Operational risk management is a strategic factor in the financial sector. Operational Risk is defined as the likelihood that financial activities will experience value fluctuations due to unforeseen factors that arise during the regular operations of a bank.
Generally, operational risks include:
- all risks related to legal and bureaucratic obligations that could hinder the successful completion of a financial transaction;
- the possibility of encountering fraud (either internal or external to the bank) or irregularities in transaction execution (clients, products, & business practices);
- the physical loss of assets underlying the financial activity under assessment.
Permanent controls are a fundamental component of the operational risk management system within banks. They help to:
- ensure the security and efficiency of operational processes;
- protect the bank’s assets;
- enhance regulatory compliance.
Thus, permanent controls must be integrated into operational processes, playing a key role in identifying, monitoring, and mitigating risks.
In this article, after describing the main controls in place to manage operational risks in banks, we will outline key innovation trends and provide a series of use cases, with a particular focus on applications of Artificial Intelligence. Furthermore, we will delve into methodologies for evaluating the best control design options in terms of sustainability and value, as well as the organizational and operational models of the permanent controls function.
Types and examples of banking operational processes with permanent controls to manage operational risks
There are several types of permanent controls, including:
- Preventive Controls: aimed at preventing the occurrence of risky events;
- Concurrent Controls: performed during the activity to monitor process adequacy;
- Subsequent Controls: verify the outcome of the activity and the effectiveness of previous controls.
The effectiveness of permanent controls depends on several factors, including:
- Adequacy of control design and implementation;
- Segregation of duties and responsibilities;
- Staff training;
- Continuous supervision and monitoring.
Examples of banking operational processes with permanent controls to manage operational risks are provided in the table below.
| Operation Type | Examples of Permanent Controls to Support Operational Risks |
| --- | --- |
| Opening Current Accounts | Verification of customer identity (KYC) and anti-money laundering (AML) – Control of account opening requirements – Evaluation of customer’s credit risk |
| Granting Loans | Evaluation of customer’s creditworthiness – Analysis of default risk – Definition of repayment plan and collateral |
| Payment Management | Control of authorizations and spending limits – Verification of payment data accuracy – Prevention of fraud and illegal transactions |
| Investments | Evaluation of customer’s risk profile – Suitability of the product for the investor – Monitoring of investment performance |
| Treasury Operations | Management of currency risk – Control of counterparty risks – Monitoring exposure limits |
| Access Controls | Strong and multi-factor authentication for system and information access – Access privilege management based on the principle of least privilege – Monitoring and control of abnormal access |
| IT Incident Management | Well-defined and tested incident response plan – Investigation and analysis of incidents to identify causes and potential solutions – Implementation of corrective measures to prevent recurrence of similar incidents |
Operational risk management: innovation trends in operational risk controls
The table below highlights the main innovation trends:
| Area | Benefits |
| --- | --- |
| Artificial Intelligence (AI) | Data analysis: AI helps analyze large volumes of data to identify anomalies and potential operational risks. – Automation: AI can automate repetitive and manual tasks, freeing up time for more strategic activities. – Chatbots: Chatbots can be used to answer customer inquiries and provide support in case of issues. |
| Cloud Computing | Better data access: Cloud offers easier and faster data access for risk control teams. – Scalability: Cloud allows resources to scale according to needs, making it ideal for growing banks. – Security: Cloud providers offer a high level of security for sensitive data. |
| Robotic Process Automation (RPA) | Process automation: RPA can automate repetitive tasks such as data entry or transaction verification. – Improved efficiency: RPA can enhance the efficiency of risk control processes. – Cost reduction: RPA can reduce costs associated with manual processes. |
| Blockchain | Better traceability: Blockchain improves transaction traceability and reduces fraud risk. – Increased security: Blockchain provides a high level of security for data. – Smart contracts: Smart contracts can automate contract execution, reducing the risk of errors and fraud. |
| Cybersecurity | Cyber threats: Cyber threats are on the rise, and banks must invest in cybersecurity to protect themselves. – Penetration testing: Banks must regularly conduct penetration tests to identify vulnerabilities in their systems. – Incident response plans: Banks must have incident response plans to manage cyber threats. |
Methodologies for evaluating the best control design option in terms of sustainability and value
In operational risk management, methodologies to evaluate the best option for designing permanent operational risk controls in terms of sustainability and value can be divided into two main categories:
- Cost-Benefit Analysis (CBA): This approach compares the costs of implementing and maintaining the control with the expected benefits in terms of reducing operational risk and improving business performance.
- Multi-Criteria Analysis (MCA): MCA considers a set of evaluation criteria such as sustainability, value, effectiveness, complexity, and adaptability of the control. In the “sustainability” criterion, it’s essential to account for environmental aspects, requiring an assessment of the environmental impact of using AI technologies for executing controls. While AI technologies may be regarded as standard information systems during application, training models demand substantial computing resources, which impacts energy consumption.
Additionally, MCA may incorporate specific methodologies, including:
- Loss Event Frequency (LEF): Estimates the frequency of loss events associated with a specific operational risk.
- Loss Event Magnitude (LEM): Assesses the financial impact of a potential loss event.
- Scenario Analysis: Examines the impact of various operational risk scenarios on control design.
- Monte Carlo Simulation: Simulates the impact of different uncertain variables on control design.
The choice of the most appropriate methodology
The choice of the most appropriate methodology depends on various factors, such as the nature of the operational risk, the complexity of the control, and the resources available. For instance, consider the permanent control of operational risk related to human error in data entry, which can lead to various types of losses, such as:
- Payment delays;
- Incorrect transactions;
- Fraud.
In managing operational risk, the bank could consider different control options, such as:
- Implementing a training program to increase staff awareness of operational risks and proper data entry procedures;
- Implementing software that automatically checks the accuracy of entered data, or a dual-control procedure for sensitive transactions.
In this case, the bank might use Multi-Criteria Analysis (MCA) to simultaneously evaluate:
- The costs and benefits of each control option: Costs would include development and implementation, as well as maintenance and training expenses. Benefits would encompass reduced risk of operational losses and improved operational efficiency.
- The sustainability of different control options: For example, staff training could have a positive environmental impact by reducing the need for printed materials.
- The overall value of each control option, considering both tangible benefits (such as reduced risk of losses) and intangible benefits (such as enhancing the bank’s reputation).
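The following is an added worked example, not code from the original article: it quantifies the cost-benefit dimension of the data-entry scenario above with a Monte Carlo simulation over Loss Event Frequency (LEF, modelled as a Poisson count of events per year) and Loss Event Magnitude (LEM, modelled as a lognormal loss per event), then ranks the control options by expected loss avoided minus annual control cost. All option names, frequencies, loss sizes and costs are constructed assumptions for illustration, not figures from the article.

```python
"""Constructed example (not from the article): comparing the control
options for data-entry errors with a Monte Carlo over LEF and LEM."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    name: str
    lef: float          # Loss Event Frequency: expected events per year (Poisson mean)
    lem_median: float   # Loss Event Magnitude: median loss per event, EUR (lognormal)
    lem_sigma: float    # dispersion of the per-event loss (lognormal sigma)
    annual_cost: float  # implementation, maintenance and training, EUR per year


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: draw one Poisson(lam) event count from the given RNG."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(opt: ControlOption, years: int = 10_000, seed: int = 1) -> list[float]:
    """One simulated year = LEF-distributed number of events, each with its own LEM draw."""
    rng = random.Random(seed)
    mu = math.log(opt.lem_median)
    return [sum(rng.lognormvariate(mu, opt.lem_sigma) for _ in range(poisson(rng, opt.lef)))
            for _ in range(years)]


def expected_annual_loss(opt: ControlOption) -> float:
    losses = simulate_annual_losses(opt)
    return sum(losses) / len(losses)


def rank_options(baseline: ControlOption, options: list[ControlOption]) -> list[tuple[str, float]]:
    """Cost-Benefit view: net benefit = expected loss avoided vs. baseline - annual cost."""
    base_eal = expected_annual_loss(baseline)
    scored = [(o.name, base_eal - expected_annual_loss(o) - o.annual_cost) for o in options]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Assumed parameters for the article's data-entry scenario (illustrative only).
NO_CONTROL = ControlOption("No additional control", lef=20, lem_median=2_000, lem_sigma=1.0, annual_cost=0)
TRAINING = ControlOption("Staff training programme", lef=12, lem_median=2_000, lem_sigma=1.0, annual_cost=15_000)
AUTO_CHECK = ControlOption("Automated validation + dual control", lef=4, lem_median=1_500, lem_sigma=1.0, annual_cost=40_000)
```

Because the analytic mean of a compound Poisson loss is LEF multiplied by the mean per-event loss, the simulated expected annual loss can be checked against that closed form before trusting the ranking; the sustainability and intangible-value criteria of the MCA are not captured here and would be scored separately.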
Organizational and operational models of the permanent controls function in operational risk management
In operational risk management, the organizational and operational models of a bank’s permanent controls function can vary depending on several factors, including the bank’s size and complexity, organizational structure, risk profiles, and regulatory requirements.
Common models include:
- Centralized Model: Here, the permanent controls function is centralized in a single organizational unit responsible for the entire bank. This model promotes greater consistency and standardization in control processes, although it may be less flexible and adaptable to the specific needs of different business areas.
- Decentralized Model: In this model, the permanent controls function is distributed across various organizational units, each responsible for a specific business area. This allows for greater flexibility and adaptability to the unique needs of each business area, though it can be more challenging to coordinate and monitor.
- Hybrid Model: This model combines centralized and decentralized approaches, aiming to balance consistency with flexibility.
With the advent of cloud computing, a hybrid model is often recommended. Centralized data systems can handle controls related to digital data analysis, while distributed users across branches maintain flexibility. This model helps meet primary objectives of the permanent controls function, such as:
- Protecting assets;
- Ensuring regulatory compliance;
- Improving operational efficiency;
- Preserving reputation.
Implementation of a project for the development of an AI solution in operational controls
For operational risk management, the development of a project aimed at creating an Artificial Intelligence solution is based on applying a set of practices focused on developing and maintaining machine learning models in production reliably and efficiently. This is known as MLOps (Machine Learning Operations).
MLOps refers to a set of practices, tools, and processes that enable collaboration between data science and operations teams to automate and streamline the deployment, monitoring, and maintenance of machine learning models. By incorporating MLOps, organizations can ensure that AI solutions are effectively integrated into operational control frameworks, offering reliable and scalable support for managing operational risks.
Machine learning models, possibly combined with symbolic approaches, are developed and tested in isolated experimental systems.
At this stage, the professionals involved are mainly Data Scientists and Machine Learning Engineers, who interact with the customer’s functional area during the Business Understanding and Validation phases, and with the IT area during the Data Understanding phase.
The release of data acquisition processes and model application into production involves collaboration between Data Scientists and Machine Learning Engineers, as well as software engineers and developers who manage the IT infrastructure.
Similar to DevOps approaches, MLOps aims to increase automation and improve the quality of production models, while also focusing on business and regulatory requirements. To achieve this, mechanisms such as automatic re-training of machine learning models or continuous training of neural networks can be implemented.
Project sizing for developing an AI solution in operational controls
To estimate the duration and cost of a project for developing an AI solution for operational risk management, three main categories must be considered:
- Professional services for data integration and AI model training;
- Use of the technological platform and its integration into the client’s IT infrastructure;
- Maintenance of the solution, both for the AI models and for the end-user solution.
Author: Francesco Cupello