Of all the financial buzzwords on Wall Street, "risk" and "operations" are in the forefront these days. With new position limits, rules and regulations rolling out as fast as firms make headlines for noncompliance, regulatory readiness and preparation are
But there are firms in the financial industry that manage to stay afloat and out of the headlines. These organizations have something in common: They are successfully adjusting their risk management frameworks and overall operating models by re-allocating
investments in operational risk from the risk management function (second line of defense) to the front office (first line of defense). In other words, they are increasing the front office's role in mitigating operational risk.
Operational risk management is transitioning from a decade-old centralized model to a decentralized model, fueled by a need for greater proactive measures, risk modeling and forecasting, as well as controls and processes that better align to the business.
Key Business Factors
The impetus behind the shift to a decentralized model boils down to needing a framework that more effectively and efficiently mitigates risk while synchronizing with the business.
As the decentralized model is adopted, there are internal and external business factors that will affect the front-office operational risk management (ORM) program. Here are five areas of the ORM framework that require focus.
- Organizational change: Simply stated, staff attrition opens up knowledge gaps. To circumvent organizational-change-imposed risk, management must have a solid handle on where the domain expertise lies, along with succession plans for key individuals
undergoing organizational change. It is important to note that internal organizational changes are just as important as departures to external companies. Moving departments internally calls for consistent security and controls that should be enforced globally
and should span beyond the front office. This will help mitigate scenarios leading to rogue trading or fraud.
As an example, rogue trading can be fueled through loose supervision around identity and access management for applications across the front, middle and back office. As such, we are seeing firms modernize their identity and access management (IAM) platforms
to be more robust, leveraging the newest available technologies. In many cases, this requires a complete overhaul, and where overhauls may not be plausible, integration of new and old technologies. Even with an IAM overhaul, firms must start at the first step,
defining the framework and governance model, and then leverage the technology to enable change.
- Regulation: Regulatory mandates are like water from a fire hose and will inevitably cause impacts across a business' people, processes, technology and data. With each new mandate, existing controls will need to be assessed for interruption or dilution,
along with byproduct risk potentially introduced as a result of conforming to the new regulatory mandates, such as data risk. The scope of existing systems will broaden, and those areas of the business that access data can span across legal entities or business
lines. Firms will not only need to mitigate regulatory risk from a compliance perspective, they will also have to address the byproducts of risk created by the regulation itself, which will focus on safeguarding internal and customer data.
- Technology: Over the last year, we have seen technology issues affect firms' financial performance and reputations. As a result, new regulations such as the Securities and Exchange Commission's Regulation SCI (Systems Compliance and Integrity) aim
to help establish better practices and controls. These measures are primarily geared towards the execution venues and, depending on business composition, could also involve broker-dealers. Although the majority of brokerages will not be affected, it provides
a view of what could be in store down the road and the fact that adopting best practices proactively can be less costly.
As the risk framework in support of a target operating model for electronic trading is designed, there are various elements to consider, ranging from technology to processes to culture. Policies and procedures also need to be enforced, documented, reviewed
and readily accessible. Technology for the front office changes rapidly. Outdated trading desk policies and procedures will therefore require more frequent management and review.
- Mergers and acquisitions: M&A can often muddy the waters, especially with the consolidation of multiple or overlapping trading desks. Such large-scale events require immediate attention, assessment and review of the front-office unit's controls and
governance frameworks. Ensuring consistency across all areas calls for immediate attention to identify the best ORM framework to streamline business processes and systems. Even a minor operational inconsistency can have a significant impact on profit and loss.
- Outsourcing: Both near-shoring and off-shoring affect the entire business, and while it may not be as prevalent in the front office, it is worth mentioning. With its ever-increasing popularity, it is important to ensure the appropriate controls
are in place around process, information, security and knowledge. Cutting operational staff means a level of knowledge transfer must take place, and a knowledge gap will exist, forcing the middle management layer to grapple with the change. Outsourcing vendors
in many cases will streamline operational processes to increase their margins. Surveying the vendor's "streamlining liberty" is important in overseeing all parts of the business - even if outsourced.
With operational risk management evolving toward a decentralized model, the risk framework will be perpetual and require careful testing and maintenance to ensure its viability and effectiveness. Testing of controls and processes will be enforced by internal
audit (third line of defense) and should be designed to cover people, process, technology and data. These internal and external business factors, if carefully managed, can help bolster a successful operational risk management framework.