In the frame
Seven of the industry's top op risk executives debated framework implementation at a recent roundtable discussion in New York, moderated by Ellen Davis and sponsored by enterprise-wide risk solution firm FRS
Ellen Davis:
How does your organisation roll risk assessments up to the enterprise level to assess operating risk exposures? Is this a scorecard-based approach? Are there triggers for centralised risk managers to react to? Are comparisons done to current and last loss experiences, and who is in the information chain to review these assessments?Patrick O'Neill (BNP Paribas):
We have a good foundation to do that at the enterprise level. Having said that, the roll-out of this approach is a year old so the data is still being collected. But what we have done is that the self-assessment and the scenario analysis – from the Basel perspective – is all based on a set of generic processes. Each individual business selects what they consider to be their key processes, whether they're in retail, securities, corporate investment banking or in fact something from the same list. We identify the risks by choosing from the Basel II event types, so we're event-based not risk-based. We've actually created a third level of event types – level 3 – which is not part of the regulatory specificity so, in fact, across the bank we have everybody selecting from the generic process list and everybody is selecting the same potential events in terms of their exposures. We step away from the generic on the control side, but we consider that the exposure and where it's occurring are sufficient enough to have people potentially identify whether we have an exposure at the enterprise level, whether it's within a business, a division or the bank as a whole.Michael Haubenstock (SunTrust Mortgage):
We have more of a self-assessment process. It's not scorecard-based, it's more an open formula of 'what are the risks in the organisation?' We would use the risk categories as a framework for that and do a bottom-up exercise in each business area, complemented by some top-down views, and it's typically circulated to what you might call risk specialists – human resources, IT, the compliance and legal people. If that's done business line by business line the largest risks – which can be very qualitatively based, but you get consensus on what those exposures are – can be rolled up into a corporate-wide process that ultimately picks the largest risks in the company. The largest are typically ones that have some common element across business lines; they have some common theme such as compliance or data.Edward Shea (FRS):
We see varying degrees of focus on business units and processes in different institutions. We see organisations that have successfully rolled out deeply within the organisation and others who have gone down one division and are doing it almost on a systematic basis. We see some scoring, some not scoring, some scoring only risk and some scoring only controls. It's fascinating, talking to a large number of institutions.ED:
Basel II requires the use of internal and external loss data to calibrate loss distribution estimation processes. What are your major challenges in collecting a consistent database of losses upon which to develop capital measures? Is this data collected centrally or locally through technology-enabled systems?Bob Angorola (Calyon):
We accumulate that data and enter it into our system at the time of occurrence for all the internal information that we have. I believe now we're down to about 12 different categories. For our purposes in reporting to Paris, we actually report legal expenses as a result of litigation. We were a little confused on that at first but we can honestly identify the relationship to that. It kind of skews our numbers off sometimes considering that when you're in the corporate investment side of banking there's always some level of litigation that's going on that's costing you a bit of expense. We collect it locally and in the Americas group I'm running in New York, we get it from all our countries in South America and our branches in North America. We roll that up into an Americas group and report to Paris, our head office. We now accumulate that information in real time and load it into our system. We're also tying each particular loss to an identified risk and control in our risk and control self assessment programme. It gives us a trend analysis that we can look at a little more closely in trying to come up with some sort of idea on how to mitigate that in a better fashion.Eric Holmquist (Advanta):
We will never have enough data to use as a forecast mechanism – we're just not big enough. I'm a cynic on external data. The reality is that we'll never get external data to be properly correlated to a medium-sized institution. We do use loss data for forensic purposes – what happened and how do we make sure it doesn't happen again – and it's very valuable from that perspective, but we don't accumulate it. How does that affect us from a competitive advantage? I don't know. I have mixed feelings on loss data as a crystal ball. I think some aspects are good and some are very poor. I think technology events are very poor indicators of future events because they rarely happen the same way twice. You have to be very careful about how you read the tea leaves in data. Ours is merely around process improvement.Debborah Knowles (Greater Bay Bancorp):
Eric and I are in similar situations. We do not collect loss data for Basel II. We do not see the benefit to our organisation of doing so. Having said that, I know what my operational losses are and they are not material. We don't approximate the organisations in terms of size and complexity and line of business that have a requirement to collect loss data – the top 20 banks in the country plus the offshore/foreign offices. Much like you, I look at what could go wrong within our business process, how we execute on strategy and probably a good bit of my focus as it relates to operational loss issues are involving technology. In terms of loss data collection, most regional/community banking companies don't have the scale within their operation to benefit. This is especially true if their focus is not retail banking. While we do have retail relationships, we are primarily a commercial lender. As a result, the Basel II loss categories become less meaningful.ED:
Is it possible to reduce operational losses to a baseline irreducible pattern of loss events due to the failure of people, processes and external events, or is op risk more complicated and random than the management of processes and controls would suggest?DK:
One of the important contributions we make as risk managers is trying to normalise what can 'go bump in the night,' trying to normalise what's happening within the organisation and having a process where we can anticipate the magnitude of what could happen to us. But every once in a while, dumb things you never thought could happen, will happen. In spite of how good we can be at normalising and predicting risk occurrence, we occasionally get surprised. A good example of that is a notification requirement of our vendors when they expose customer non-public private information (NPI) as defined by Gramm-Leach Bliley Act (GLBA). The surprise is that many of our vendors inform us of other service provider relationships that we were previously unaware of during the notification process. So not only has our customer data been compromised, but also it was done by a relationship we weren't aware existed. In response, we have become much more savvy to the questions that need to be asked through our vendor management process. We implement programmes to try to understand those risks, but at the end of the day we all occasionally get surprised. We use these experiences to better predict and respond to future events.ED:
Have you implemented means by which risk drivers can be used in risk assessment methodologies to develop scenarios for operating losses based on certain well-defined external factors? Have you begun to model key risk indicators in your assessment and risk capital estimation procedures, and are you comfortable with your institution's progress in defining and using scenario analysis for op risk management?BA:
You have to be able to compartmentalise scenario analysis to some degree. Some areas are conducive to it, a lot of areas are not. You have a really good opportunity to utilise scenario analysis when it comes to business continuity. We meet our emergency management response team on a quarterly basis and do tabletop exercises, where we go through exactly the points of bird flu, 9/11 recreations and all the other component pieces like that. Some business areas are not necessarily conducive to scenario analysis and that's where we have to draw the line in some cases, at least in our situation. With regard to the KRIs, we're in the start phase right now. We're really trying to do our identification process and we've come up with a fairly good analysis to start with. I think sometimes we have a tendency to overcomplicate op risk concepts. Keep the KRIs simple. That's another thing to keep in mind when you're going through your KRI analysis and your identification of the important component pieces of that.ED:
What's been the biggest challenge in rolling out your op risk management programme vis-à-vis traditional risk management disciplines?Jaidev Iyer (Citigroup):
We are in a situation where the op risk function is probably the most important risk function. In fact, some of our market and credit risk colleagues complain that senior management has no time anymore because they are mature disciplines and the discussion in the market risk and credit risk space is quickly down to the transaction level. Our chief risk officer was recently quoted as saying every manager in the company is a risk manager and every risk manager is an op risk manager. You can understand, with the accidents and experience we have gone through ... there is nothing like a good accident to promote the cause of risk management. To us, the real challenge in op risk is what do we mean when we say we 'manage' op risk. I talked earlier about being able to learn from the evolution of credit and market risk, but what's equally as interesting is that we finally know in what significant ways op risk is different from credit and market risk. It's not just different because it's asymmetric; it's different primarily because it's not organisation-neutral, unlike market and credit risk, which are neutral to your organisation. Unlike market and credit risk, and this is very important, op risk is completely introspective. Unlike the credit space, where ratings move in the market, or the market space, where spot foreign exchange rates or volatilities move in the market, you cannot create, manage, mitigate, monitor and exit the op risk drivers. We are dealing now with an animal for which we don't yet have a common language or terms for dimensioning or communicating... but it's fun.ES:
Do you think because there's a lack of vernacular around op risk, it makes it difficult to treat it as a traditional risk discipline? How do you formulate your appetite for op? Do you make judgemental decisions about how much you're going to take and how much you're not going to take?MH:
I think that's a real challenge. If you look at any risk management text, there's regulatory guidance for op risk that says you should establish a risk appetite. On an historical basis, that's done by the board on down... it's the representation to shareholders – are we going to be aggressive or are we going to be a conservative risk avoider? Unfortunately, that's where the theory ends and practice doesn't start, because it's a theory. It works in credit market risk where you have measures that can be taken readily, and you can actually influence your position. You can say 'I'm not going to do this next yield because it's going to take me over a concentration limit', or 'I'm going to buy a derivative and take down my exposure'. It's not so easy in op risk. There's no guarantee you're going to be within risk appetite because a KRI could increase over your threshold and you can't make your turnover go down.ED:
As understanding and co-operation has evolved in your op risk programmes, have participating business lines found it difficult to implement a 'risk management culture' to sufficiently participate in capturing operating losses and managing self assessments? What's been the greatest challenge in distributing this methodology deeply within the organisation? Compensation and targeting are one method, but are there other things you have been doing?EH:
This is an area where compliance has helped us and hurt us. We're trying to get people beyond the 'check the box' mentality and thinking more in terms of managing risk. We've had some success in some areas. We've tried to make it safe to fail so people can say 'this was a bad way to do it; how are we going to improve it'. People are willing and excited about thinking of ways to improve business, and that's good. However, there is a lot more we can do and there's a long way to go to really get towards a more risk management culture versus just a compliance culture.ED:
The governance layer has generally been supportive in underscoring the importance of these efforts. Do they feel sufficiently informed of the organisation's op risk profile? What would you like them to do in addition? How could senior management or the governance function help push op risk even more and make people more aware of it?JI:
The biggest thing has been the struggle to make sure op risk does not get bedded into a separate silo of its own. The cynics would argue that op risk wants to take over the world. The truth is we are omnipresent; even the administration of credit and market risk policies is all about op risk. How do you bring together in and end-to-end control framework your own place at that table, which has compliance, legal, business, market risk and credit risk and everybody else? How do you get senior management to position you as somebody who is bringing everything together at the level of the organisation where it really matters... this is the bowels of the machinery, not credit risk where, arguably, you could sit in an ivory tower and shoot the policies out that require four signatures for an extension of credit. How do you make sure people see the fact that you bring value at that level? It's challenging.BA:
Two types of events have really helped us in our organisation. One is that the whole compliance initiative within our organisations has added to some degree a level of credibility to the op risk component. Take that to the next level – we sat around the table at one point and I brought up the point you just mentioned, and that was credit risk is isolated to your customer network or your commercial lending group, whatever the case may be. Market risk is restricted to your trading institutions and your trading entities. Op risk hits every single department of the institution, and you can almost see little light bulbs going off on top of people's heads because they start to realise at that point that maybe this is a little bit bigger than they thought. We may not have the same level of capital associated with it as we do in the other risk areas, but it also presents an opportunity to management to hone in on a number of different areas. It's the one area of risk where they can isolate it to each and every department, and that represents a challenge to the management of those areas. In our case, we had a decision at the highest levels of management on our executive committee that defined the RCSA process, the whole self-assessment process and loss event gathering of our organisation. Whether or not those management committee members specifically did the process.... we know they did not, but they were the ones signing off on that. We tried to correlate that back. We don't come under the auspices of SOX because we're not publicly traded in the States, although our regulators have told us that although we don't come under the jurisdiction of the law we have to comply with the spirit. It provided a level of 'SOX compliance' that people had to start to understand because the various departmental and divisional managers where actually signing off that these were their risks, these were their controls, these were there action plans and these are their losses. The level of ownership is critical; once you drive that point home, you find the acceptance – acceptance of the process, not necessarily yet the acceptance of having to do it. OR&COnly users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Risk management
Regionals built first-line defences pre-CrowdStrike
In-business risk teams vary in size and reporting lines, but outage fears are a constant
Op risk data: Santander in car crash of motor-finance fail
Also: Macquarie fined for fake metals trade flaws, Metro makes AML misses, and Invesco red-faced over greenwashing. Data by ORX News
Public enemy number one: the threat to information security
Nearly half of domestic and regional banks report risk appetite breaches amid heightened sense of insecurity
Credit risk transfer, with a derivatives twist
Dealers angle to revive market that enables them to offload counterparty exposures, freeing up capital
Op Risk Benchmarking 2024: the banks
As threats grow and regulators bore down, focus shifts to the first line
Fed stress-testing operational readiness of discount window
Experts say consultation on improved ops should be accompanied by focus on willingness to borrow
Millennium risk manager defends leverage in basis trade
“Gross notional measures don’t equate to market risk,” says Scott Rofey
Banks feel regulatory heat on op resilience
Op Risk Benchmarking: supervisors dial up reporting expectations and on-site inspections