Operational Risk Perspective: Cannot see the Woods for the Trees!!!

In the parlance of effective implementation of the Operational Risk Management, the central theme is Internal Control. It begins with Internal Control Governance and framework ( be it COSO, Basel and/or RBI requirements) with defining ownership and then continues to live with monitoring and oversight.

Be it the banking parlance or any other industry, there is slew of functions that constantly examines this aspect from varied lens… sometimes the filter is

Control Self-assessment by the first line / unit implementing the control
Second line of risk and compliance functionaries testing the same control from different angle
Third line testing the same control from giving assurance about the effectiveness of the control.

This translates into “Control Fatigue” and not “Identification of Open Risk “or “Control ineffectiveness”

From practice, I believe here are some disadvantages which needs attention in this world of introduction and /or implementation of AI into Banking space… ◦

Fragmented testing based on varied methodology and sampling techniques leading to inconsistent conclusions about the same control ◦
Unproductive resource allocation Same controls such as AMl/KYC checks, loan processing segregation of duties or say post disbursement docket checks being checked by multiple users takes a strain on the system and leads to the wastage of time and effort. The results only provide reactive effort to plug the gap and no holistic group results
Another major area is the vulnerability of missing that high impact error thereby leading to incorrect assurance. Based on the sample, the assurance is that the control is working effectively.
Poor ownership by the first line to effectively test the control and provide the sample. This activity is not their priority and hence based on the DNA of the organisation, the result is often either skewed or incomplete
Human errors of manual testing of controls. Each control is either passed or failed based on human judgement… this may not have much impact on low-risk repetitive control but seeds of high risk get sown if high impact failed control is missed
Last but not the least is the Cost Benefit analysis … Often seen that testing of the low risk and repetitive control, may get expensive.

In today’s world wherein Corporate Governance is making rounds and Board room Agenda s are being revisited, it is critical that we address the concern of Control Fatigue through a more holistic approach based on the Organisational Risk and Compliance Culture.

About Me

A dynamic professional in the finance sector, she balances analytical precision with a deep passion for creative writing. Beyond her corporate role, she finds solace and strength in words, expressing her thoughts on lifestyle, relationships, philosophy, and spirituality. Her writing is heartfelt, reflective, and rooted in everyday experiences, offering readers a gentle lens into life’s deeper meanings.

She wears many hats — a mother, a wife, a daughter — each role enriching her perspective and adding depth to her storytelling. Her words are not bound by genre but guided by authenticity and emotion. Whether exploring inner journeys or capturing fleeting thoughts, her writing serves as both a mirror and a bridge — connecting self to soul, and soul to society.