“Senior management should ensure the comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood,” according to the Basel Committee on Banking Supervision.

This injunction formed one of 12 key principles in the Revisions to the Principles for the Sound Management of Operational Risk, unveiled by the committee, in March 2021.

For senior management to be able to fulfil this obligation, both the language of risk control and the data upon which risk controls depend should be clearly standardized. Without such uniformity, internal risk control teams and regulators will only see the risks that reside in any institution as if through a glass darkly.

At the moment, unity of taxonomy and data among financial institutions is well-nigh impossible to find across the entire organization. The familiar obstacles of idiosyncrasy and silos by instrument, asset class, and region present themselves. As identified in “The American Banker“, data an emerging operational risk area based in banks in 2022.

The three lines of defence model is now a familiar and entrenched structure within all tier one financial institutions – but everyone does it slightly or even radically differently. There is no unity of structure, and there can be no unity of structure until everyone uses the terminology in the same way and the type of data incorporated into the controls is standardized.

It is not that banks don’t realize the importance of risk language that everyone understands and the cleanliness of consistent data, it’s just that they’re not very good at delivering it across their whole organization.

One of the major stumbling blocks to date has been the lack of peer analysis and industry benchmarking. Banks have spent the last five to ten years looking inward and trying desperately to abide by regulatory guidelines. There has been little effort to establish industry-wide standards or even accepted definitions of words and phrases in common usage.

Yet peer analysis and risk diagnostics to understand your comparative strength vs. Peers on an ongoing basis is recommended by the regulators. In the examples of tools helpful in delivering Principle Six, quoted above, the BIS notes that comparisons of the outcomes of different risk measurement tools within the same bank and also comparisons of metrics in use within the industry “can be performed to enhance understanding of the bank’s operational risk profile.”

In CP21/7, the new source book entitled MIFIDPRU, the FCA says clearly firms are entitled to use peer analysis and when doing so “the firm should take into account any material differences between the firm’s business and the business carried on by its peer, and to the extent that it is aware of them, any material differences in their respective systems and controls.”

The banking industry is not one of the most collaborative in the world. Indeed, in the last half century or so it has been largely marked by merciless competition. However, this might be a time when one bank might learn from another while helping teach a third. 

No-one suggests standardization and integrity of language and data within the risk environment is easy to accomplish. But until it is accomplished, senior managers at financial institutions will continue to talk at cross purposes not only to their colleagues but also to regulators.

About Acin

Acin has a comprehensive, pre-built risk and control quick start library of inventories constructed through industry consultation and mapped to regulatory guidance, to provide immediate value and accelerate impact. Easily and proactively demonstrate to the regulator, auditors, investors, shareholders, and boards that you are managing climate risk – ahead of regulatory deadlines.