Operational risk managers told to do less to succeed

Operational risk teams should be wary of intervening too quickly when things go wrong, said Christian Hunt, global head of compliance and operational risk control at UBS Asset Management, speaking at the OpRisk Europe conference in London today (June 15).

Op risk managers should act as "fire marshals, not firefighters", Hunt said.

If the second line of defence got involved too often, it would interfere with its duty to challenge and report, and may build a habit of dependence among business managers, who should take responsibility for risk decisions themselves, he said.

"Too often the second line of defence spots something wrong and jumps right in," Hunt said. "That takes away some of the responsibility [from the business], and you can lose some of that challenge function. It is not your role to put out the fires – your job is to step back and think about what is happening. The way to do that is to make sure that you report separately on the incident and the response as a risk function."

He used the example of marketing material. Regulators put emphasis on the proper control of marketing to avoid the risk of mis-selling and unfair treatment of customers, Hunt said. But at some institutions, the response was for the second line to effectively take control of marketing, he said: "The risk here is that you get the message that, for example, marketing is too complicated for the business to understand – so they shouldn't worry about it."

However, he acknowledged that this approach could cause problems of its own: "It is difficult to demonstrate that you are providing value when you are not involved, because people will wonder what you are doing just standing there. So you have to come back with a story about what you are doing. And you need to have a risk appetite story – you are not there to stop all loss events or compliance breaches."

Other delegates pointed out further disadvantages. For example, taking a less active role may make second-line functions less attractive to potential employees, who might prefer the more ‘hands-on' approach of working in the business.

But Hunt also argued for op risk managers to take a greater role in strategic decision-making: "Strategic risk is a form of operational risk. If you get your strategy wrong, you are likely to crystallise operational risk. It is not good enough for the business to come up with a strategy in a vacuum and then come to operational risk to clear up the mess later. [Operational risk] needs to have a seat at the table."

Agents of change

Hunt's emphasis on the importance of op risk to strategic decision-making echoes similar comments by Gwendolyn Collins, an officer at the US Federal Reserve Board, who said op risk managers should be "change agents" during a speech at OpRisk North America in March.

Another key function of operational risk was education, UBS's Hunt said. As regulators shifted increasingly towards a principles-based approach from a rules-based one, financial companies needed to become more comfortable with risk-based approaches to compliance. And that was an area where the second line could help.

"The ability of compliance departments to determine what is OK is getting challenged," he said. "You need a risk-based approach to compliance, which is quite confusing for compliance people who like to give certainty. Business needs to act as a partner and set its own appetite."

One example of this was corporate entertainment. UK regulators had warned against "excessive" spending, he noted, but had not given a fixed cash limit. That left firms uncertain as to where the boundaries lie: sandwich lunches were probably acceptable, but Super Bowl boxes were not. The middle ground left room for companies to decide "how racy they want to be and how much risk they want to accept".