Operational risk management is taking hold
The third annual Operational Risk survey indicates the management of operational risk is coming into its own, say Angela Isaac, director, and Douglas Stalker, consultant, at Protiviti, Inc
Financial institutions globally are evolving a more common view of the purpose, function and value contribution of operational risk management (ORM), as evidenced by the third annual global op risk survey conducted by Operational Risk magazine and Protiviti. Since this survey’s initiation in 2003, ORM programmes have continued to mature, with focus on the identification, measurement and communication of operational risk exposures becoming the widely held standards.
The new Basel Accord and related domestic regulations continue to be the most significant stimulus for the development of operational risk programmes globally, with 90% of respondents citing Basel II as a significant factor, and more than half the respondents naming it as the primary factor affecting the development of their programmes. Even in the US, where only the largest banking organisations are required to comply with the Accord, 85% of banks with less than $10 billion in assets identified the Accord as the most influential factor. This also suggests operational risk management will become pervasive across institutions of all sizes.
In light of the recent delay by US regulators in announcing proposed rules, some may be concerned that support for ORM programmes may weaken. However, performance-based motivations have gained in significance since the first survey in 2003. More than 60% of the respondents to this year’s survey identified internal best practices benchmarking exercises, concern over levels of operating losses, and industry initiatives addressing operational risk as critical factors in the formation and growth of their ORM programmes.
While regulation might have been the impetus behind creating initial demand and awareness, value creation and improved results appear to be the drivers of the next wave of evolution and adoption. A majority of respondents cite improved business and performance management and reductions in operating losses as key programme benefits (see figure 1). Interestingly, more than one in four respondents acknowledged "optimised allocation of economic capital" and "reduction of regulatory capital" as having little or no impact on the success of their ORM programmes.
A converging view of the ORM framework
In 2005, more than 92% of respondents have a formal ORM programme in place, up from 81% in 2003. Nearly 60% of ORM programmes have a distributed ORM framework, led by a chief operational risk officer or central governance structure supplemented by dedicated (35% of respondents) or part-time (24%) risk professionals at the business unit level. And the scope of ORM is branching out. While early ORM initiatives were often handled by audit and/or compliance departments, we now see indications that ORM departments at larger financial firms (more than $100 billion in assets) are picking up selected compliance responsibilities, such as Sarbanes-Oxley compliance.
A common set of responsibilities has also emerged, with 70% of respondents identifying three primary functions within the ORM programme:
• Creation and management of operational risk policies and procedures.
• Administration of operational loss database.
• Administration of the risk control self-assessment programme.
Functional responsibilities such as oversight of business continuity (41%), internal fraud (31%) and information security (22%) were also identified within the mandate of some ORM programmes, but did not represent a systematic trend among respondents (see figure 2).
The average size of dedicated ORM teams is also expanding. Nearly 30% of respondents report team sizes of 11 or more members versus 18% last year, with expectations for continued hiring by more than half of all respondents in the next 12 months. The most common backgrounds of ORM team members include audit and general banking, cited by more than 50% of respondents, with other source groups being operations (37%) and finance/controllers (27%).
As in past surveys, a majority of respondents believe these expanding programmes can be funded with less than $1 million expenditure. However, more than 60% of the respondents projected that costs related to ORM will rise over the next 12 months, with less than 7% anticipating any decrease in funding. Top categories for future expenditure are support for increased reporting (60%), increased staff (52%) and training expenditures (50%).
Further opportunity
The impact of ORM programmes is being realised in many ways. More than 90% noted that ORM information is widely used to support risk assessment, while more than half of all respondents used such information in the approval of new products and initiatives. ORM programmes are promoting the development of an ORM culture through increased reporting to senior management (75%), the board of directors (69%) and business units (55%) - all at levels higher than in past surveys. And the use of ORM tools is steadily increasing over prior years, as more than 70% of respondents identified current or planned implementation of self-assessment tools, internal loss databases, external operational loss databases, statistical modelling for economic capital measurement and internal reporting tools. Key risk indicators were most commonly identified as part of future tool development.
Despite these trends, it is disconcerting to see that organisations are not yet linking the value of ORM programmes more closely to critical performance indicators. Less than 20% cited the use of ORM information in annual budgeting or product profitability, indicating that the information has yet to make its way into the risk/reward analysis of many financial firms. Likewise, such programmes as linking compensation to ORM performance, and the use of the code of conduct to recognise employee responsibility for ORM exposures were identified by less than 20% of the respondents as critical to promoting cultural awareness. Not surprisingly, the key obstacle to successful implementation of ORM most commonly cited was a lack of overall awareness and knowledge of operational risk issues among general staff. For the first time, this obstacle outweighed concerns raised in past surveys for measurement and data issues.
ORM and Basel II implementation
The recent delay by US regulators in issuing proposed Basel II rules has many speculating as to the eventual timing of implementation. With parallel testing quickly approaching for many jurisdictions, it is interesting to note that 27% of respondents are only in the initial stages of implementation, while 19% have not started implementation. Only 19% stated that Basel implementation was at or near completion. Fewer respondents appear to be using the advanced measurement approach to calculate economic capital (40% versus 44% in 2004), while a greater number of respondents are selecting the standardised approaches (45% versus 33% in 2004). And more than half of those respondents adopting Basel have not started implementing the disclosure requirements specified under Pillar 3.
In conclusion
Based on these most recent survey results, ORM is clearly taking hold as a standard risk practice of financial firms. Additional progress is needed, however, in linking ORM performance to the performance of the firm, before the full value of these programmes can be fully realised.
Protiviti co-sponsored the third global operational risk study with Operational Risk magazine to survey risk professionals and interested parties worldwide. Respondents represent financial services organisations of all sizes and regions globally, predominantly from individuals based in the European Union, North America and Asia.
For survey results, please send an e-mail to angela.isaac@protiviti.com.
Protiviti (www.Protiviti.com) is a leading provider of independent business and technology risk consulting and internal audit services. Protiviti helps clients identify, assess and manage operational and technology-related risks encountered in their industries, and assists in the implementation of the processes and controls to enable their continued monitoring. The firm also offers a full spectrum of internal audit services focused on bringing the deep skills and technological expertise to enable business risk management and the continual transformation of internal audit functions.
Protiviti, which has more than 40 offices in North America, Europe, Asia and Australia, is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
Contact
Angela Isaac, director and practice leader, Basel II services
Protiviti, Inc
Tel: 1 312 476 6489
Email: angela.isaac@protiviti.com
Copyright Infopro Digital Limited. All rights reserved.