Why So Many ERM Programs Miss the Operational Mark: Overcoming Operational Risk Management Obstacles

Modern ERM teams are tasked with identifying and reporting on the top risks that might prevent their organization from achieving its business objectives. Yet, there is growing evidence that these ERM programs are not doing enough to protect their businesses from operational risk events linked to their unique risk profiles. The banking failures in the first quarter of 2023 demonstrated the lack of continuous communication and risk mitigation for what many outsiders saw as clear risks that should have been readily anticipated (see “Regulators Offer Candid Assessment of the Root Causes for SVB and Signature Failures“). These failures reveal why ERM programs that are not integrated into the fabric of business operations are simply ineffective.

In AuditBoard’s Unlocking Operational Risk Management: Empower the Front Line to Effectively Manage Risk, we explore the reasons for the divide between front-line risk ownership and overall risk management efforts. Download the free guide here, and continue reading to learn why existing risk management practices fail to empower the front-line in effectively managing their risks.

Operational Risk Management: Expectations Versus Reality

ORM encompasses the people, processes, and technology that drive business outcomes. An effective ORM program identifies and assesses the process opportunities and risks in the organization. By extension, for an ORM program to be effective, it must answer the following questions about the organization’s processes:

• Is the process itself truly geared toward the intended business outcome?
• What are the risks if the process does not achieve the business outcome?
• Are the controls surrounding that process designed and operating effectively?

In reality, ERM programs often do not live up to their promise of proactively managing enterprise-wide risks.  According to a recent report by the Association of International Certified Professional Accountants (AICPA and CIMA), two out of three CFOs said their business does  not have “complete enterprise risk management processes in place.” The lack of depth in identifying and assessing risks at the enterprise level is why ERM processes are incomplete. For proof, look no further than the prevalence of significant operational risk loss events in recent history.

ORX, which was incorporated in 2002 for the secure and anonymous exchange of operational risk loss data from around the world, maintains an up-to-date analysis of the world’s most recent and largest operational risk loss events. A snapshot of North American losses that ORX reported for Q1 2023 alone have included:

• TD Bank Group – $1.21 billion. TD Bank agreed to a $1.21 billion settlement to resolve claims that it enabled the Allen Stanford Ponzi scheme.
• Canadian Imperial Bank of Commerce – $848 million. CIBC was ordered to pay $848 million in dispute over 2008 loan repayments.
• Coinbase — $100 million. Coinbase agreed to a $100 million settlement with NYDFS over AML failures.
• Wells Fargo & Company — $97.8 million. Wells Fargo was ordered to pay $97.8 million for facilitating transactions that violated US sanctions.

To improve overall risk management practices, understanding the root cause of operational risk events can be a meaningful exercise — and a great place to start.

Why ERM Programs Frequently Miss the Operational Mark

Risk management programs are often incomplete and ineffective at managing operational risks due to a variety of factors: ranging from insufficient resources to mismatched priorities among executive leadership and the front line. A common challenge is the disconnect between the ERM team — typically a small, highly centralized group of isolated risk professionals — and the front-line business managers responsible for executing day-to-day business processes. We explore several reasons for this disconnect below:

• Communication Breakdowns: Oftentimes, risk programs lack proper mechanisms for business managers and process owners to proactively communicate their process-level risks up the chain of command. Instead, the front line typically responds reactively to assurance responsibilities assigned to them by risk groups. A lack of bilateral operational risk reporting can lead to assurance blind spots and gaps. Moreover, while boards determine the organization’s risk appetite, this message often does not reach the front lines — those actually responsible for managing those risks — ultimately causing further disconnect between ERM and the business.
• Poor Context: ERM teams typically spend most of their time reporting on the business’s strategic risks to the board. As a result, what ERM teams report to the board is based on an assumption of the organization’s risk profile, and does not sufficiently account for the execution-level view of operational risks involving people, processes, and technology. Consequently, the board is often led to make poorly informed risk decisions that have a direct impact on the strategic success of the business.
• Collaboration Limitations: Collaboration between the front-line and risk management groups is frequently lacking. In addition to weak reporting mechanisms for the front-line to report their process-level risks, poor metrics and escalation procedures also hinder proactive collaboration between risk professionals and the business managers they support. Moreover, teams with shared risk management missions are often disconnected from each other; it is not uncommon for an organization to have audit, risk, IT, and compliance groups all working separately and simultaneously on managing the same risks and controls. Without effective collaboration among these groups, the front line is prone to receiving mixed messages from different risk teams — leading to confusion and disjointed, inefficient risk management efforts.
• Resource Limitations: ERM teams are often short-staffed and do not have enough resources to engage with different business units on a consistent basis. Moreover, risk data across the organization is often stored in independent and siloed databases across risk groups. This creates communication and knowledge gaps, preventing the front line from understanding how their controls and processes contribute to business outcomes. Finally, risk teams often manage their risk and controls manually. Frequently, the front line will not have access to relevant risk information and therefore relies on corporate functions to remind them of their control responsibilities. Such resource limitations can lead to inefficiencies and gaps in assurance.

The most damaging consequence of these shortcomings is a front line that is disconnected from the organization’s risk management efforts and unable to escalate risk insights up the chain of command. Ask yourself: are the front-line business managers and process owners in your organization truly owning and managing the risks in their processes, or are their risks and controls disconnected from your business’s risk profile and ERM efforts? The answer should help you clarify the weaknesses in your risk management program so you can begin to challenge them. To learn best practices for empowering the front-line to effectively manage operational risks, download the full guide, Unlocking Operational Risk Management: Empower the Front Line to Effectively Manage Risk, here.