managers and analysts have the clearest picture of what is going on at an institutional level. It is critical that their intellectual capital is not lost in the processes and that they can charge ahead without the bottleneck of prioritizing technology resources to program software on their behalf.

Start with What Works and Build from There

What does a standard operational risk management platform look like? Often, it is just spreadsheets. We’ve all been there. It’s just how it’s done. Spreadsheets are lists that are reported on via charts, graphs, and pivot tables.

Before you embark on a six-month project to evaluate a big bang approach to automating your procedures, identify what works first and then build from there.

Usually, what works is tied to a few good people, the two or three really good project managers who have created a set of sophisticated spreadsheets as their tool of choice. It is wonderful and good work because they have a consistent process in place that keeps the reporting current and distributed to key stakeholders on a regular basis.

There are two problems, however. First, spreadsheets are a manual process. While our program managers can handle two or three business entities, managing 10, 20, 50, and so on is not sustainable. The second problem is that we have key-person risk. What happens when one of the project managers leaves the organization? Her intellectual capital leaves with her and someone new comes in to create yet another set of spreadsheets.

I am suggesting that you start by transforming the best spreadsheets your organization has into a sustainable application and build up from there, systematizing a robust and defensible process little by little, while realizing immediate benefits.

A platform is a series of programmable objects (lists of facts) that relate to each other and, as a whole, provides the data you need for reporting and predictive models.

The image below starts to illustrate how to build a modern platform from a workbook of spreadsheets. The tabs at the bottom of the workbook become objects and the relationships between them (think: VLOOKUP) become a schema. The columns are the fields that go into each object and each field can have validation rules placed against them. The rows become the records in the database.

The person who created this is the person who understands the business process. Their time is spent creating the solution and getting ahead of the problem. They are not writing requirements for a programming team to build it.

Same Functionality +

At this point you have a platform that provides the same functionality you had earlier: lists that are reported on via charts, graphs, and pivot tables.

However, now your teams can enhance it by adding workflow capabilities like approval processes, user interaction screen flows, and auto-generating tasks that can be assigned to other teams.

As for reporting, now you are in a place where you can start creating page layouts that can be customized for each reviewer, so that they are seeing only what they need or are allowed to see. Because you can distribute this via a web browser, no more copying and pasting to PowerPoint.

You can evolve to the next level of collaboration by adding chat functionality. Now teams can communicate directly about specific issues and act faster to mitigate the risk. Next, integrate artificial intelligence (AI) to help your team find relevant facts and themes in your datasets and then generate recommendations, answers, or explanations. AI can be used to alert you of a risk and rate the threat. This is an example of the proactive mechanisms that regulators are looking for.

If you did miss a major problem, at least you can tell the regulators why and how it will not be repeated. For example, you can audit the history of the actions that were taken and track the time spent on each task. This gives you the quantitative information you need to improve processes.

All of the original functionality has been captured; but with additional iterations of enhancements, you’ve now built a fully robust and defensible process that can be applied across the entire organization.

Guardians of the Corporate Reputation

The Basel II Committee defined operational risk as: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” Listed in that definition is a broad base of liabilities, ranging from a missed memorandum, to corrupt behavior, to a tornado touching down on top of your data center. There is a lot to be cognizant of.

I close with the elementary school career day introduction #2 from above but map the cool stuff to the capabilities we have described.

“Hi. I’m Bobby’s mom and I am an Operational Risk Manager. I use artificial intelligence [Salesforce Einstein] to help me identify bad things that people can’t find on their own [discovery stories] and also to help me figure out the best way to fix a problem [recommendation engine]. Sometimes it can tell me what might happen in the future [predictive analytics]. We have a dedicated hotline [chatter] to triage a problem [collaboration and workflows] and I often work with special government agents [better relationship with regulators]. Situational awareness [this is what the platform provides] is a very important part of my job but unfortunately, I can’t give you too many details because a lot of what I do is secret [the platform gives you much more information that falls under NDA].” 

With the right tools, being an Operational Risk Manager is exciting because you have the means to be part of an elite team of heroes, the Guardians of the Corporate Reputation.

For more information:

• If you would like a demo or to participate in a use case based executive workshop that walks you through this story, please contact paul_lashmet@ncintegration.com.

• Follow these links for more information about Salesforce Lightning Platform and Einstein.