Who’s ready for op risk?

Most op risk executives that responded to a survey conducted in the past few months by North Carolina-based software company SAS in association with Risk and Risk’s sister publication, Operational Risk, said they have not started to put in place op risk management essentials, despite the fact that almost half intend to implement Basel II’s advanced measurement approach to operational risk.

Nearly a third of the 442 respondents have yet to begi n to put in place internal loss databases, internal reporting tools or key risk indicators. The survey found that 68% of respondents are choosing to build at least one op risk system internally, suggesting there may be a lack of attractive products in the market.

The survey asked respondents to estimate their op risk losses; 56% lost between $10,000 and $100,000 at least once a month. Moreover, 55% believe op risk losses cost between $100,000 and $500,000 once a quarter or more frequently. These figures, while notable, are far smaller than the op risk losses suffered by very large banks. The Basel Committee’s 2002 Quantitative Impact Study for Operational Risk showed that out of the 30 large institutions that took part in the survey, the average loss per bank due to operational risk loss events was E43 million a year.

The SAS survey also found that most companies have had a co-ordinated set of op risk policies and procedures in place for a relatively short time. For example, 27% of respondents have had an op risk programme for less than 12 months, while 19% have no programme at all. It also found that two thirds of respondents plan to spend less than $1 million to improve op risk management and measurement this year. However, op risk spending is increasing at a rapid rate – 29% of respondents said this year’s budget is an increase of more than 100% over last year’s, while 12% said their budget would rise between 50% and 100%.

Another op risk survey, completed in January by New York-based Nera Economic Consulting on behalf of its parent company, professional services group Marsh & McLennan, found that 80% of the banks in its study had more than five people employed at the corporate level in the centralised operational risk management function. Most banks, however, said the resources available were well above 15 people, and Nera said several banks cited more than 100 full-time employees with ‘vital operational risk duties’. The SAS survey showed much lower numbers: 34% of the respondents work for firms with a central op risk department of three to five people, while 26% have just one or two people. The differences in the results can be attributed to the different pools of respondents – Nera’s survey focused on large international banks in the US, Canada, Europe, Japan and South Africa.

“ Eighteen months ago, a lot of the banks had a very small group trying to set up the operational risk function,” says Bradley Ziff, a senior Nera consultant in New York. “By the time we talked to the larger banks in phase two, most of those had really staffed up their operational risk function at the centralised level.”

Nera found that all the banks that took part in the study had an internal audit function to help implement operational risk management policies. It also found that typical op risk reporting lines include individual business unit managers reporting into a central corporate risk function, which in turn reports into a sub-group of the senior risk committee charged with bringing particular concerns to the senior risk management steering committee.

Nera reports that virtually all the banks in its survey used a self-assessment process to identify operational risk. Those that did not are in the process of developing them. The self-assessments use internal and external loss data to make frequency and severity estimates. These are organised along business lines, while some banks also organise them by risk type, such as systems security.

“ Half of the banks seemed to be developing a loss distribution approach that was for the most part based on internal loss data and some external loss data, then applying actuarial-type models to that. The other half were developing a loss-distribution approach that was based mainly on the expert judgements of the people within the bank,” says Robert Mackay, a senior vice president at Nera in New York.

A typical self-assessment process, according to Nera, involves a ‘risk owner’ identifying and assessing operational risks within their business unit using scenario analysis and template questionnaires. A risk map is then produced for each operational risk category which includes loss severity and frequency, and an assessment of risk controls that are in place. Nera found that 52% of surveyed banks have all business units contributing to their operational loss database.

Nera also reports that as banks have become more confident in their assessment of op risk at the business unit level, senior managers have become more willing to penalise units seen to be under-performing. “Some of the banks are trying to build into their systems, either through scorecards or through explicit penalties or bonuses, a mechanism whereby if you don’t have good reporting or you overstate what you’ve done, you can somehow be taxed for it. And if you are doing well, you benefit,” says Mackay.

Joseph Sabatini, New York-based managing director and head of the corporate operational risk team at JP Morgan Chase, says one of the keys to op risk management is to provide economic incentives to each business unit. “If risk is high because the business unit is less well controlled than another, then they should be paying a higher capital charge than someone who’s invested and is disciplined enough to maintain a very high quality control environment.” Sabatini says this even comes down to awarding the manager of a business unit with good operational risk management a better bonus at the end of the year.

Sabitini adds that JP Morgan Chase performed over 2900 self assessments during the last business year. He says operational risk is as much an art as a science, and that there is still much work to be done on the analytical side. Nera says tremendous progress is being made, but adds there is still much to do.

John Ferry