Operational Risk, Internal Audit and AI trends & skills


Paul Sefton

Reflections on the skills and profile of the Operational Risk professional

The Operational Risk discipline has come a long way since its early years. With continued regulatory focus and catastrophic industry events, Operational Risk has become a crucial topic on Senior Management's agenda.

With the evolution of the discipline, the demands on the profile of the operational risk practitioner have been ever increasing. When trying to fill this important role, it's not uncommon for employers to insist on a combination of extensive experience in operational risk frameworks and tools, knowledge of regulatory requirements, excellent communication and influencing skills, and in-depth specialist knowledge, be it business, product, vendor, cyber or another area that requires oversight and challenge. In smaller firms, it falls on one (superman/superwoman) individual to have all the required skills and qualities.

What skills do operational risk practitioners perceive as most valuable?


What do operational risk professionals believe their likely career progression to be?


Current & Future Skill Set

What is a ‘prominent’ skills debate in the industry? Not surprisingly, it is technology-related: a lot is written and said these days about various technological developments.

In February 2018, the Basel Committee's 'Implications of fintech developments for banks and bank supervisors' raised the need for 'bank personnel [to] have the appropriate awareness and capability to manage fintech risks'.

In July, BaFin issued a study, "Big data meets artificial intelligence - Challenges and implications for the supervision and regulation of financial services", dedicating a chapter to skillset considerations.

"There is an increasing demand for employees with mathematical and analytical abilities because of the development of Big Data Artificial Intelligence models requires skills in the areas of data analysis and software development (data scientists)."

Established market participants in the financial services sector are locked in tough competition for talent when seeking new employees with these profiles. 

Indeed, technological developments cannot be ignored; it is important to stay abreast of them and to upgrade knowledge and skills across the whole spectrum of the three lines of defence, including operational risk.

Continuous learning through practical steps:

  • Internally within the firm, through opportunities for in-depth reviews of new technologies, products and strategies (operational risk is so well positioned to ask questions, it's part of the job mandate to understand, so best to make full use of it!);
  • Via external events and seminars, with natural curiosity, exploring industry developments;
  • More in-depth, time permitting, via courses and qualifications, of which there are plenty, of varying duration and intensity.

While new skills entering the market are being extensively talked about, there is an equally crucial skill set that is not in the spotlight and is partly disappearing, one to be revived and invested in: the true understanding of how banking works end-to-end and the ability to explain it simply, e.g. with T-accounts (an old yet effective tool). As more processes are outsourced and completed in silos, the 'core banking end-to-end' knowledge must be brought into the spotlight, discussed, debated and written about, given the attention it deserves, and the rigour of mandating it re-instilled.

This also applies across the whole spectrum of the three lines of defence, and is key for Operational Risk practitioners, given the breadth of the discipline (which covers, basically, everything apart from credit and market risk, although it is good to have some knowledge there too!). It’s also an area where operational risk is perfectly positioned to help others connect the dots, via cross-functional new product reviews, Risk and Control Self-Assessments, analysis of operational risk events and their causes and consequences, and scenario analysis: all tools that, if well applied, facilitate end-to-end learning. With this unique ‘central’ position to everything that is happening, Operational Risk professionals will have increased confidence in the next survey to aim for the COO or CRO positions.

We welcome your views and invite you to join the debate on the profile of an operational risk professional. What qualities and skills are of most importance, now and in the future? And what does the ‘ideal’ future operational risk expert look like?

AI & Risk Recruitment

Having transitioned from corporate governance recruitment to data & technology recruitment, I’m in a unique position where I have seen the challenges that corporate governance faces in recruiting the most up-to-date skills today. That skills gap appears to be in the area of data science and AI.

Prior to 2008, audit, risk and compliance pretty much hired from amongst themselves only. Of course, they trained up internally or hired from accountancy firms where at the very least you were guaranteed a bright, qualified accountant with an understanding of controls and, if you hired really well, then risk knowledge and awareness. However, I think it's fair to say those audit roles were filled by auditors, risk roles by risk professionals and compliance roles by compliance specialists. Occasionally, these disciplines looked towards each other to fill their requirements, but rarely into the business.

Then came 2008 and questions were asked: did the 3LoD model fail, did each line know enough to see and understand the risks, could it have been prevented, was the risk appetite just wrong?

This brought a new challenge: there was a clear change in hiring mandates, as corporate governance looked to people from the front line/business to move in and to upskill and train their teams. It was deemed that the controls side could be taught as long as these hires brought industry expertise.

Differences between Artificial Intelligence and Corporate Governance

Why is it difficult to recruit Artificial Intelligence and Data Science specialists in corporate governance?

  • Doesn’t relate to their studies - Looking at risk and control is not what data scientists have studied for, sometimes for as long as 10 years if you include a PhD.
  • Different end result - The end result of a control/risk reduction, rather than an actual viable product/algorithm, doesn’t appeal as much.
  • Report writing - Important for corporate governance, less so with data science/machine learning roles. Do they even want to do this?
  • Rigid vs flexible - Can audit, risk and compliance offer challenging problems to solve whilst also giving space to research and innovate?
  • Competition - Unlike 2008, when we were in a recession and only banks could afford those from the front office, these individuals are being approached by startups, medium-sized firms and tier 1s, by front office and by corporate governance. Candidates can cross sectors easily, opening up a world of choice to them.

How to find the right skill sets?

So, what can corporate governance do to hire the skills so badly needed in control functions?

  • Give an opportunity to those who want to grow by upskilling the people you already have.
  • Commit to upskilling those who have chosen a less technical route to date.
  • Can they see how their career will grow? Sell the story; will they believe it?
  • These are creative individuals; give them space to innovate.
  • Bridge the gap between the tech you have and the tech they want to use.
  • Spend money to attract the right people. When it’s so competitive, use what you have on your side, which is generally stronger salaries.


A special thanks to Elena Pykhova for her invaluable contribution to this blog, along with our director Paul Sefton.

Elena Pykhova is the Director of OpRisk Company Ltd, specializing in strategy, design and implementation of firm-wide operational risk frameworks, policies and tools. Elena is a professional member and former Director for Education of the Institute of Operational Risk, Chair of the Operational Risk Committee of the Association of Foreign Banks, and a seasoned operational risk trainer, teaching fundamentals of Operational Risk Management at the London Stock Exchange Academy.