Amid all the noise surrounding various regulations, 2006 has been a waiting game for many banks, a trend that will continue over the next 12 months. David Carruthers, director of the IBIS division of Financial Objects, explains.
Banks have succeeded by assessing and managing risk for many years. What is new, however, is that Basel II explicitly factors operational risk into the calculation of total capital requirements. And it does so with a very important twist: The more effective a bank’s operational risk management effort is, the less money it needs to set aside in reserve. That's a powerful, bottom-line incentive to correctly handle operational risk management, although this strengthening of risk management does not come without cost.
However, despite the noise around operational risk partly brought on by Basel II, the reality for 2007 is somewhat different. This reflects a critical issue with operational risk management. Unlike other risk groups (such as credit risk), which are clearly defined, operational risk, by its very nature, is much broader in scope. Addressing operational risk is therefore a more complicated task.
There is plenty of discussion around what operational risk management is, and rightly so. Although Basel II provides its own definition, it nevertheless encompasses a variety of risks and factors that banks have to identify and measure before even thinking about how they can manage them.
One of the problems is that it can include so many aspects – regulatory risk, security risk, information security (IT) risk – all with their own experienced managers. Basel II has caused much of the confusion by hyping operational risk almost to the point of it being disproportionate to its undoubted importance.
Centralised risk management could go the way of Quality Assurance
Most Basel II programmes are being run by the central risk function within banks, but operational risk encompasses varied aspects of operations, making it incredibly difficult for a centralised team to implement, as many banks have attempted to do.
These central functions tend to focus on modelling and analytics, while operational risk is mainly about measuring the effectiveness of controls and processes. Marrying the two is difficult, compounded by the divide between the modellers who have their eyes firmly fixed on Basel II and those people on the ground trying to implement policies that will control the day-to-day operational risks.
While that in itself isn’t a problem, the evolution of the operational risk function has some worrying parallels to the old Quality Assurance (QA) teams many banks had. A central team attempting to impose processes removed from day-to-day operations is unlikely to work effectively.
Nor can you absolve the process owners of responsibility; they are the people who have the clearer idea of the processes and how they should work. In some organisations you can see how operational risk is in danger of going down the same route as QA, with a centralised team telling the process owner how to manage their risks.
Banks need to use the existing control functions to devolve operational risk management. In our experience, the least successful programmes have involved a central group imposing its own agenda on business units; they cannot expect to be experts in all areas of a bank’s business and know how to run each and every one of them.
Operational risk teams should therefore be a co-ordinating and facilitating function and not be involved in the day-to-day running of departments. It is the process owners themselves who know the risks and how to manage them. For example, a head of payments knows exactly what the payment risks are, where their risk lies and how they are managed. That knowledge needs to be used and then passed on to a coordinating team.
It should be the operational risk team’s job to ensure they are monitoring, measuring and reporting on operational risk across the organisation. They can then take data and feed it back into a central framework, rather than telling the business experts what to do. And as a wide range of recent legislation shows, the importance of good risk management will only increase, so having those at the ‘coal face’ defining the risks is good business sense.
Waiting for the fog to clear in 2007
Despite the impending Basel II deadlines, it is clear that many banks are still in a fact-finding mode, trying to nail down where operational risks lie, how they change and evolve, and what impact that might have on future business. In other words, things are not quite as cut and dried as some coverage has made out.
Operational risk management is still in its adolescence and undergoing a constant learning flux. Although there is no single methodology or bible which banks can use to learn how to manage operational risk effectively, a company wishing to implement a solution to support risk management should ensure that it supports the structure and processes within the bank and has the flexibility to be embedded in those processes. It is also imperative that the supplier has extensive domain expertise within the financial services sector to inform the implementation.
In 12 months’ time, many banks will not be much further down the line. Basel II programmes are moving inexorably forward and banks are still collecting vast data sets without being entirely sure whether they will meet regulatory requirements. However, when the deadline arrives the industry won’t suddenly be living in an operational risk management nirvana. It is an ongoing process of defining and then refining processes.
Spreadsheets are still popular with many banks because of the uncertainty surrounding just what data regulators want and where the end game is. In the meantime, banks will continue to use the tools they are comfortable with and that have served them well for years.
There is no magic bullet that will meet the needs of each corporation out of the box. This is reflected in the vendor offerings that come from diverse backgrounds such as document management and capital management, but are all labelled as ‘operational risk’ solutions. It also explains why no single vendor is dominating this space because an operational risk management solution that fits all organisations simply doesn’t exist.
Each company must address operational risk separately based on the legacy of its current business architecture, operations architecture, and the underlying supporting technologies. It will then select the technology most appropriate to its needs. However, before that happens banks need to see a clear business case for investing vast sums in new systems. And right now, that case is, in some instances, lacking.
However, there is a gradual shift occurring. The banks and vendors with experience of operating in this area are starting to incorporate their knowledge and experience of what’s worked and what hasn’t into a ‘second wave’ of offerings. These offer some levels of standardisation, where appropriate, and better reflect where the market is heading.
Operational risk must deliver business value to survive
Operational risk systems cost banks significant amounts of money so they need to see clear benefits, reduced overheads and improved risk controls. The jury is still out on operational risk and whether it will become an established and rigorous discipline.
The operational risk function needs to demonstrate real business value. To do this it has to go beyond data collection, capital allocation for Basel II and scenario modelling to improving the efficiency and effectiveness of controls and processes.
When a commitment to operational risk is embraced at a senior level and implemented effectively, the results can dramatically impact a business. In the case of ABN AMRO, which in 2003 experienced a 45.5% reduction in the value of loss events and more than doubled its economic capital relief bonus, results were achieved via a truly integrated risk solution, involving extensive communication with operational and key managers.
Risk management is not a data collection exercise, and is not a job for a central control team: risk management is everyone’s responsibility. The pivotal role of the central risk group is to coordinate all parts of the risk management programme ensuring that all types of risk are identified and that the controls in place are sufficient to minimise the impact of such risks throughout the business.