Nigel Drury, Global Banking and Markets, head of operational risk at RBS discusses why operational risk management is more important now than ever before
Why has operational risk returned to the limelight? I
Nigel Drury is head of operational risk for global banking and markets at RBS having recently moved from ABN AMRO. In his previous role, Nigel was responsible for operational risk for global markets, private clients and the European businesses from 2007. Nigel joined ABN AMRO in 1999 and until moving to operational risk was a senior vice president responsible for global credit risk reporting and control across the banking and trading products businesses. Before joining ABN AMRO in 1999, Nigel worked at J.P. Morgan in London, Hong Kong and then Tokyo with responsibility for trading credit risk management. He has a BSc from Monash University, Melbourne, Australia.
the markit magazine – Winter 2009
n recent times, the financial services industry has witnessed a heightened operational risk profile due to enormous changes within many organisations. This is further intensified by volatile markets, such that when small errors occur, the consequences can be major. While banks may structure themselves differently, they are all threatened by the same variants of operational risk which range from internal and external fraud to dealer errors, operations failures, staff errors or omissions and legal compensation claims. The Basel Committee defines operational risk as: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. Operational risk is a term that has a variety of interpretations often due to the way banks adopt varying approaches to the management of operational risk while ensuring that the minimum elements in the Basel Committee’s definition above are catered for. Banks across the industry adopt different processes and approaches in the definition of the operational risk framework and they often arrange their operational risk function in very different
ways. However the best practices tend to lean toward a three lines of defence model where the business lines, risk management and the internal audit function all have distinct roles to play.
The three lines of defence model The business lines and support functions – The first line of defence are the business lines themselves which includes the support functions. Fundamental to the model is the responsibility of the business in owning and managing their operational risk for the areas they are responsible for. This can range from front office trading and sales to operations, finance, technology and human resources. Even the risk management functions have first line responsibilities to ensure they are managing the operational risk which is inherent in the processes they manage, such as calculating and reporting market or credit risk numbers. All organisations need to execute their own activities to ensure that their processes and controls are adequately designed and operating effectively. Having detailed the business processes they are responsible for and having identified the risks and the activities which control those risks, regular testing is required to ensure they are operating as designed and are performing effectively. Risk management – The second line of defence in the model is operational risk management. The size and scale of the operational risk function tends to differ across various organisations depending on how embedded the risk control program is in the business lines and the exact tasks the risk organisation are mandated to undertake. Generally, the risk management function is responsible for ensuring that the risk framework is fit for purpose, implemented and adopted by the first line of defence. They are generally responsible for risk reporting and, to a varying degree, operational risk incident investigations and risk assessments may be undertaken by the risk functio