risk management
Evolving data architectures
January 2019
The future of operational risk management | Evolving data architectures
1
Deloitte, The future of operational risk in financial services, available at – https://www2.deloitte.com/us/en/pages/risk/articles/basel-final-rules-takeaways-highlights-us-banks.html.
Note: While we use the term operational risk in this point of view, we recognize that some institutions have started to use the term Non-Financial Risk to include areas beyond the traditional Basel Committee definition (e.g., to include such risks as brand and reputation risk). Our definition of operational risk has always been such a broad definition, though we continue to use the terminology of operational risk.
The figure on the right is an illustrative data architecture that highlights legacy Basel II components, those required for Standardized Management Approach (SMA), and a broader set of data sources required for predictive analysis. Broadly, this architecture includes:

(i) Data sources, which includes the systems interfaces, messaging, and data flows for bringing together currently disparate data;
(ii) Quantification calculators—the models that combine internal and external loss data to produce loss estimates (e.g., for current capital quantification and/or CCAR operational stress capital);
(iii) Core predictive analytics, to identify patterns, correlations, and causation that are otherwise hard to spot; and
(iv) Reporting capabilities—the mechanism for communicating current and potential operational risk exposures both to senior management and the business line units that manage operational risk on a daily basis, and integrate their feedback into traditional operational risk management processes.

While the structure is conceptually simple, there are several operational challenges to implementing this future state. Many organizations have faced some of these challenges while implementing significant regulatory programs that involve aggregation of data from multiple-sources systems.

One key consideration in the case of operational risk analytics, however, is to refrain from creating oversized data pools in which the risk sensitivity of the data has not been established. This data risk sensitivity analysis is critical, because it will allow relationships to be generally pre-established in the dynamic operational risk model to improve risk detection and associated decision making. This is where the experience, judgment, and “smarts” of an operational risk manager can be the difference between boiling the ocean and collecting too much information, or progressing on this journey in a thoughtful, cost-effective manner that demonstrates quick wins and builds on that momentum. Stated differently, this new operational risk data model should be developed with defined rule sets that fuel deeper behavioral analysis, trend identification, and predictive analysis. Each organization will need to develop a unique set of characteristics and a bespoke implementation plan for a dynamic operational risk data model in line with its system and application architectures.

The data awakens

Operational risk data collected by organizations typically includes Risk and Control Self-Assessment (RCSA) results, internal operational risk incident descriptions and loss information, scenario analysis, issue management, and, occasionally, risk-oriented metrics.

There is, however, other equally valuable information that could inform operational risk managers but currently not collected—or if it is collected, it certainly isn’t aggregated to provide a broader tapestry of the risk exposures the organization is exposed to. This information could include compliance metrics, front office supervisory data, HR information, and transactional data. The legacy data model tends to be less intuitive and predictive in effectively informing the organization as to measures, trends, and overarching risk profile.

Organizations now have the opportunity to expand the traditional operational risk data model. As organizations undergo digital transformations, the availability and range of data becomes easier to access and more readily available for consideration and potential inclusion in the newly defined operational risk data model. Moving toward a broader and more dynamic data model can open the door to more effective use of predictive risk analytics and allow data science techniques to assist organizations in understanding risk drivers, themes, and behaviors. The defining effect of these dynamic operational risk models can permit greater predictability and probability for organizations to determine their current level of risk.
[Figure: illustrative operational risk data architecture. Data source labels: GRC, RCSA, Loss data, KRI’s, Scenario Analysis, Compliance Systems, HR, Transaction, External, Front Office Supervisory Data. Other labels: Data lake; Forwarding leading Reporting Layer; Predictive risk assessment. Callout 1: Legacy operational risk management platform including traditional Basel infrastructure for operational risk quantification. Callout 4: Leverage of information across lines of defense to promote efficacy and action, over protocol and procedure. Callout 5: Process efficiency through robotic process automation, natural language processing and business process management and decisioning tools to automate collection, cleaning, and transformation of applicable operational risk data.]
Contact us:

Monica O’Reilly
US Regulatory & Operations Risk Leader
Deloitte & Touche LLP
+1 415 783 5780
monoreilly@deloitte.com

Nitish Idnani
US Operational Risk Leader
Deloitte & Touche LLP
+1 212 436 2894
nidnani@deloitte.com
About Deloitte
As used in this document, “Deloitte” means Deloitte Tax LLP, a subsidiary of
Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of
our legal structure. Certain services may not be available to attest clients under
the rules and regulations of public accounting.
This publication contains general information only and Deloitte is not, by means
of this presentation, rendering accounting, business, financial, investment, legal,
tax, or other professional advice or services. This publication is not a substitute
for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or
taking any action that may affect your business, you should consult a qualified
professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies
on this publication.