Operational Risk Management Excellence Survey (executive report)


Financial institutions' progress and challenges as they strive for Operational Risk Management Excellence
2018
kpmg.com

The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS

Contents
- Introduction
- Executive summary
- Survey methodology and background
- Background information and ORM organization
- Strategy, value, and culture
- Risk appetite and governance
- End-to-end process risk assessment
- Risk and control convergence
- Control assurance and testing
- Data, analysis, and reporting
- Innovation and digital transformation
- The road ahead

Introduction

Operational risk continues to be a heightened area of focus for financial institutions as the industry wrestles with challenges arising from cyber threats, third-party concerns, trading, conduct and culture issues, stress testing requirements, and technological innovations driving greater opportunities for process automation and digitization. While regulators recently reduced some requirements for smaller institutions, they maintain a keen focus on ensuring firms develop and maintain effective risk management structures to enable them to identify, assess, monitor, and manage risk with ever-increasing speed and accuracy. These events, combined with management's efforts to derive greater risk intelligence through data mining and analytics to improve strategic planning, business performance, and customer experience, contribute to an increased focus on operational risk.

Against this backdrop, and at the request of financial institutions, KPMG LLP (KPMG) and The Risk Management Association (RMA) teamed to update and redeploy the Operational Risk Management Excellence Survey (the "Survey"), completed across North America, Europe, and Asia in 2014 by over 85 leading financial institutions, including 20+ global systemically important banks (GSIBs). The objective of the Survey continues to be to give participants insights into leading industry operational risk management (ORM) practices in support of enhanced business value and heightened regulatory expectations, to help firms gauge their positioning against evolving industry practices, optimize their ORM frameworks, and enhance risk management. While most sections of the survey remained the same to allow for a comparison of results over time, several updates were made to address current industry and regulatory trends.
Changes to this year's survey include an enhanced focus on end-to-end (E2E) process risk assessments and additional sections for risk and control convergence, control assurance and testing, and innovation and digital transformation. The following pages highlight key Survey results and next steps in the evolution of the ORM discipline.*

*The full set of questions, quantitative responses, and qualitative inputs is only available to Survey participants.

Executive summary

The results of the Survey reveal that financial institutions of all sizes continue to make important strides with respect to the following areas:
- Increased use of the ORM framework to challenge business models
- Heightened attention toward strengthening risk culture
- Broadened deployment of operational risk appetite at the enterprise, line of business, and legal entity levels
- Further standardization of risk and control taxonomies, rating scale, and linkage between processes, risks, and controls
- Greater effective challenge of first line of defense (first LOD) risk activities
- Broadened efforts to converge risk and control assessments, driven by executives across the first and second LODs
- Enhanced ORM data supported by clear governance, standards, and owners
- Continued adoption of innovative technologies to drive process excellence and analytics in ORM.

There is, however, significant work to be done by financial institutions as they strive toward operational risk excellence, including:
- Further positioning the ORM framework so that it is fully aligned with firm strategy and seen as an enabler of strategic change, business performance, and customer experience
- Elevating first and second LOD involvement and results in strengthening risk culture
- Enhancing first LOD communication and escalation of issues outside of established risk appetite
- Improving communication between the first and second LODs on emerging risks and changes to the internal and external environment
- Deploying E2E process risk assessments across business lines and divisions to develop a more complete picture of risk, dependencies, hand-offs, and redundant controls
- Expanding convergence efforts beyond risk taxonomies and rating scales to drive increased efficiencies and more effective analysis and management of risk
- Enhancing control testing to create more dynamic and efficient monitoring, escalation, and management of exposure
- Establishing robust operational risk dashboards supported by integrated data and tools to deliver consistently meaningful reporting to business lines, risk teams, executive management, and the board.

The goal to achieve enhanced risk management while driving greater process efficiency, automation, and digitization, in the midst of a changing regulatory environment, will require greater strategic planning and dexterity in execution. The promise is that ORM excellence will deliver a competitive advantage and increased return on investment to firms able to achieve it.


Survey methodology and background

The 64-question Web-based survey, which was developed in collaboration with leading institutions, focused on the following key areas of operational risk excellence and heightened expectations for risk management:
- Strategy, value, and culture, including queries about the benefits and objectives derived from the institutions' enterprise ORM framework, and steps taken to strengthen culture
- Risk appetite and governance, including queries about the level of operational risk appetite deployment across the firms and alignment of risk appetite with strategy and incentives
- E2E process risk assessment, including queries about the scope of an institution's E2E assessments, mitigating actions, and incorporation of regulatory exposures
- Risk and control convergence, including queries about current convergence maturity, areas of focus, internal and external drivers, and the firms' convergence agenda
- Control assurance and testing, including queries about scope, implementation and enhancement efforts, and level of effort across the first and second LOD
- Data, analysis, and reporting, including queries about an institution's efforts to accurately and completely aggregate, analyze, and report ORM exposures
- Innovation and digital transformation, including queries about near-term objectives, budget allocation, digital transformation maturity, and primary challenges.

The Survey consisted of multiple-choice questions that gauged the evolution of ORM practices and their deployment. Respondents could also elaborate on their responses by providing qualitative inputs. Survey participants were composed of North American financial institutions of all sizes, including global systemically important financial institutions (G-SIFIs), large national banks, and regional banks. Respondents were categorized by asset size, with 44 percent of respondents at or above $250 billion in assets and 56 percent below $250 billion in assets.

Survey results provided insights into evolving industry practices and areas where large institutions and smaller institutions diverge. Forty-six percent of all respondents were commercial banks. The remaining respondents included investment banks, brokerages, investment management firms, fintechs, and other institutions.

Background information and ORM organization

As noted in Chart 1 below, respondents above and below $250 billion reported that the following processes and functions were directly under ORM management:

[Chart 1: What processes and functions are directly under the corporate ORM department (second LOD)? (select all that apply). Bar chart comparing respondents below $250 billion and at or above $250 billion in assets for: ORM policies, ORM risk appetite, ORM framework, ORM risk analysis, ORM risk aggregation/risk profile, RCSAs, key risk indicators (KRIs), ORM risk monitoring, internal loss events, external loss events, scenario analysis/stress testing, ORM capital model, vendor risk management, new product review, BCP/DR, ORM risk/control testing, IT risk management, information security/cybersecurity, validation, model governance, fraud/investigations, reputational risk management, physical security, financial controls/SOX, other, none of the above. Multiple responses allowed.]

*For the Other category, respondents noted corporate insurance, independent IT oversight, independent reputational risk oversight, and second LOD oversight of sales practices, payments, operations, and fraud.

Results comparison

The responses of participants of all sizes were generally in line. The major differences were:
- Scenario analysis/stress testing: 91 percent of respondents over $250 billion reported it was under ORM management versus 57 percent of respondents under $250 billion.
- Financial controls/SOX: 29 percent of institutions less than $250 billion reported it was under ORM management versus no respondents over $250 billion.

Change over time

2018 results were generally in line with 2014 results. The major changes over time were:
- An increase in firms at or above $250 billion and those below $250 billion noting the ORM capital model is directly under ORM management (62 percent and 30 percent, respectively, in 2014 versus 73 percent and 57 percent, respectively, in 2018).
- An increase in vendor risk management under ORM (~25 percent in 2014 versus ~50 percent in 2018).

Firms at or above $250 billion and those below $250 billion agreed that information/cybersecurity, risk aggregation, vendor risk management, risk appetite, RCSAs, and risk monitoring are the areas of most importance to regulators. Seventy-nine percent of smaller institutions and 64 percent of the larger institutions also counted the ORM framework among the most important areas. Conversely, larger institutions noted model governance as one of the most important areas at a much higher rate than their smaller counterparts. The biggest disparity in responses between the two groups came with respect to scenario analysis/stress testing where, as can be expected given recent changes to regulatory requirements, 73 percent of respondents at or above $250 billion noted this as one of the most important focus areas, compared to only 38 percent of those below $250 billion.

Among respondents at or above $250 billion in assets (i.e., large institutions), 64 percent have fewer than 50 risk managers per line of business (LOB)/division embedded within the first LOD (Line 1b), while 18 percent have greater than 500 risk managers (Line 1b) per division. Among respondents below $250 billion in assets, all respondents have fewer than 50 risk managers embedded in the first LOD, and 21 percent reported having no first LOD risk managers. Among large institutions, 73 percent have more than 50 FTEs in their second LOD ORM department, and 82 percent reported having a centralized ORM organizational model. Among the regional and smaller institutions, there was a relatively even spread of responses indicating second LOD ORM departments ranging in FTE count from fewer than 11 to greater than 50, and 93 percent reported having a centralized ORM organizational model.

Larger and smaller institutions also vary in the areas that they aim to enhance over the next two years. As noted in Chart 2 below, respondents identified the following enhancement areas of focus:

[Chart 2: What ORM areas have you targeted to enhance over the next two years? (select all that apply). Bar chart comparing respondents below $250 billion and at or above $250 billion in assets for: RCSAs, KRIs, ORM risk/control testing, ORM risk analysis, ORM risk aggregation/risk profile, ORM risk monitoring, vendor risk management, new product review, information security/cybersecurity, ORM risk appetite, IT risk management, scenario analysis/stress testing, ORM framework, internal loss events, external loss events, ORM policies, fraud/investigations, reputational risk management, ORM capital model, validation, BCP/DR, financial controls/SOX, model governance, physical security, other, none of the above. Multiple responses allowed.]

Results comparison

While the majority of small and large institutions listed RCSAs as an area for enhancement, key differences among institutions include:
- KRIs: 86 percent of respondents under $250 billion reported RCSAs as a target for enhancement, versus only 36 percent of respondents over $250 billion.
- Risk/control testing: 43 percent of institutions less than $250 billion reported this as a target for enhancement, versus 82 percent of respondents over $250 billion.
- Risk analysis/monitoring: greater than 70 percent of respondents less than $250 billion listed these as targets for enhancement, versus less than 50 percent of institutions over $250 billion.
- Vendor risk management: 29 percent of institutions under $250 billion listed this as a target for enhancement, versus 64 percent of respondents over $250 billion.

Strategy, value, and culture

ORM alignment with strategy is critical to achieving sustainable value-add, and to ensuring effective risk identification, assessment, and mitigation. Leveraging a firm's ORM framework to challenge business models, including new products, mergers, acquisitions, and divestitures, is a telling indicator of how well operational risk is considered in firm strategy and execution. On a positive note, over 90 percent of firms at or above $250 billion in assets fully or partially leverage their ORM framework to challenge business models (36 percent and 55 percent, respectively; see Chart 3). This is up 20 percent from survey results four years ago and is an encouraging sign of improvement.

[Chart 3: Do you leverage your ORM framework to challenge business model options and returns, including new products, mergers, acquisitions, and divestitures? Charts for respondents below $250 billion and at or above $250 billion in assets; legend: Fully, Partially, Beginning, Do not leverage.]

Respondent comments. When asked if they leverage their ORM framework to challenge models, respondents stated:
- "ORM framework currently leveraged for new products, but not necessarily mergers, acquisitions, and divestitures."
- "We employ frameworks to evaluate mergers/acquisitions and new, modified, expanded product and services to ensure alignment with Enterprise Risk Appetite, including Operational Risk."

However, results are less encouraging for firms below $250 billion in assets. Consistent with prior results, only 50 percent of these firms fully or partially leverage their ORM frameworks to challenge business models (21 percent and 29 percent, respectively). On a positive note, 21 percent (versus 10 percent four years ago) of smaller firms are fully leveraging their ORM frameworks to challenge business models. These results indicate that there is still much work ahead for operational risk to be incorporated into decision making when launching and implementing strategic change.

Key benefits

When asked to describe the benefits they derived from their ORM frameworks, risk mitigation was noted as a top response by firms above and below $250 billion in assets (82 percent and 69 percent, respectively). However, consistent with four years ago, regulatory standing was still the top benefit recognized by firms at or over $250 billion in assets (91 percent). Other top responses for larger firms included enhanced business processes, new products, cybersecurity, and stress testing. For firms below $250 billion, other top benefits included enhanced business processes and risk language. Consistent with four years ago, it is interesting to note that achieving strategic objectives/return and improved customer satisfaction were not cited as top benefits. It is hoped that these benefits will increase over time as the industry continues to focus ORM on business strategy and value (see Chart 4).

[Chart 4: What benefits have you derived from your ORM framework? (select all that apply). Bar chart comparing respondents below $250 billion and at or above $250 billion in assets for: risk mitigation, regulatory standing, enhanced business processes, enhanced risk language, enhanced new initiative/new product review, loss avoidance/reduced events and issues, enhanced cybersecurity, improved stress testing results, enhanced reputation, efficiency, decreased conduct risk, strategic objectives/return, improved customer satisfaction, other, none of the above. Multiple responses allowed.]

Respondent comments. When asked what benefits they have derived from their ORM framework, respondents noted:
- "We have a fully developed ORM framework, but have identified opportunities to address optimization, efficiency, and focus on client centricity. In doing so, we expect to realize additional benefits in the following areas: strategic objectives, cybersecurity program, enhanced risk language, efficiency, improved customer satisfaction, new initiative/new product review, and optimized business processes."
- "Enhanced communication between three lines of defense."

Risk culture

The topic of risk culture was added as a section to the survey due to its importance and impact on the industry. When asked what areas of culture firms focus on, institutions at and above $250 billion and those below $250 billion agreed that tone at the top/governance was their number-one area of focus (91 percent and 69 percent, respectively). Code of conduct and instilling accountability were also noted as top areas of focus. For larger firms, monitoring high-risk employees (surveillance) was another important area, and 30 percent or more of all firms agreed that onboarding/training and tone at the middle were areas of focus (see Chart 5).

[Chart 5: Which of the following aspects of culture is your organization currently focused on? (select all that apply). Bar chart comparing respondents below $250 billion and at or above $250 billion in assets for: tone at the top/governance, instilling accountability, code of conduct, onboarding/training, tone at the middle, culture assessments/audits, event-driven communication, culture metrics, performance management/disciplinary standards, monitoring high-risk employees for potential misconduct (surveillance), assessing candidates at hire for cultural fit, none of the above, other. Multiple responses allowed.]

Respondent comments. When asked what aspects of culture their organization is currently focused on, respondents stated:
- "Risk management as part of day-to-day business, incentive comp, change management, conduct risk."
- "Culture is a to-do item and given its enterprise nature, it is a bit more difficult to address if not broadly agreed/implemented."
- "Our organization has not identified gaps within culture. While there are no concerns, we are continuing to refine certain aspects such as monitoring high-risk employees for potential misconduct, onboarding and training, performance management, assessing candidates at hire for cultural fit, and instilling accountability."


Risk appetite and governance

Effectively defining operational risk appetite (i.e., the aggregate level and type of risk the board and management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements) and then monitoring and managing that appetite remains a key element for ORM excellence. Survey results indicate that firms are working to define and manage their operational risk appetite, but additional work is needed to fully deploy both qualitative and quantitative measures of operational risk appetite across the enterprise.

Consistent with results from the 2014 survey, the vast majority of institutions reported that they define operational risk appetite at the enterprise level. For banks over $250 billion, 73 percent defined and cascaded operational risk appetite at the business line level, and 64 percent at the legal entity level, both significant increases from 2014 results. This contrasts steeply with banks under $250 billion, for which 25 percent have defined and cascaded operational risk appetite to the business lines, and only 17 percent at the legal entity level. For both groups, results dropped significantly after that, with operational risk appetite definitions still in the beginning stages at the location, process, and product levels.

With respect to operational risk appetite monitoring and management, 82 percent of respondents at or over $250 billion and 57 percent of those below $250 billion indicated that the second LOD is fully escalating issues that exceed their firm's operational risk appetite. While results for the smaller institutions stayed roughly the same from 2014, this marks an increase of 28 percentage points for the larger institutions. Forty-three percent of respondents under $250 billion indicated that the second LOD is only beginning to escalate these issues (see Chart 6).

[Chart 6: Does the second LOD (risk management) consistently escalate issues that are outside the firm's risk appetite/thresholds? Charts for Non-AMA and AMA respondents; legend: Fully, Partially, Beginning to, Not yet. Chart note: and were used as proxies for Non-AMA and AMA, respectively, to compare results over time.]

On the other hand, 64 percent of institutions at or above $250 billion and only 29 percent of those below $250 billion indicated that the first LOD is consistently escalating issues that are outside of the firm's risk appetite/thresholds (see Chart 7). This is clearly an area that needs attention and improvement by firms of all sizes if they are going to effectively manage risk.

[Chart 7: Does the first LOD (business line units) consistently escalate issues that are outside the firm's risk appetite/thresholds? Charts for respondents below $250 billion and at or above $250 billion in assets; legend: Fully, Partially, Beginning to, Not yet. May not equal 100 percent due to rounding.]

Notably, all responding institutions at or above $250 billion reported that ORM roles, responsibilities, policies, and procedures are clearly defined and understood by both the first and second LODs. But 21 percent of respondents below $250 billion reported that these are defined and understood only by the second LOD.

With respect to communication between the first and second LODs on current and emerging risks, and on changes to the internal and external control environment, there is significant disparity between our larger respondents and smaller institutions. For example, 91 percent of respondents over $250 billion reported that communication between the first and second LOD on current and emerging risks was effective, and 100 percent rated communication on changes to the internal and external environments as effective. However, only 50 percent of smaller institutions rated the effectiveness of communication between the first and second LOD as effective (see Chart 8).

[Chart 8: How effective is communication between the first and second LODs on current/emerging risks and on changes to the internal and external environment? Charts for Non-AMA and AMA respondents, each showing communication on current/emerging risks and communication on changes to the internal and external environment; legend: Effective, Improving, Limited, Weak.]

ORM key risk indicators

Linking key risk indicators (KRIs) to risk appetite and using them for early warning notification are two ways institutions have been enhancing their risk monitoring, and thus the overall maturity of their ORM programs. With respect to triggers for early warning notification and management, large and small institutions responded similarly across the board. For example, just under half of both groups indicated that their ORM KRIs partially include early warning triggers, and roughly a quarter answered that they are beginning to (see Chart 9).

[Chart 9: Do your ORM key risk indicators (KRIs) include triggers for early warning notification and management? Charts for respondents below $250 billion and at or above $250 billion in assets; legend: Fully, Partially, Beginning to, Not yet. May not equal 100 percent due to rounding.]

Respondent comments. When asked if their ORM KRIs included triggers for early warning notification and management, one respondent noted:
- "We have a robust KRI program that contains two thresholds: the first threshold is more conservative than the second, allowing for early management warning and attention. While the KRI program is fully deployed across the company, we continue to identify opportunities to ensure our KRIs measure the right risks and provide leading indicators of changes to risk."

Still, an average of only 23 percent of respondents indicated that their ORM KRIs fully include triggers for early warning notification and management, pointing to a clear area of improvement for the industry as firms look to change their posture from reactive to proactive. Interestingly, there was a sharp decline since 2014 in the percentage of firms at or above $250 billion who reported that their ORM KRIs fully included these triggers (60 percent in 2014 versus 27 percent in 2018).


End-to-end process risk assessment

The ability to effectively identify, assess, measure, and manage risk across E2E processes is vital for operational risk excellence and superior customer experience. As a result, KPMG and RMA enhanced the focus on E2E assessments in the 2018 survey. For firms at or above $250 billion, only 9 percent stated they conducted E2E process assessments across all lines of business/divisions, while 45 percent of respondents stated they had conducted some E2E process assessments and 27 percent were just starting (see Chart 10). For firms under $250 billion, none had fully deployed process risk assessments and 21 percent were just starting efforts, while another 36 percent were in the planning stage.

[Chart 10: Have you conducted E2E process risk assessments? Charts for respondents below $250 billion and at or above $250 billion in assets; legend: Fully across all lines of business/divisions, Across some lines of business/divisions, Just starting, Planning to start, Haven't considered starting, Other. May not equal 100 percent due to rounding.]

Firms at or above $250 billion also had a higher level of cross-functional involvement in their E2E assessments. For example, 80+ percent stated Operations, Technology, and Compliance participated in E2E assessments, and 40+ percent stated Finance and HR participated (see Chart 11). In contrast, firms under $250 billion had half the level of cross-functional participation as larger firms. Larger firms also had a much higher instance of applying root cause analysis to issues and of including metrics to monitor successful closure of gaps than smaller institutions.

[Chart 11: Which of the following business units collaborate with other areas in performing your E2E risk assessments? (select all that apply). Bar chart comparing respondents below $250 billion and at or above $250 billion in assets for: Operations, Technology, Compliance/Legal, Finance, HR, other risk management areas, other first-line areas, none of the above (it is done independently). Multiple responses allowed.]

Respondent comments. When asked which business units collaborate with other areas in performing E2E risk assessments, respondents also listed:
- Credit Risk
- Operational Risk
- Model
- Third Party
- Business Continuity
- Data Management
- First LOD Risk Management
- Product Managers
- Sales Teams

24 Risk and control convergence Financial services organizations continue to be under heavy pressure to complete numerous time-demanding risk assessments to meet a variety of regulatory requirements. Often assessments are developed in departmental siloes with distinct policies and procedures, governance, methodologies, risk and control definitions, rating scales, and tools/systems. The burden on first and second LOD teams is enormous. The plethora of approaches, taxonomies, and risk and control definitions and ratings has made aggregation and analysis a real challenge for business and risk teams and executive management. The result has been a growing effort across the industry to converge assessments, standardize data and terms, simplify approaches and tools, and drive greater efficiencies and enhanced risk management. Survey results indicate that nearly all firms have plans to converge assessments across multiple areas in ORM, if they have not already started. As expected, most progress in this area has been driven at institutions at or above $250 billion. However, the progress has been largely limited to a few convergence areas including risk/control rating criteria and risk/control libraries (an average of 42 percent and 31 percent of respondents, respectively, have fully converged these areas). Convergence efforts are largely underway in the areas of tools and technology; timing and assessment process, governance; and reporting (see Chart 12). Chart 12 At what stage of risk assessment convergence is your organization for each of the following areas? 
[Figure; the per-stage percentages did not survive extraction. Areas assessed, each reported separately for firms under and at or above $250 billion: risk and control rating criteria; risk and control library; control testing/assurance; tools and technology; timing, assessment process, and governance; sign-off/attestation; challenge/validation; assessment granularity; reporting. Response stages: No plan to converge, Plan to converge, Started but incomplete, Fully converged, N/A. Totals may not equal 100 percent due to rounding.]

It is interesting to note that many institutions either have not yet started convergence efforts for, or do not yet have plans to converge, their areas of control testing/assurance (average of 44 percent), sign-off/attestation (average of 38 percent), challenge/validation (average of 43 percent), and assessment granularity (average of 43 percent). These responses indicate that while many institutions have scratched the surface on convergence, there is tremendous unrealized value.

Operational efficiency and process optimization were listed as the primary drivers of convergence efforts in institutions above and below $250 billion (93 percent and 91 percent, respectively). When asked who is driving the convergence agenda in their organization, respondents below $250 billion listed the chief risk officer most often (69 percent), followed by the operational risk and enterprise risk officers (38 percent each). However, institutions above $250 billion listed the operational risk officer most often (82 percent), followed by the chief risk officer (73 percent), and the enterprise risk officer (36 percent) (see Chart 13).

Chart 13: Who is driving the convergence agenda in your organization?
(select all that apply; multiple responses allowed)

Driver                                                 Under $250 billion   At or above $250 billion
Chief risk officer                                     69%                  73%
Operational risk officer                               38%                  82%
Enterprise risk officer                                38%                  36%
Executive management                                   31%                  27%
Compliance risk officer                                15%                  (not legible)
Business line leaders (1st line)                       15%                  27%
Internal audit                                         8%                   9%
Regulators                                             8%                   9%
The board                                              8%                   (not legible)
Other                                                  (not legible)        (not legible)
There are no convergence efforts currently underway    (not legible)        (not legible)

Consistent with the message that convergence efforts have progressed further in larger institutions, it appears that these institutions often have simultaneous support for convergence initiatives from multiple executives. A smaller number of respondents listed business line leaders as drivers for their firm's convergence agenda (15 percent under $250 billion and 27 percent at or above $250 billion). Without question, as firms strive for greater efficiency and more effective and proactive risk management, risk convergence efforts will likely expand and remain a top operational risk objective.

Control assurance and testing

Demands from management and the board for robust control environments continue to escalate and are reinforced by regulators, shareholders, and other stakeholders. KPMG and RMA added this section on control assurance and testing to highlight key developments in the industry. Important results include a finding consistent with the three lines of defense (3LOD) model: 80 percent of firms at or above $250 billion stated business lines (first LOD) conduct control testing. Eighty percent also stated that Compliance conducts control testing, and 50 percent stated Operational Risk conducts control testing (see Chart 14).

Chart 14: Which functions are currently performing control testing across your organization? (select all that apply; multiple responses allowed)

Function                          Under $250 billion   At or above $250 billion
Internal Audit                    71%                  90%
Compliance                        79%                  80%
Business line units (1st line)    64%                  80%
Finance                           43%                  70%
Technology                        21%                  60%
Operational Risk                  29%                  50%
Other                             (not legible)        (not legible)
None of the above                 (not legible)        (not legible)

(The at-or-above column survived extraction only as leading digits; the text above confirms 80 percent for business line units and Compliance and 50 percent for Operational Risk, and the remaining entries are read the same way.)

Respondent comments
When asked which functions are currently performing control testing across their organization, respondents stated:
ORM typically relies on first LOD testing but does complete limited testing in targeted areas.
Technology includes a first LOD risk office, which executes a risk-based assessment approach for all technologies. This includes risk-based testing of controls that are general and application risk category specific.
Testing utility tests compliance and operational controls and sits within the second LOD.

In contrast, only 64 percent of firms under $250 billion stated that business lines conduct control testing, and only 29 percent stated Operational Risk conducted testing. As firms mature and align with the three lines of defense framework, it is imperative that the businesses own control testing and that the second LOD challenges that testing and performs limited sample testing of its own.

As noted in the previous section on risk convergence, maintaining effective control libraries assists firms to understand, aggregate, and address control issues. In terms of the number of unique controls, 82 percent of firms at or above $250 billion stated they had more than 3,000 unique controls. In contrast, 71 percent of firms under $250 billion had 3,000 or fewer unique controls. Of those unique controls, 30 percent of larger firms stated 25 percent or more of their unique controls were consistently defined across businesses, versus 23 percent for smaller firms. Even more telling, 20 percent of larger firms and 15 percent of smaller ones stated that 0 percent to at best 5 percent of unique controls were consistently defined across businesses, which leaves enormous room ahead for enhancing risk management efficiency and effectiveness (see Chart 15).

Chart 15: Approximately how many controls are standard (e.g., consistently defined across lines of business/divisions)?
[Figure; the percentage distribution did not survive extraction. Responses are bucketed by the share of unique controls consistently defined, from 0 to 5 percent up to greater than 25 percent, reported separately for firms under and at or above $250 billion. Totals may not equal 100 percent due to rounding.]

There is clearly a lot of work ahead for firms to streamline, group, and aggregate controls for more effective reporting, prioritization, and resource and business planning.

In terms of volume, 73 percent of larger firms anticipate control testing volume will increase over the next months, versus 57 percent for smaller firms. With regard to staffing, 18 percent of larger firms noted 1,000+ FTEs performing control testing, and 45 percent noted 1 to 50 FTEs. Twenty-three percent of smaller firms noted a high of first LOD control testing FTEs, while about 38 percent of smaller firms had no first LOD control testing FTEs. FTE counts were lower for second LOD control testing functions (see Chart 16). Half of all respondents stated they were not adequately staffed, indicating an important need to augment staff and/or develop new approaches to automate control testing.

Chart 16: Approximately how many FTEs are currently performing control testing within the second LOD?
[Figure; the percentage distribution did not survive extraction. Response buckets begin at 0 (control testing is not performed in the second LOD) and 1 to 10, and end with a "More than" bucket whose threshold is not legible.]

Respondent comments
When asked how many FTEs are currently performing control testing in the second LOD, respondents clarified:
We have one dedicated second LOD testing function within Compliance responsible for centralized testing of compliance controls. In addition, we have between 51 and 100 second LOD FTEs that perform self-testing of RCSA controls (inclusive of credit, compliance, market, model, and operational risk controls).
Control testing performed in Compliance, but not in Operational Risk.
2nd LOD control testing done by Compliance, Model Risk, BCP, etc.; none by ORM.


Data, analysis, and reporting

The ability to completely and accurately aggregate, analyze, and report ORM exposures remains an essential capability of ORM excellence. Data-related issues are increasingly important to institutions of all sizes as the regulatory community continues to stress the importance of sound risk data governance, aggregation, integration, and reporting. The Survey reveals that the industry is continuing to make strides with respect to data quality, with marked improvement from 2014 results. For example, 100 percent of larger respondents and 85 percent of smaller respondents stated that their ORM data is fully or partially supported by effective governance, standards, and owners (up from 85 percent and 60 percent in 2014; see Chart 17).

Chart 17: Is your operational risk data supported by clear governance, standards, and owners?
[Figure; the percentage distribution did not survive extraction. Responses (Fully, Partially, Beginning to, Not yet) are shown separately for AMA and non-AMA institutions. Totals may not equal 100 percent due to rounding.]

Further, 82 percent of respondents at or above $250 billion and 57 percent of those under $250 billion state they validate, or partially validate, the accuracy and completeness of their ORM data through quality assurance (QA) processes (unchanged from responses in 2014). One respondent stated that, while their institution does have a function to test data, it does not test the accuracy of reporting that comes out of the GRC tool. Another respondent noted that their second LOD performs review and challenge at various points in the process, followed by substantial QA work by Enterprise Risk Management on the higher-risk anomalies.

Firms at or above $250 billion and those below $250 billion responded similarly when asked if they have established an ORM dashboard to alert executive management and the board of changing risk conditions and to support decision making. For example, only 27 percent of the larger respondents and 21 percent of the smaller respondents have fully established dashboards (see Chart 18) to dynamically report risk exposures and their impacts on business strategy and performance.

Chart 18: Have you established an operational risk dashboard to alert executive management and the board of changing risk conditions and to support decision making?
[Figure; the percentage distribution did not survive extraction beyond the 27 percent (larger firms) and 21 percent (smaller firms) "Fully" responses cited above. Responses: Fully, Partially, Beginning to, Not yet. Totals may not equal 100 percent due to rounding.]

Respondent comments
Respondents revealed the following about their establishment of an ORM dashboard:
Dashboards are currently under development for all components of our framework, including risk assessments, new products, issues, events, indicators, and losses.
Although not in the form of a dashboard, reporting to senior management and the risk committee of the board is in place.
While we have fully embedded an executive management and board-level operational risk dashboard into our governance reporting, we continue to identify opportunities for evolution to capture changing conditions and emerging risks. This is a continued focus in the next months.

The 27 percent of larger institutions reporting fully established dashboards represents a surprising decline from results for larger institutions four years ago (down from 80 percent in 2014). It is difficult to determine exactly what drove this more cautious self-evaluation, but it may reflect recent regulatory criticism of the quality of firms' ORM data aggregation and reporting. Several respondents noted that improvements in this area are currently underway.

When asked if their ORM dashboard is supported by robust and integrated data, metrics, monitoring, and tools, about 36 percent of both groups reported "Not yet" or "Beginning to." Interestingly, while 29 percent of smaller institutions reported that their ORM dashboards were fully supported, none of the larger institutions responded this way. The majority (64 percent) of larger institutions' ORM dashboards were reported as partially supported. One institution noted that while it has implemented an eGRC program, its ORM dashboard has not yet been created.


Innovation and digital transformation

As firms across the industry continue to evolve and strengthen their ORM frameworks in line with business needs and regulatory expectations, many are seeking ways to innovate and stay ahead of a changing regulatory environment. By investing in automation and data analytics solutions, they are reducing costs and painting a more complete picture of their organizations' current and emerging risks. As noted in Chart 19 below, small and large firms responded that they are hoping to achieve similar results from their risk management digital transformation efforts in the next 12 to 24 months:

Chart 19: What results do you hope to achieve from risk management digital transformation in the near future (12 to 24 months)? (select all that apply; multiple responses allowed)

Result                                                                    Under $250 billion   At or above $250 billion
New insights into ORM through data and analytics                          85%                  91%
Enhanced reporting                                                        77%                  91%
Faster processes through automation                                       62%                  91%
Reduced FTE count                                                         31%                  18%
Increased revenue                                                         31%                  9%
Other                                                                     (not legible)        (not legible)
Risk management digital transformation not expected in the near future    (not legible)        (not legible)

Transformation objective comparison
Small and large institutions listed similar objectives for their digital transformation in the near future:
New insights into ORM: 91 percent of larger institutions and 85 percent of smaller institutions
Enhanced reporting: 91 percent of larger institutions and 77 percent of smaller institutions
Faster processes through automation: 91 percent of larger institutions and 62 percent of smaller institutions

These results reflect that institutions are convinced of the value of digital transformation, yet they may not be making the necessary financial allocations to drive real change. For example, 20 percent of firms at or above $250 billion and 27 percent of those under $250 billion are not dedicating any portion of their annual risk budget to these initiatives (see Chart 20).

Chart 20: How much of your annual risk budget is dedicated to risk management digital transformation?
[Figure; the percentage distribution did not survive extraction. Responses are bucketed by share of the annual risk budget, from 0 percent up to greater than 15 percent, reported separately for firms under and at or above $250 billion.]

The data indicate that most firms are dedicating between 1 percent and 10 percent of their risk budgets to digital transformation.

As it relates to their current progress implementing technologies to support innovation and digital transformation, larger and smaller institutions responded similarly. For example, 70 percent of respondents at or above $250 billion and 79 percent of those below $250 billion have at least started implementing a centralized GRC platform (see Chart 21). Others have noted plans to rationalize their multiple tools/platforms in the near future.

Chart 21: At what stage is your organization in implementing the following technologies?
[Figure; the per-stage percentages did not survive extraction. Technologies, each reported separately for firms under and at or above $250 billion: centralized GRC platform; advanced data and analytics systems; automated regulatory and compliance reporting; process automation; other. Stages: No plans to implement, Plan to implement, Started but incomplete, Fully implemented, N/A. Totals may not equal 100 percent due to rounding.]

Larger institutions appear to be further along in implementing advanced data and analytics systems (73 percent started but incomplete versus 38 percent for smaller institutions) and automated regulatory and compliance reporting (64 percent versus 38 percent). While many firms are exploring process automation, particularly in the first LOD businesses and support areas, 25 percent of smaller respondents indicated they have no plans to implement process automation for risk management activities.


The road ahead

ORM plays an essential role in the strategic success of all financial institutions, and the KPMG/RMA Operational Risk Management Excellence Survey results reveal that important strides continue to be made by institutions both above and below $250 billion. ORM is improving its contribution to business/risk decision making and strategic planning. It is helping to strengthen firms' risk culture and developing enhanced risk appetite measures at the enterprise and line levels. It is helping firms move toward greater convergence on risk and control definitions, rating scales, assessment approaches, and reporting. It is fortifying its role to provide effective challenge and exploring innovative ways to drive greater efficiencies, automation, and enhanced analytics.

Going forward, banks and other financial institutions need to further enhance their risk management capabilities to identify and respond with ever greater speed to a growing stream of challenges and threats from multiple fronts, including rapidly spiking volatilities that challenge trading algorithms and systems, conduct failures and cultural breakdowns at the leadership and line levels, and more coordinated and pernicious cyberattacks and third-party events. Without question, those firms that develop more agile, responsive, and proactive risk management capabilities will find they are better equipped to address threats as they arise, better support their clients and customers, deliver higher returns to their shareholders, and provide a safer and sounder environment for the communities they serve. Leading firms will likely develop these capabilities in practical ways that drive efficiencies in risk processes, enhance risk analytics, and support convergence among nonfinancial risk disciplines. In the years to come, ORM excellence is expected to become a true differentiator between firms that thrive and those that do not; it will likely become an imperative for success.

KPMG and RMA appreciate financial institutions' continued support of this survey and look forward to the further evolution of this important risk management discipline.

Contact us:

Brian J. Hart, Principal and National Lead, Enterprise Risk Governance, KPMG LLP
Phillip Bray, Principal, Enterprise Risk Governance, KPMG LLP
Edward J. DeMarco, Jr., Chief Administrative Officer and General Counsel, The Risk Management Association, E: edemarco@rmahq.org
Sylwia Czajkowska, Associate Director, Operational Risk, The Risk Management Association, E: sczajkowska@rmahq.org
David L. Stone, Director, Enterprise Risk Governance, KPMG LLP, E: dstone2@kpmg.com

Special thanks to:
Daniel Casey, Manager, Enterprise Risk Governance, KPMG LLP, E: gdcasey@kpmg.com
Karsten Holmquist, Senior Associate, Enterprise Risk Governance, KPMG LLP, E: kholmquist@kpmg.com

Contributions by:
Amy Matsuo, Principal, KPMG LLP
Cameron Burke, Managing Director, KPMG LLP
Christine Chan, Director, KPMG LLP
Nicole Stryker, Director, KPMG LLP
Jon Holland, Director, KPMG LLP
Jonathan Mercado, Senior Associate, KPMG LLP

kpmg.com
rmahq.org