Changing times mean a tougher job for op risk managers
Wave of organisational change at major banks heightens operational risk exposure
Need to know
- Many large banks are changing their businesses due to upheaval caused by the financial crisis, regulation and technological disruption. Brexit is likely to add to this.
- Op risk functions are often involved in new product launches, but the level of involvement in other decisions, such as mergers, divestments, headcount reductions and regulatory changes, can vary significantly.
- "The biggest challenge for operational risk is making sure we are engaging with the big areas of change and the business understands the complexities at hand," says HSBC's John Shipman.
- Given the industry tumult, regulators have expressed concern about whether organisational changes are being handled correctly from an op risk perspective.
- Op risk functions also need to ensure they are able to make a positive contribution by having the right skills, tenacity and strategic vision.
Even before the results of the UK's referendum on its membership of the European Union became apparent in the early hours of June 24, the global financial services industry had been going through a period of momentous change.
The financial crisis and ensuing regulatory response have caused many of the world's largest banks to embark on organisational change programmes. Faced with declining revenues, they have sought to focus on core areas, including retail banking and corporate lending, while winding down non-core activities such as riskier trading businesses.
While some of the pain is behind the industry, more is yet to come. In Europe, for instance, banks are bracing themselves for Mifid II, a package of financial markets legislation, which is set to be implemented by January 2018. In the UK, the country's largest banks face rules aimed at ring-fencing their retail businesses from their investment banking arms by January 2019.
All the while, traditional financial institutions continue to face a wave of disruption from high-tech insurgents, such as peer-to-peer lenders, digital payments firms and providers of automated investment advice.
The upheaval is only likely to be exacerbated by Brexit. If the UK does withdraw from the EU, a lack of access to the single market might impair the ability of banks, asset managers and clearing houses to serve European clients. Companies such as HSBC and JP Morgan have warned it could cause them to relocate a significant chunk of their operations and workforce outside of the country.
As far as operational risk is concerned, these kinds of changes are generally considered to be bad news.
"Change significantly heightens [operational risk exposure]," says Enda Collins, operational risk portfolio manager at GE Capital in Dublin. "If management are just going straight into the change project and not involving risk in their due diligence processes, then the chances are something bad will come up in the future."
Amid industry tumult, op risk practitioners say organisational change can distract the attention of senior management, and consume time and effort that are needed elsewhere. Cost-cutting exercises, such as hiring freezes or layoffs, may weaken risk controls and lead to problems caused by disgruntled or dismissed staff. Changes to business processes – including automation, offshoring and outsourcing – can introduce additional vendor and country risks.
Even if the change is a positive one, such as the acquisition of a new business, there can often be unwanted implications for operational risk.
In a 2013 hearing before a UK parliamentary committee, HSBC chief executive Stuart Gulliver blamed the bank's 2002 takeover of Mexican bank Grupo Financiero Bital for a subsequent $1.9 billion fine for lax anti-money laundering controls. The Mexican bank "had inadequate anti-money laundering systems", said Gulliver. "We, ourselves, were too slow to put in place anti-money laundering systems that would be up to the standards we would all expect."
In 2014, Bank of America was forced to pay $16.65 billion to US authorities for misdeeds related to mortgage lending and mortgage-backed securities around the time of the financial crisis. Much of the misconduct that featured as evidence in the case took place not at Bank of America, but at its Countrywide Financial and Merrill Lynch subsidiaries, which the bank acquired in 2008.
Such examples highlight the importance of op risk functions being fully involved in organisational changes.
"Change can be complex," notes John Shipman, London-based global head of operational risk at HSBC Global Banking and Markets. "The biggest challenge for operational risk is making sure we are engaging with the big areas of change and the business understands the complexities at hand."
It is an area that supervisors are watching closely. Speaking in an interview with Risk.net in June last year, Beth Dugan, head of operational risk at the US Office of the Comptroller of the Currency (OCC), said she saw dealing with change as an important priority for op risk managers. The OCC was looking "very closely at the broad concept of change management", she said, and what that meant for operations, people, processes and systems.
"If an institution is making a significant, critical change in a system or an application, we would look at those processes," she said. "It could mean the institution getting into a new product, or adding a new service… What is needed around those things is to ensure that as they introduce it, they don't jeopardise the institution. It could also be a merger and an acquisition; that's a big change."
Left leg in, right leg out
Typically, practitioners say the operational risk function tends to be more involved in some forms of organisational change than others. When a bank launches a new product, for example, project teams would usually have to detail potential risks and countermeasures that should be taken before any approval is granted. That submission would usually be reviewed by the op risk function, say practitioners.
But op risk's level of involvement in other decisions, such as mergers, divestments, reductions in headcount and regulatory changes, can vary significantly.
"My experience has been that the right level of operational risk expertise hasn't actually always been in the room to discuss strategic matters," admits one operational risk manager at a major bank.
Although chief risk officers are more commonly present during such discussions, they might not always be in a position to provide input on operational risk issues.
"I would say chief risk officers mainly think about acquisitions from a market and/or credit risk perspective, because that is usually what background they come from," says the operational risk manager. "But to actually get to the nitty gritty – to identify if the acquisition has more lax procedures around process and execution, on-boarding, know-your-customer requirements, and the full spectrum of operational risks at play – those sorts of things don't always get thought about at that level."
Practitioners say it is in the interest of the wider business for operational risk professionals to be engaged early on in any organisational changes. That will allow them to highlight and address any risks deemed unacceptable well ahead of the alterations taking place.
"There may be some risks the business wants to take," says GE Capital's Collins. "So it's important to be able to say, 'OK, if this is the risk inherent in this project and the level of residual risk that will remain, is everybody aware of it? Is it within our risk appetite? And what can we monitor to make sure we're not breaching that?'"
In this situation, the task for op risk managers is to carefully review the organisation's current risk profile and how this may change as the proposed transition moves forward. This includes the risks associated with any intermediate stages. Likely risks must be weighed against the firm's overall risk appetite, allowing risk managers to focus on mitigating those deemed to be unacceptable.
"I'm in the middle of a huge IT project right now," says Diemer Salome, head of non-financial risk management at Rabobank in the Netherlands. "As part of that we need to consider, if the system doesn't work on day one, do we have a back-up system ready? How long can we work without a system? The art is not to make a list of everything that can go wrong – just pick out those things that will really cause significant damage to the organisation. Identify your real critical issues and how prepared the organisation is to deal with that."
The op risk function also needs to review any changes to the firm's wider control environment and ensure robust risk controls are maintained at all times. And, because the firm's actual risk profile may vary as change unfolds, op risk managers need to continuously monitor it and quickly react to any unexpected consequences.
Operational risk and regulation
One area where op risk managers should take a greater role is in responding to new regulation, say practitioners. In the present climate, most banks have dedicated regulatory change teams that keep tabs on new rules and their likely impact, says HSBC's Shipman. It makes sense for op risk managers to have a regular dialogue with these teams to make sure incoming regulations are properly adhered to, that proper controls are in place and regulatory expectations are maintained.
"Many of these regulations have a global impact," says Shipman. "It's tricky, because you're introducing new processes, new teams, and new roles and responsibilities."
He takes the example of the Volcker rule – part of the US Dodd-Frank Act that bans proprietary trading by banks: "There is a lot of discussion when you introduce something like Volcker, not only about what needs to be done practically, but also who owns it."
In this case, Shipman says the op risk function should help the firm to develop a fuller understanding of all the implications of the Volcker rule and find a way of embedding it across each of the different areas of the bank.
Restructurings and job losses are another timely example of an area where op risk managers can get more involved. Usually, it is human resources or legal departments that bear responsibility for making redundancies. But Rabobank's Salome says op risk functions should be constantly tracking and discussing the changes with management teams to ensure any risks are handled properly. That may include, for instance, the possibility of confidential data being stolen or access controls being breached.
"One of the potential effects of banks slimming down is that disgruntled employees take proprietary data with them, so the question needs to be asked: have we sufficiently protected ourselves against this?" says Salome. "You're only useful if you sit at the table where decisions are made. That degree of involvement is much more powerful than being given an account of things that went wrong and carrying out lessons learned afterwards."
At some banks, op risk managers are already involved in these discussions to some degree. Amid a proposed reorganisation, one op risk manager says their colleagues were asked to look at the potential impact of certain staff being removed from the organisational structure, where those responsibilities might fall and whether the workload would be too much for the remaining employees. The op risk function also analysed the risk and control environment and how it might be affected, the risk manager adds.
Mergers and acquisitions have the potential to reshape an organisation's op risk exposure, so practitioners say it's crucial for op risk functions to take part in the process, ideally from the outset of any proposed deal. Op risk managers should be involved in due diligence during the initial stages of a proposed takeover – something that will allow them to review and benchmark the target firm's risk management framework, both in terms of its design and effectiveness.
In practice, this is no simple task. The scale of the transformation required as part of an acquisition process is vast, says Maksim Kondratenko, head of the risk department at Moscow-based VTB Group. He was part of the team that completed the integration of Bank of Moscow in May, after VTB first acquired a majority stake in the lender in 2011.
From a risk management point of view, the starting point was risk appetite, he says. "In terms of risk management, whether operational risk or credit risk, our first discussions looked at the differences in risk appetite across the different businesses."
One thing Kondratenko took away from the experience was that if op risk managers were to make a tangible difference, they needed to have gravitas and the ability to make practical recommendations – for instance, about whether the firm's policies needed to be modified to suit another jurisdiction, or whether employees should be retrained or replaced.
"They definitely need to be in the driving seat and represent their projects by making recommendations that can be useful," he says.
'Change agents'
This highlights an important point. Practitioners say that mitigating the risk of organisational changes doesn't only mean making sure op risk functions have a role, but also that they bring the skills, tenacity and strategic vision needed to make a positive difference.
As a bare minimum, HSBC's Shipman says op risk managers must have credible business expertise; otherwise, they stand little chance of getting a seat at the table when organisation-wide decisions are being made.
But there is increasing recognition that they need to go further than this. VTB's Kondratenko says op risk functions should have a broader strategic outlook and the ability to collaborate with experts from other areas of the firm.
Sam Lee, London-based head of operational risk for Europe, the Middle East and Africa at Sumitomo Mitsui Banking Corporation (SMBC), agrees.
"It's no good having operational risk involved if they don't pull their weight," Lee says. Today's op risk practitioner needs to be able to educate, challenge where necessary, and offer the business greater strategic insight than that provided by traditional op risk tools, he adds.
"They've now got to be able to join the dots to find out what all of that information says about the operational risk profile. They need to understand all of those processes, identify the outputs, analyse them, conclude, and then sell them together with the proposition of why the business needs to care about the operational risk framework," he says.
In practice, GE Capital's Collins says op risk managers should have the business acumen to make recommendations or requirements that allow identified risks to be managed properly.
He recalls an example involving the launch of a new product when, although he was brought into the project at a late stage, he insisted additional resources were provided to the operations team to handle the extra sales volumes anticipated.
"When the product was launched, operations were resourced to manage the business-as-usual risk, as opposed to a costly problem developing over time," he explains. "If the op risk manager is of sufficient standing and has a reputation in the business of supporting the organisations' objectives, then that should actually happen quite regularly."
This kind of assertive engagement from op risk managers might not always be welcomed by businesspeople seeking to make rapid changes, but it could help to avoid embarrassing and costly failures later on.
Organisational change checklist
When looking at organisational changes, operational risk teams should:
- Analyse any risks associated with the status quo and the proposed change, including any transition or intermediate states and the proposed end state.
- Assess the impact of the changes on the organisation's control environment.
- Ensure appropriate controls continue to be embedded in the business, both as it changes and once it is reorganised.
- Prioritise unacceptable risks in line with the organisation's risk appetite. Come up with ways to mitigate unacceptable and residual risks.
- Monitor the organisation's risk profile to make sure it remains consistent with risk appetite as changes are taking effect.
Copyright Infopro Digital Limited. All rights reserved.