Oxial and Grant Thornton discuss operational control and its growing role as a key pillar of risk prevention – part one

Every organisation in the world wants to eliminate, or at least minimise risk. The coronavirus crisis has shown just how impactful risk can be, with many industries affected in ways they could never have imagined.

Who would have thought that for manufacturing firms, the entire supply chain would grind to an almost complete halt? Who could have predicted that a majority of the world’s workers would suddenly have to do their jobs from home?

Financial Services (FS) has been one of the industries affected the most, and recent events have only highlighted the need to rethink the control and supervision of FS. The constraints of confinement and remote working have underlined the difficulties for FS firms to maintain their effective lines of defence against risk.

Oxial CEO Eric Berdeaux recently caught up with Didier Alleaume, partner in Grant Thornton’s Financial Services Hub, to discuss operational control in FS risk management. Is operational control in fact the smartest way to approach risk, offering, as it does, better protection and reduced costs for FS firms?

The importance of operational control

Eric Berdeaux: Why do you think that the subject of operational control has become so important?

Didier Alleaume: In some ways a focus on operational control as a pillar of risk management may seem slightly incongruous. For many years the industry has promoted the idea of permanent control as the most effective way of managing risk.

But it has become clear to me that the focus must now be on operational control and a trigger for this has been coronavirus. The Covid-19 pandemic has been so impactful to FS. There has been massive organisational upheaval, linked to the virtual closure of places of production and distribution, remote work and the scarcity of employees.

All the while, banks have been acting as supporters for entire national economies, distributing hundreds of billions of dollars, euros, sterling and more in loans to support businesses all over the world. All this is not without consequence for business risk in FS.

There has been a significant increase in the volume and potential impact of risks. These include cyber-attacks, which have grown in severity and impact, but also money laundering. The Financial Action Task Force (FATF) has deemed it useful to publish dedicated communication relating to this, and national governments have also commented on this issue. Cases of fraud are, for now, still little known or under investigation. But the cost of operational risk is expected to increase significantly, and its impact will soon become clear.

While all this was going on, it quickly became clear that the lines of defence in risk management have not always been up to the task. Operational control was subject to major disruption because of the increase in remote working. Not only were risk management teams unable to fully access their own systems, but their collaborators were less available than usual. This impacted task segregation devices; permanent control was affected by remote connections, with difficulty accessing data and documents; and there were problems with the organisation of campaigns, which could not be completed or were postponed.

When it comes to audit, we have found that only the missions in progress had, for the most part, been maintained. The rest of the annual program was mostly being carried over to the second half of the year, or even postponed to 2021.

This pandemic is exceptional in many ways, but this period has certainly revealed the inadequacies of permanent control and the need for more effective operational control.

Eric Berdeaux: I couldn’t agree more with this analysis. From speaking with Oxial customers and business prospects, it is something that we have noticed too. It has been an unprecedented period, rich in lessons for the future for the wider world, but also the risk management sector specifically.

Oxial has a particular vision of risk management via our work with customers in FS and other sectors. Of course, we do not live the daily lives of those customers and don’t know precisely what goes on with them on a day-to-day basis, but we do have insight into how they use our tools in production. And with more than 70 active projects running currently, we do have a genuine knowledge of the expectations, objectives and difficulties encountered by our customers.

We have more than 10,000 users of our digital platform, all of whom use it to manage risks, controls and daily audits, so we can also observe changes in usage and behaviour in real time. The changes that have taken place during the pandemic have been interesting, to say the least.

We recently prepared a report, based on this monitoring of data via our digital platform, which showed the exacerbation of trends during the Covid-19 crisis. Overall, we have observed an increase in the use of the application for certain customers, mainly for carrying out second-level checks. Risk identification and scoring would appear to have been deprioritised. Likewise, our audit environment has been little used.

This reinforces Grant Thornton’s own research, with the important nuance that some of our clients have benefited from the GRC solution to continue monitoring their activities, even remotely. They are also customers who have implemented systems that integrate fully with their information systems and who have actively sought operational performance in this area.

I believe that this period of Covid-19 will lead our customers and prospects to accelerate the digitalisation of their controls and to integrate more with other flows, for both the second line of defence, traditionally supported by GRC solutions, and the first line of defence, operational control. This now takes on particular importance as the only line of defence allowing risk prevention.

Why has operational risk not been sufficiently highlighted in risk management?

Didier Alleaume: Since Basel II in 2004, financial regulation has focused on permanent control, the second-level control of operations carried out retrospectively by agents independent of the actual process concerned. This famous Basel II pillar instituted risk mapping, which in my opinion is still poorly exploited in many organisations. Also, the reasonable adequacy of the permanent control system to the risks identified structured the thinking and projects of many FS institutions and their consultants.

This has meant that risk mapping has created a privileged relationship between risks and permanent controls, relegating operational control, which should be the natural safeguard of risks within processes. It’s a simple element of the risk control system alongside procedures and other employee training plans.

As a young consultant, I was constantly told to build up my clients’ permanent control plan, because the trades were reluctant to carry out controls or did not have the sufficient risk culture to do something reliable and sufficiently documented. Even now, there is a distrust of operational control that is expressed all too often through audit recommendations that favour second-level controls to reassure governance and supervisors in risk management.

It’s important also to ask the question about the responsibility for respecting the rules – is this the supervisor or the supervisee? I still encounter too many organisations that identify the mapping of their risks as that of the risk department – the supervisor – and the same applies for controls.

All of this has created an inflation of second-level controls, with ever increasing costs of implementation, and little time for the real added value of this second line of defence. This value is found in the analysis of risk and control data to improve risk management, developing a culture of prevention and providing management indicators to their governance.

This situation, partially created and definitely encouraged by the supervisors, started to pose a problem for FS firms, which found an increasing lack of responsibility in the trades. An important document was the “Guidelines on internal governance under Directive 2013/36/EU”, published September 26, 2017 by the European Banking Authority (EBA). In it, it was stated:

“It should be recalled that the trades or the units, as a first line of defence, have an important role to play in ensuring solid risk management and compliance within an institution.”

The use of the expression ‘first line of defence’ clearly induces the natural relationship and interactions with other lines of defence. I would also like to reference article 29 which specifies that:

“The trades, as a first line of defence, take risks and are responsible for their operational management in a direct and permanent manner. To this end, business lines should have appropriate processes and controls in place to ensure that risks are identified, analysed, measured, monitored, managed, reported and kept within the limits of the risk appetite.”

The EBA is very clear: risks and controls are primarily the business of the trades. So, given the evolution of risk management, the growing and inevitable digitalisation of processes and the findings from the pandemic, it seems essential to me to now focus on operational control. This is the only way to last whatever the circumstances, to integrate naturally into the processes and to capture in real time the various anomalies, errors and frauds.

The second part of the Oxial and Grant Thornton Q&A will publish shortly, and will focus on the role that operational control should play, the expectations of supervisors and how FS organisations can approach operational control.

