Prioritizing Operational Risk
By Jack Milligan
The need to elicit employee buy-in
is critical.
Sometimes the biggest risks are right
under your nose. Banks spend considerable time and resources
controlling their credit and market risks — and
for good reason, because these exposures can result in
huge losses. But operational risk — which includes
everything from slip-and-fall accidents to the spectacular
1995 collapse of Barings Bank because of a rogue trader
— has only recently begun to attract the same level
of management attention.
Largely because of regulatory pressure,
an increasing number of U.S. banks have been restructuring
their enterprise risk management programs to include operational
risk. Proposed new risk-based capital guidelines recently
published by the Basel Committee on Banking Supervision
(generally referred to as "Basel II") also have focused
much attention on the issue.
When those rules eventually take effect
here in three or four years, the largest U.S. banks will
be required to set aside capital specifically in anticipation
of operational losses, just as they do now for market
and credit losses.
"We've always managed operational risk
implicitly," says Mike Hubenstock, the director of enterprise
risk management at McLean, Va.-based Capital One Financial
Corp. It is, after all, why banks have vaults, teller
cages and countless other security measures. "But now
we're trying to make it an explicit program."
One challenge in managing operational
risk is that it seems to have countless iterations, such
as physical damage due to fires or floods, employee fraud
and even bank robberies. Market and credit risks, by contrast,
are more contained and therefore more easily identified.
"With operational risk, even the most anonymous guy in
the back office can sink the ship," says Kevin Bailey,
deputy comptroller for capital and regulatory policy at
the Office of the Comptroller of the Currency in Washington,
D.C.
To manage operational risk in an explicit
fashion, an increasing number of institutions are creating
formalized programs that parallel their credit and market
risk management efforts. Important aspects of these new
initiatives include periodic self-assessments by business
units and governance structures that keep senior management
and the board of directors well informed. Internal audit
programs designed to test internal controls in every business
unit have also assumed a heightened profile.
The grassroots nature of operational
risk is, in fact, its most defining characteristic, which
has forced banks to enlist broad-based employee support
to a degree one doesn't see in the management of credit
and market risk. Employee buy-in is critical — down
to that anonymous guy in the back office — because
the essential truth about operational risk is that everyone
has some control over it.
"At the end of the day, it comes down
to employing good people and having a good culture," says
Andrew Wilson, who heads up the U.S. risk and regulatory
practice at the New York-based consulting firm Accenture.
Looking for Trouble
The Basel II agreement will establish
a new methodology by which the world's largest banks determine
how much risk-based capital they must hold. Although it
will apply to only the 10 or so largest U.S. banks, an
as-yet-undetermined number of banks below that cutoff
point will be given the opportunity to opt in to the new
requirements. Kim Olson, a managing director in the credit
rating group at Fitch Ratings in New York, says that some
institutions might opt in because compliance with Basel
II's weighty demands would be an imprimatur of sophistication.
"Some of that is a perceptional issue,"
she says. "How do they want to be perceived?" Of course,
Basel II is a risk capital allocation scheme that involves
much more than just operational risk, and banks that originate
large amounts of mortgage and credit card loans that are
ultimately securitized would probably have to hold less
capital against those risks under Basel II than with the
current rules.
To support their capital allocations
for operational risk, these institutions will have to
collect data on operational losses, since their individual
allocations will to some large degree be determined by
their individual loss history. Most U.S. banks, however,
will not be required to comply with the Basel II requirements.
"We will not — repeat, not — impose an operational
risk capital charge against banks operating under the
current capital adequacy guidelines," says the OCC's Bailey.
"That is not in the cards."
Basel II defines operational risk as
the risk of monetary loss resulting from inadequate or
failed internal processes, people and systems, or external
events. This definition is limited to direct losses from
events like employee fraud or the destruction of bank
property. Indirect losses — say, for example, a
systems failure that results in a bank crediting the wrong
interest rate to a customer's account — are not
included in the Basel II definition, although financial
services companies like Capital One consider these to
be operational risks as well.
"Originally the definition of operational
risk was everything outside of credit and market risk,"
says Yousef Valine, head of operational risk management
at Charlotte-based Wachovia Corp. And while that's essentially
still the case, some clarity has begun to emerge. For
example, Wachovia has broken down operational risk into
12 functional risk areas and organized its effort around
these so-called FRAs: Loss management, business process,
real estate, compliance, technology, vendors, fiduciary,
legal, human capital, financial, business continuity planning
and implementation management.
In other words, when Wachovia talks
generically about managing "operational risk," these areas
are where it goes looking for trouble. Most other banks
have adopted similar risk categories.
This is more than just a semantic exercise.
Before banks can control a risk factor, they must first
identify it. Even though banks have been dealing with
operational risks forever, they only started managing
them proactively in recent years. One reason for the heightened
interest: as banking evolved through such landmark events
as full interstate banking and the Gramm-Leach-Bliley
deregulation law, its operational risk profile expanded
dramatically as well. "We and most other banks are more
complex than we used to be," says Ken Weinstein, senior
vice president of operational risk management at Bridgeport,
Conn.-based People's Mutual Holdings, the parent company
for $11.7-billion-asset People's Bank.
The federal bank regulatory agencies
have likewise become more attuned to operational risk
issues during the examination process. Bailey says the
OCC's examiners look to see whether an institution has
processes in place to identify and monitor its operational
risks. "How is the bank managing risk from a holistic
perspective?"
At the Federal Reserve Bank of New
York, regulatory expectations "depend on the size of the
organization and the nature of the activity," says vice
president for supervision Arthur Angulo. "Our expectations
for a small community bank would be different than for,
say, the Bank of New York or J.P. Morgan Chase." In addition
to the establishment of a formal operational risk management
function, the New York Fed wants to see the use of self-assessments
by business units, as well as an independent and fully
engaged internal auditing department. "A good internal
audit function can save companies a lot of grief down
the road," Angulo says.
Self-Assessing
Most operational risk management programs
use business unit self-assessments as a diagnostic tool
to identify specific risks, and also to determine whether
all the necessary controls and monitoring processes are
in place. Or as Capital One's Hubenstock puts it, "What
are the bright risks in the organization, and are we doing
something to manage them?"
Capital One, which is one of the largest
credit card issuers in the country and a big user of technology
in the credit decision process, requires its business
units to perform self-assessments at least once a year.
But Hubenstock wants to move to a much shorter timing
cycle where units would do an assessment "upgrade" following
any significant change to their business processes. "We're
trying to get them to occur in real time," he explains.
People's Bank, whose core business
is plain-vanilla branch banking, established a formal
operational risk management program in early 2003. It
then ran a pilot self-assessment that fall, followed by
a bank-wide self-assessment in January of this year. Weinstein
plans to do the latter at least once every two years,
although the frequency may be increased for those business
units with a higher level of operational risk. Weinstein
did not identify those business units that might get a
shorter self-assessment schedule, although People's has
diversified into a number of financial services businesses,
including retail brokerage and equipment leasing.
Another common feature of operational
risk management programs is a management and governance
structure that ultimately feeds ground-level information
all the way up to the board of directors. The involvement
of both executive-level management and the board is important
because that means that all major decisions affecting
the company are being made with some consideration of
operational risk.
Wachovia, for example, has created
an organizational framework that divides its principal
activities — including wealth management, retail
banking, human resources and the like — into ten
"business units." Every unit has a senior executive serving
as the resident "expert" for one of those 12 FRAs mentioned
earlier, and each unit also is supported by an operational
risk manager who reports directly to Valine. Think of
it as a matrix, where Wachovia's 10 business units and
12 FRAs overlap to produce 120 squares, or work areas,
where the day-to-day work of operational risk management
gets done.
An executive-level senior risk committee
chaired by Wachovia chairman and chief executive officer
G. Kennedy "Ken" Thompson, along with the credit and finance
committee of the board of directors, provides oversight.
Valine also makes a formal report to a lower level operational
risk committee, apprising it of his progress in rolling
out his program, and alerting it to any emerging risks
within the organization.
Internal auditing also plays an important
role in the effective management of operational risk.
Simply put, audit's job is to test the internal controls
that each business unit must have in place to manage risk.
The two-year-old Sarbanes-Oxley Act required that all
public companies strengthen their internal controls for
financial reporting. This has probably helped the industry's
preparedness, since most banks consider reporting to be
an operational risk.
A strong internal auditing culture
turns out to be a crucial ally in any operational risk
management program. "I think there's a lot of overlap there,"
says Weinstein at People's Bank. "Internal control and
internal auditing are dependent on the same culture as
operational risk management."
Pam West, the operations risk executive
at Charlotte-based Bank of America Corp., puts it this
way: "Operational risk is a breakdown in controls. Where
you lose money is where you don't have good controls.
Audit helps us find out where we don't have good controls."
Organizational Buy-In
Organizational frameworks, governance,
auditing — these are all necessary elements of operational
risk management. But no institution can build an effective
program without the commitment of its entire organization.
"With operational risk, you could have people from tellers
up to the CEO creating issues with their behavior," Valine
says.
Operational risk management programs
generally are highly decentralized, with much of the action
taking place in the business units themselves. On a day-to-day
basis, line personnel, rather than executives like Hubenstock
and Weinstein, are the real risk managers. "All the risks
are owned by business managers, so they're responsible
for managing them," Hubenstock says.
Capital One's Hubenstock, unlike his
counterparts in credit and market risk management, doesn't
have subject-level experts on his staff. The very ubiquitousness
of operational risk makes that a practical impossibility.
"I don't have anyone who is an expert in fraud, human
resource management, business continuity or any other
example of operational risk," he says.
Because employee commitment is so important,
Wachovia's Valine has placed considerable emphasis on
education. He has developed an operational risk management training
program for new employees, and created certification programs
for certain "risk buckets" like business continuity planning
and vendor management. The goal, of course, is to make
everyone think like a risk manager. "Every employee in
the company influences our operational risk profile,"
he says. "This is probably the most important aspect of
operational risk."
The importance of education can be
seen in a recent survey by Risk Waters Group and SAS,
a Germany-based provider of business intelligence software.
The poll of more than 250 financial institutions and regulators
identified poor overall awareness by staff as the second
most pressing problem facing financial institutions dealing
with operational risk management issues. The first was
managing data quality, specifically the difficulty of
collating sufficient volumes of historical data and ensuring
reliable data.
With operational risk managed at the
grassroots level, the role of the operational risk manager
might be best defined as supervisory, educational and
consultative. Unlike their peers in credit risk management,
who may have the power to block a loan until necessary
changes are made if it doesn't conform to the institution's
guidelines, most operational risk managers do not exercise
direct authority. For example, Weinstein serves on a number
of bank committees, and is currently working on a project
to collect and aggregate operational risk loss data.
Weinstein can also be directed by the
People's Bank board of directors to look into a specific
operational risk issue within the company and report back.
But he doesn't come into work every day, roll up his sleeves
and start managing operational risk throughout the organization.
Indeed, his department has just two people — himself
and another staff member who focuses primarily on the
self-assessment process. This is fewer than his budget
calls for, but Weinstein says he's building his program
carefully.
At Capital One, Hubenstock says his
job boils down to this: develop tools and methodologies
for business units to manage their own operational risk;
collect data on operational risk losses in case the bank ultimately
chooses to opt in to the Basel II capital requirements;
and report the institution's operational risk profile
up to senior management. At a higher level, Hubenstock
says his group is "responsible for building a level of
awareness and transparency around operational risk."
And that may be the single most important
aspect of any operational risk manager's job — getting
people to focus differently on a potential problem that
has been under their nose for years. "The biggest challenge
is getting people in the business units to take this stuff
seriously," Hubenstock says.
Mr. Milligan is a freelance writer based in Charlottesville,
Va.
Copyright © 2004 by Banking
Strategies, published by BAI.