Challenge
Given the internal nature of operational risk incidents, most organisations keep their operational risk management practice close to their chest. Because of this, there aren’t many ways for organisations to benchmark their practice in relation to their peers.
Our extensive experience in risk management consulting for the financial industry gave us the ability to compare the level of operational risk management maturity in this large insurance company to the level of its peers.
The mission required openness and transparency from the CRO and their team, to share with us the risk reporting details, the framework’s methodology and its implementation throughout the organisation.
Understanding the client
As with any benchmarking exercise, the first step was to deeply understand the client’s practice, their method, strengths and weaknesses. After meeting them to explain our mandate, we spent time examining all the risk documents: the policies and procedures, the reporting structure and its content, the governance arrangements, etc. We had several meetings with the client to really understand how they were deploying operational risk management in their organisation.
Benchmarking methodology and reporting
For the benchmarking exercise, we used a proprietary questionnaire of 70 questions split into 7 components of the risk management framework, with roughly 10 questions each, aimed at evaluating the level of maturity of the risk practice.
We qualified the answers to the questions in a simple scoring system of yes (2), no (0), and partially (1). We evaluated independently – based on our examination of the client’s practice – the answers to each of these questions, and the organisation rated itself as well.
Next, we discussed the answers to each question to highlight any difference and confront viewpoints. After a couple of meetings, we were able to reach a consensus on practically all of the answers.
Reporting
Finally, we delivered to the Board Risk Committee a concise report highlighting the strengths of the risk management framework as well as some points for improvement. We used these points for improvement to develop recommendations for the team.

This benchmarking exercise turned out to be a great opportunity for a well-performing risk team to showcase their strengths, based on an objective assessment from an external provider. The mission and findings gave comfort to the Board that the risk team’s trajectory to improve their operational risk management practice was sound and validated by experts.
After the presentation of our results and recommendations to the Risk Committee of the Board, the CRO presented their multi-year business plan to further develop and strengthen risk management in the organisation, explicitly taking into account all our recommendations.
