Man Group's Howitt mixes op risk experience with back-to-basics approach

Jonathan Howitt relishes a challenge. As one of the few operational risk managers who can profess to have been involved in the origin of his discipline, during his career Howitt has built two operational risk management departments up from scratch – at Dresdner Kleinwort and Man Group.

At Dresdner, Howitt was responsible for operational risk management in the investment bank division. Between 1999 and 2004, he set up a business-aligned op risk department and developed a bespoke loss data and risk indicator collection system. “Dresdner was open to a holistic approach to operational risk management,” says Howitt. “It wasn’t too siloed and we had a central mandate from the group risk head in Germany to implement the programme across all the investment bank departments and disciplines, in London and around the world.”

At the beginning of his time at Dresdner, Howitt was heavily involved with a number of industry and regulatory working groups that provided much input into the Basel Committee’s final definition and guidelines for implementing operational risk.

“The regulatory side was all wrapped up with Basel II and there was a sweet spot there where the UK Financial Services Authority (FSA) had quite a strong influence on rule-setting at Basel.” Howitt was a member of the FSA op risk working group and of the International Swaps and Derivatives Association’s industry lobby group for Basel II.

“It was fun because we were thinking with a blank sheet of paper, and about what banks and other financial firms would be able to deliver on this, and what’s going to work,” says Howitt. “Areas such as reputation and business risk were excluded from the initial definition because they couldn’t be quantified all that easily. Operational risk had to be more concrete as nobody wanted to pay capital for something that couldn’t be measured, so initially it was a slightly more narrow definition than it was in practice.”

Today, Howitt believes that initial definition is changing and the financial crisis has shown business risk and reputational risk are better understood and might be more measurable.
“For instance, the Basel Committee is now talking about the need to consider business and reputational risk where firms are providing implicit support for their franchise,” he says. “While I am comfortable with op risk as currently defined by Basel, I think it is fair to say op risk and franchise protection are intrinsically linked. Hence the reputational and business risk impacts of op risk events realistically do need a lot more work. To some extent this is being addressed in stress-test scenarios, and I welcome that.”

Keen to work at a buy-side firm, Howitt joined Man Group in early 2004. A sound op risk programme at a buy-side firm is part and parcel of managing reputation risk, says Howitt. “At Man Group, we measure reputation risk through the business risk model. As a fund management firm, we are franchise-orientated, we are concerned with looking after the long-term value of the business. We have products with a 20- year track record. That’s a long-term revenue stream. If something goes wrong, you will feel the fallout for a long time. There is the immediate operational risk cost of an event but there is also the future cost in the business risk model of all the reputational issues. So we are in fact measuring reputation risk, although there are a lot of assumptions in there. Ten years ago the industry probably wasn’t ready for that.”

Ten years ago, the focus from regulators and banks was very much on measuring the direct impacts of operational risk, which meant collecting loss data. “In the early days of operational risk management, most firms hadn’t yet mapped out the risks in each business process and so there was quite an emphasis on qualitative, self-assessment approaches to managing op risk. But some of these were really just beefed up audit activities,” says Howitt. “At Dresdner, we leaned more towards data collection because it was more objective and you could have a much more disciplined discussion with people about op risk if you had data to back it up.”

Howitt collected losses and risk indicators from throughout the organisation and built a commercial system to collect the loss data. “This approach also created accountability across all departments with the risk function – once you had the risk information, there was a productive dialogue with each area,” he says.

“We did qualitative self-assessment work as well but we were balanced more towards the data side. The other piece was putting in place the beginnings of governance structures and establishing an op risk committee, chaired by the chief operating officer,” he explains. “Dresdner wasn’t the largest financial institution, but it was diligent in risk management and I think it was ahead on op risk at this time.

“The spirit and sponsorship were solid and op risk got good traction with the support areas as you would expect. In the front office, the equities and futures businesses already had a discipline of error reporting so we were able to build on that. Some of the debt areas, as well as less process-orientated areas such as corporate finance, were a little harder to penetrate. Nevertheless, after a few years it was well embedded in all areas of the firm.”

At Man Group, Howitt has followed similar principles and found the culture receptive to op risk management. “Man was a greenfield site for op risk management when I joined. It is sophisticated in risk management and prides itself in being so, and at that time it understood that to scale up its business it needed to lay deep foundations in its risk architecture and governance. With a well-embedded risk framework, the firm would be able to build a much more solid business on top,” says Howitt. “Being a smaller and more focused firm, I could get my hands around all areas of operational risk. With the open business culture at Man, risk is always treated as an important consideration in whatever we do.”

Man also has a data-orientated approach to operational risk management, and has a robust reporting and risk governance framework. As the firm is listed, and has some limited trading book activities as well as portfolios of investments in, and loans to, its funds, it has to meet the full requirements of Basel II.

“We decided from a management perspective that it was more appropriate for our firm to follow a standardised approach for op risk, but at the same time we implemented a fairly sophisticated economic capital model,” he says. “We didn’t see the value in going for an advanced approach because we were more focused around the management of op risk. Our economic capital model – in place now for almost six years – also effectively formed the basis of our internal capital adequacy assessment process.”

“All the qualitative and business practice standards we follow are the same as required by the advanced mesaurement approach (AMA) anyway,” he says. “We didn’t want to lose focus on managing op risk by spending too much time on the models alone. Risk didn’t want to be cocooned in an ivory-tower department that was always dealing with regulators; it was better to focus on effective risk governance and make the risk platform work for us, and then the regulatory side would be easier, as compliance would be a natural outcome.”

Howitt believes it might be a false comfort for institutions to rely on AMA models without carrying out effective op risk implementation. “I think the AMA has also become something of a game of national champions,” he says. “We didn’t want to feel we were some kind of grand standard-bearer for the industry and for the regulator. We had to have an implementation that worked for us first.”

Moreover, despite the fact Man was running a data programme, it didn’t have enough internal loss data to populate an AMA model. “We felt we didn’t have a lot of loss data. We might have external loss databases that told you lots of horrible things that could go wrong but, fortunately from a business perspective, we didn’t have enough of our own losses to have an internal dataset that was sufficient for statistically rigorous modelling. We didn’t see any great merit in the AMA for us but can understand why a large national flagship financial institution might have felt a regulatory obligation to take an advanced approach.”

The lack of data is a constant problem for operational risk and the fact firms can never really be certain about the size of the next loss means modelling is fraught with problems.  “We felt that, because of the lack of data in op risk, you couldn’t really be certain about the size of the next loss and we didn’t want to be fooled by the modelling,” says Howitt. “Modelling is a useful tool, you can learn a lot from it, but not all models are right. Op risk in a sense is the more honest risk because we don’t really know how big the next loss can be – we have a gut feeling – and this is why we are comfortable with an economic model using scenarios based on expert judgement, but obviously supported by data where we have it.”

Embedding an op risk management culture is the ultimate aim for any op risk manager. Establishing a framework is the easy part, winning support from the front office is much more difficult. The financial crisis demonstrated the value of having an embedded risk management function, as Howitt explains: “For Man Group and other firms that had well-embedded risk management, the op risk staff were very hands-on and very much in the heat of the battle. They were not sitting there just doing analysis on the computer and modelling, which is of limited use when tomorrow one of your major counterparties might go bust. We were getting involved at ground level with where money was deposited and being sent, with some of the valuation and liquidity challenges in the portfolios, as well as engaging closely in the rebalancing and de-gearing of certain funds. We had to be on top of daily business information to contribute to the decision-making meetings in the heat of the crisis.

“For well-embedded op risk practices, the crisis was a valuable engagement and presented an opportunity to practise the theory. Because we already had comprehensive risk reporting on tap at Man, we were able to co-ordinate different strands and help get decisions made as things evolved. Of course we all learned lessons during the crisis, but fundamentally what we experienced was a validation that what we were doing worked. Those firms that didn’t have a well-embedded op risk programme would have seen op risk sidelined and ignored as the crisis was happening around them.”

Although Howitt welcomes some of the regulatory changes occurring post-crisis, he believes the increased political and regulatory scrutiny will change the face of the financial market and not always for the better.

“There is going to be a long tail of increased scrutiny in terms of regulation, which is to be expected, but there are positive aspects to that,” he says. “It is going to clean up the worst elements in the industry and it will also help to get the op risk, business practice and governance message out there. There are some negative sides, however. Unfortunately a lot of regulation is often liability driven. To pull out of the crisis, banks need to have the courage and confidence to start lending again and to invest in new products and markets but the problem is that the increased burden of regulation is going to foster the attitude of ‘if there is a risk, don’t do it’.”
Howitt is also concerned some regulations are deliberately protectionist, such as the EU Alternative Investment Funds Managers Directive, which targets hedge funds. “The hedge fund sector was not the cause of the crisis and I am concerned that stifling innovation has a large long-term cost.”

Howitt also points out that the cost of operational risk is going up, in the form of fines and the reputational risk fallout. “From an op risk perspective, it is clear to me that if you have a regulatory problem the cost of it, both in terms of the fine and the reputational repercussions, might not have been so big four or five years ago,” he says. “A fine that might have been $1 million three or four years ago may have a starting price of $20 million today. In terms of people counting the cost of reputational and operational risk, the price has gone up dramatically, and I’m not sure that has been fully factored into everybody’s op risk models yet. But we are very aware of that.”

One good example of regulatory fine inflation is the FSA’s recent £17.5 million fine on Goldman Sachs for reporting failures. “The cost of regulatory failure, breach or miscommunication or any kind of abuse or poor business practice has gone up in multiples – both the direct cost of fines but also the reputational cost,” says Howitt. “I am not sure many firms have included that in their scenarios and models yet. Certain types of firms in the past might have thought that a regulatory fine was simply a cost of doing business. This was never our position and in that context I welcome the firm line regulators are taking on compliance matters. Longer term, it will benefit the wider industry.”