Why has operational risk returned to the limelight?


R&D

Nigel Drury, head of operational risk for Global Banking and Markets at RBS, discusses why operational risk management is more important now than ever before.

Nigel Drury is head of operational risk for global banking and markets at RBS, having recently moved from ABN AMRO. In his previous role, Nigel was responsible for operational risk for global markets, private clients and the European businesses from 2007. Nigel joined ABN AMRO in 1999 and, until moving to operational risk, was a senior vice president responsible for global credit risk reporting and control across the banking and trading products businesses. Before joining ABN AMRO in 1999, Nigel worked at J.P. Morgan in London, Hong Kong and then Tokyo with responsibility for trading credit risk management. He has a BSc from Monash University, Melbourne, Australia.

the markit magazine – Winter 2009

In recent times, the financial services industry has witnessed a heightened operational risk profile due to enormous changes within many organisations. This is further intensified by volatile markets, such that when small errors occur, the consequences can be major. While banks may structure themselves differently, they are all threatened by the same variants of operational risk, which range from internal and external fraud to dealer errors, operations failures, staff errors or omissions and legal compensation claims.

The Basel Committee defines operational risk as: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. Operational risk is a term that has a variety of interpretations, often because banks adopt varying approaches to the management of operational risk while ensuring that the minimum elements in the Basel Committee’s definition above are catered for. Banks across the industry adopt different processes and approaches in defining the operational risk framework, and they often arrange their operational risk function in very different ways. However, best practice tends to lean toward a three lines of defence model, where the business lines, risk management and the internal audit function all have distinct roles to play.

The three lines of defence model

The business lines and support functions – The first line of defence is the business lines themselves, which include the support functions. Fundamental to the model is the responsibility of the business for owning and managing the operational risk in the areas it is responsible for. This can range from front office trading and sales to operations, finance, technology and human resources. Even the risk management functions have first line responsibilities, to ensure they are managing the operational risk inherent in the processes they manage, such as calculating and reporting market or credit risk numbers. All organisations need to execute their own activities to ensure that their processes and controls are adequately designed and operating effectively. Having detailed the business processes they are responsible for, and having identified the risks and the activities which control those risks, regular testing is required to ensure those controls are operating as designed and performing effectively.

Risk management – The second line of defence in the model is operational risk management. The size and scale of the operational risk function tends to differ across organisations, depending on how embedded the risk control programme is in the business lines and the exact tasks the risk organisation is mandated to undertake. Generally, the risk management function is responsible for ensuring that the risk framework is fit for purpose, implemented and adopted by the first line of defence. It is generally responsible for risk reporting and, to a varying degree, operational risk incident investigations and risk assessments may be undertaken by the risk function. The risk assessments may be specific to a business area assessment, or be thematic and broader reviews of the risk landscape.

Internal audit – The third line of defence in the model is the internal audit function, whose responsibility it is to provide independent assurance over the bank’s internal control framework, including its design, adequacy and operational effectiveness.

There are often discussions around the differences between the first, second and third lines of defence, and this can be explained as follows. The risk function designs and deploys the operational risk framework, and the businesses operate the framework with appropriate challenge from the risk function. The internal audit function provides an independent view on the framework’s design adequacy and operational effectiveness, and is therefore often reviewing the first and second line activities when doing so.

Adequacy and effectiveness

The three lines of defence model allows a bank to monitor whether its internal risk controls are adequately designed and operating effectively to mitigate risk. It may highlight that a control is working as intended but is nonetheless totally inadequate; in this instance, the flaw is that the control is poorly designed. It may raise questions: is this control appropriate? Does it actually decrease the risk? Processes are operated to run a bank, and in doing so things can go wrong, so the risk assessment piece is about considering what one does on a day to day basis, what can go wrong and therefore how things can be prevented from going wrong. These are the controls that need to be established. The controls need to be tested periodically to ensure they are working properly, and key risk indicators need to be developed to hang off these controls as a detection mechanism for where adequacy or effectiveness may be diminished.

If something does go wrong, an operational event occurs. This may be a small internal failing or a larger external incident. Learning from these failings is an important part of operational risk management, to ensure repeat events do not occur and resulting losses can be eliminated. Where losses do occur, they need to be captured in a uniform way and at a pre-described threshold.

Loss data capture

A good loss capture process is required to ensure losses are identified, assessed, managed and reported as a part of sound organisational governance. In capturing the losses, a clear picture can emerge as to where things are going wrong, what needs to be fixed to prevent a reoccurrence and where investment should be directed. Captured losses also provide a key piece of information in determining what level of capital a bank needs to set aside for operational risk losses to protect the organisation and shareholders.

Rapidly responding to events is a key requirement for large organisations, to ensure that any systemic risk is contained as quickly as possible. An issue in one business in one country may easily be applicable in another business or another country. When organisations operate in a large number of countries, quickly assessing whether the same event can occur elsewhere and strengthening the controls where weaknesses are detected is clearly good practice. In this respect, the dynamic nature of issuing such an alert means that further loss across the company is more likely to be eliminated.

Rogue trader loss

Rogue trader loss has focused the minds of market participants on front office processes and internal controls. It ensures that customer sales and trading activities, i.e. people in customer facing and revenue generating roles, are well controlled, that these controls are tested and evidenced appropriately, and that failings in the tests are resolved. Periodically there has been an event in the market that has made the industry take more notice than normal. Organisations will then test their controls and ensure that the front office controls are working as designed and that the design is still adequate. An obvious example is the £3.6 billion banking fraud less than two years ago that really focussed the industry’s minds. Given the subsequent turmoil in financial institutions, this has seemingly disappeared off the radar reasonably quickly, particularly when compared with the Barings losses of fourteen years ago. However, the reality is that there continues to be significant focus on the front office to ensure controls are working.

Overall, it is about considering the risks that exist in operating the processes within an international financial services organisation. By considering a full range of processes and understanding the risks both at a granular business process level and at an aggregate level across the front to back processes, within individual functions or even within whole countries, appropriate resource can be applied to manage and mitigate risk. There are many ways in which a bank can lose money and a growing range of factors that need to be taken into consideration. Events that have increased the focus on operational risk in the recent past include higher market volatility and high volumes following the Lehman collapse, a stressed banking environment, significant internal and external change, consolidation in the industry, and regulatory change and increased scrutiny. If a bank fails to manage such change effectively, operational risk events and operational risk losses would be expected to increase significantly in the future. Furthermore, the risk of further losses may persist if the internal controls are no longer fit for purpose due to a change in operating circumstances.

Assessing business processes

Risk is in the operation of business as usual (BAU) processes but it is also introduced to the organisation through change

To manage both the ongoing risks in the organisation and those risks arising from a changing organisational landscape, management of operational risk is fundamentally about assessing the bank’s business processes. It is about both the front and back office taking greater accountability for the businesses they own: identifying, managing and mitigating the risk that exists, and looking for those emerging risks which are on the horizon.

At the source of operational risk are the routine processes that a bank undertakes on a daily basis. These must be watched as they evolve over time. Risk in the BAU environment exists in every jobholder’s activities, as they are employed to operate a range of business processes. Clearly, failings in different areas will have a varying impact on the organisation. Risk in the BAU environment can include the risk of dealer error, which should be mitigated by middle office trade entry reviews, and dealer pricing utilising a range of price feeds and models which contain various data sets that need to be maintained. Additionally, the financial accounting practices across complex organisations, businesses and geographies contain an extensive range of daily, weekly and monthly processes which need to be operated and which are dependent on upstream actions.

When introducing new products, processes or systems, the change to business processes needs to be understood so the risks can be identified and existing controls adopted or new controls developed and deployed. The change can impact the business process sufficiently to cause the previously established controls to become ineffective. All of this emphasises the need for active management of operational risk. Organisations need to be forward looking to ensure new risks are identified, while continuing to ensure existing processes are adequate in design and operating effectively.

Business continuity and scenario analysis

Whether it be at process level or in a broader organisational context, it is important to have strong business continuity, including disaster recovery plans, in place for instances when wholesale events mean people can’t physically get into buildings or the building cannot function. This may be due to significant physical failure such as fire, flooding in buildings or extreme weather conditions. It may also include massive failures in internal infrastructure or disruption of services such as power. Having pre-emptive plans in place to deal with each of these components is essential in ensuring organisations will continue to operate in such circumstances. As a consequence, scenarios are a good forward looking mechanism to consider such high impact, low probability events. Banks are encouraged to run scenarios that can range from considering rogue trader loss or extreme weather conditions to an outbreak of an epidemic such as swine flu. Whatever the event, a key part of managing business continuity is having the ability to communicate effectively to employees about what action they need to take, as defined in a pre-determined business continuity plan. Such a plan should clearly dictate what needs to be done and by whom.


How does the information given so far compare across firms of different sizes and with different structures? The fundamental principles are the same. For example, how would a hedge fund with thirty employees trade its book if it lost access to its dealing systems? How much time could it afford to be out of the market, particularly if the failing is due to external factors and is disruptive to the general market? To manage such circumstances, entities should also be challenging their brokers or suppliers to understand how they plan to handle that situation, and find out in advance what components make up their business continuity plan should this happen.

How does this all come together?

So far we have talked about business risks and controls. But how does this pull together into one meaningful story to define how operational risk is managed? To reconcile this, it is best to look at a simple interlinked framework.

Framework components

To understand what risk an organisation is running, the following questions need to be asked.

• Processes: What are the most significant processes which operate in the bank?
• Risks: What are the most significant risks that exist in operating these processes?
• Controls: What are the controls that need to be in place to ensure the risks in the processes are mitigated?
• Test: How do we test the controls frequently and evidence the results to demonstrate they are both adequately designed and work effectively?

Even though risks are assessed, it is expected that things will go wrong, and therefore a strong event management framework and loss capture methodology is critical to mitigate risk after an incident occurs. It is equally important to establish key risk indicators to detect when control tolerances are likely to be breached, so that mitigation can be strengthened in advance of actual problems arising.

The framework above may look simple, but when you consider the number of product lines, processes, office locations and countries in which a multinational global bank operates, it is not simple to see how the information across investment banking, retail, asset management and insurance, for example, can be aggregated at the top level. The risk manager has the difficult job of communicating to the management team in a single report, which should allow them to make the right decisions about where they should invest to mitigate risk and how much capital they need to set aside. A risk assessment framework with triggers applied and loss and event management methodologies in place will provide some understanding of the risk of continuing to operate a business. However, the fundamental part of effective risk management is to factor these outputs into decision making. When the risk profile is understood and the capital requirements are known, the management team then has three choices: expand, opt out, or invest in controls to improve the business profile and mitigate the risk.

To conclude

When profitability becomes severely restricted and banks are rebuilding balance sheets, there is far less appetite for operational risk losses or tolerance for operational failings and the reputational impacts they may cause. Individuals in firms also feel a significantly heightened personal accountability as they endeavour to do their jobs better. This may be due to concerns about retaining jobs in times of rising unemployment, or simply the desire to do a good job in the face of management and public scrutiny and a lack of tolerance across the industry for making mistakes. It is critical that management teams are properly informed about the operational risk profile in their businesses so they can make informed decisions about where to invest in risk mitigation techniques and improved controls. Banks are also under greater scrutiny from the regulators to have adequate capital, and there is therefore the need to know that enough capital is set aside to cover events. As organisations understand the risks they run and have better insight into the losses to their bottom line caused by failures in systems and processes, operational risk as an activity has gained added importance in the financial services industry. As a consequence, the topic continues to be higher on the senior management agenda.