Mandate expands, but money doesn’t

THE remit of operational risk managers is expanding, while the importance of their responsibilities to firms continues to grow. But, at the same time, op risk mangers are not seeing an increase in the amount of resources they have at their disposal to carry out the various tasks that have been assigned to them, which may leave many of them in an awkward spot if their firm suffers large losses.

This is one of the core conclusions of our third annual global operational risk survey, conducted in March and April of this year, in conjunction with risk consulting firm Protiviti. The results of the survey, which had 292 responses, were drawn from financial institutions around the world. Some 45% were in the EU, while nearly 30% hailed from North America. Annual revenues of 47% of the firms exceeded $1 billion, and nearly 48% had more than 5,000 employees. Some 30.9% hailed from retail banks, while 19.7% were from commercial banks and 25.7% were part of an integrated financial services organisation, at the group level. More than 70% of respondents were directly involved in risk management.

The results of this year’s survey clearly show how the role of op risk manager is expanding. Figure 1 shows how op risk managers are in charge of core activities, such as op risk policy, loss databases, self-assessment programmes and committee projects. But op risk managers are also increasingly taking on other areas that had previously been under the aegis of other departments. Nearly 41% of op risk managers oversee their firm’s business continuity programme, while 37% have oversight of risk mitigation, including insurance. More than 30% are responsible for internal fraud prevention, while 25% have to tackle external fraud and anti-money laundering regulation compliance. Indeed, a whopping 21% claim to have oversight of the compliance department itself.

Some 90% of firms claim they use op risk information for their risk assessment or internal audit business decisions. More than 55% incorporate some op risk information into their new product approval processes, while nearly 45% say the information is handy for strategic planning and some 43% say they look at it during systems implementation.

These results partly reflect firms’ broadening understanding of what op risk is. Beyond the question of measurement of op risk for capital modelling purposes, there is the question of managing and mitigating op risk. And firms are realising that this requires engagement between risk management and the business lines on a host of fronts that they had previously had no involvement with. Regulatory/compliance risk ranked as firms’ top op risk in terms of the impact that it has on their business area this year, while IT systems failure/inadequate management information systems ranked second. Business continuity took third place, while external fraud was fourth. Anti-money laundering compliance concerns rounded out the top five. Op risk managers are suddenly finding themselves charged with not only measuring the amount of risk that their firm is facing, but also understanding those risks and coming up with management strategies.

This broadening of agenda comes at a time when op risk managers are also implementing their core Basel II op risk programmes. Today, 92% of firms have a formal op risk policy in place, and nearly 55% have op risk frameworks that include dedicated op risk mangers at the business unit level either full- or part-time.

But just 25% of op risk managers say their op risk management costs, excluding technology, will increase by 10–24% in 2005. Only 15% expect those costs to rise by more than 25%, in spite of this period being the core implementation time ahead of a January 1, 2008 deadline for the advanced measurement approach. The bulk of this money is expected to be spent on increased reporting, staff and training. But op risk teams are small – 45% of firms have five people or fewer on their op risk team, while nearly 12% claim to have no team at all. And only some will be hiring more – 49% of firms don’t expect to change their level of staffing over the next 12 months. About 20% expect to increase their head count by 1–9%, while 16% plan to boost staff up to 24%, and just 13% say they will hire more than 25%.

Indeed, firms’ total spend on their op risk projects – estimated from 2003 until implementation – is surprisingly small (see figure 2). Nearly 52% of firms expect to spend less than $1 million. Only 8.7% of firms plan to spend $5 million–10 million, while 10.7% say they plan to spend more than $10 million. Such sums are dwarfed by the amount of cash that has been ploughed into both credit and market risk over the past five years.

The same story applies on the technology front. More than 30% of respondents aren’t anticipating a change in their spending in this area over the next 12 months, while just 12% say their technology spending will rise by more than 25%. And yet fewer than 40% of respondents have self-assessment tools, internal loss databases, key risk indicator programmes or internal reporting systems in place. That could be because 90% of firms are planning to rely on internal data to calculate economic capital for op risk (see figure 3). In fact, nearly 19% of respondents confessed that they haven’t yet started their overall Basel II op risk implementation programme. A whopping 27% are only in their initial implementation stages, while 35% say they are midway through completion.

So it’s hardly surprising that respondents cited "overall awareness and knowledge of op risk issues among general staff", "difficulty in collating sufficient volume of historical data", "inadequate management buy-in" and the "cost and time of implementation – the sheer size of the project" as potential obstacles to successful implementation of their op risk management frameworks. More and more op risk managers are citing the difficulty of getting ‘buy in’ – the full backing and proactive support – of both those above and below them.

"I would like to say that my bosses are giving me more responsibilities because they recognise the value of op risk," says one London-based head of op risk. "But it’s just not so. They are handing over things like business continuity and fraud and money laundering to the op risk staff because suddenly this stuff is part of Basel II, and suddenly the regulators are really pushing compliance in these areas. But that doesn’t mean that I’m getting the resources I need to do all this properly."

Another op risk manager, based at a medium-sized bank in the US, says: "There was some resistance to op risk at the business unit level over here, but I’ve had buy in in regulatory-influenced areas like new product approval processes. This is great but when I get the buy in, how do I deliver the info they want? It’s like Basel is my day job and all this other stuff is the night shift." OpRisk