Hidden dangers

ARE operational risk managers losing interest in reputational risk? Two years ago, after Enron and WorldCom, after 'Spitzer risk' had damaged brands and balance sheets, it seemed that 'reputational risk' was all that operational risk managers could talk about. Many said that preventing significant reputational risk damage to their firms was the primary justification for investment in an op risk infrastructure.

Now, not so. Although operational risk managers may still pay lip service to the idea of measuring and managing reputational risk, many more say they are struggling with more fundamental operational risk issues, such as finding statistically consistent ways to measure 'actual' loss data, identifying the core risks that a business might be subject to, and finding ways to manage business process risks. Reputational risk is seen as being too 'fuzzy', difficult to identify and quantify – and if it can't be quantified, then it can't be used in a business case for investment in op risk frameworks.

The Bank for International Settlement (BIS) pointedly left out reputational risk when it came up with its definition of operational risk. "The BIS carefully defines op risk and then specifically excludes reputational risk without specifying what it is. They are smart people and I take it they found the definitional issue to be operationally intractable," says Ingo Walter, professor of finance at Stern Business School, New York University.

So what are operational risk managers looking at, statistically, when they log a loss event?

"A loss impact is the actual net loss booked in the general ledger, since this is easily observable both in internal loss event data and in publicly available data sources. It does not include stock price or market value drop, nor does it include indirect costs," says Ashish Dev, executive vice-president at KeyCorp.

This doesn't mean that regulators aren't concerned about the impact of reputational risk – the US Federal Reserve's Susan Schmidt Bies and the UK Financial Services Authority's (FSA) senior executives have repeatedly expressed concern about the damage that reputational risk can do to individual firms and the overall financial system in speeches and publications.

But some operational risk executives – focused on keeping their jobs and improving their budget allocation – are finding it difficult to use reputational risk as part of their argument. In their opinion, the issue of operational risk is something that marketing and corporate communications executives have to sort out.

Indeed, the consensus among risk managers seems to be that a loss event, in its strictest sense, is restricted only to the costs incurred by the business as a direct result of the event in question, such as the monetary amount stolen as the result of an internal fraud. Any other losses that the company experiences as a result of this initial incident are generally thought of as beyond the remit of the risk manager.

"The key issue is where risk managers draw the line. Some undoubtedly believe that a loss event begins and ends with the immediate financial loss in the P&L [profit and loss] and that their job is to find out where the controls went wrong and remedy the problem to ensure the situation does not arise again," claims Christian Pedersen, director of financial risk management at consultants Mercer Oliver Wyman. "Thinking like this can mean people miss the other significant fallout, both financial and non-financial from a loss event – loss of business, drop in share price, loss of staff – and these things may end up exceeding the actual cost of the event itself over time."

Charles Taylor, director of operational risk at the Risk Management Association, echoes these sentiments. "The simplest and most common method of measuring a loss event is to look in the general ledger, since this will give you a precise and accurate measure of how big an event is, but this used in isolation may not be enough to give you an accurate picture," he says. "How useful is the general ledger if there has been a trading fraud taking place over the course of several years and you are unable to identify it?"

Quentin Thom, head of risk at consulting firm Molten says: "If the media gets involved and the story gets a lot of publicity, if regulators decide to start taking a keener interest in what you're doing and if your customers are driven away as a result of the loss, these are surely all factors in a loss event too, even if quantifying the damage done and attaching a figure to it is hard to do."

So where does an operational risk manager draw the line? Although many argue that the general ledger isn't enough, just how does an operational risk manager move beyond that?

The bonds trading scandal that rocked Citigroup last year serves as a prime example of just how two-dimensional it is to focus on a loss event in isolation. On August 2, 2004 the banking group sent the Eurobond market into a panic after selling in 18 seconds the number of bonds it would normally sell in a day. This was done using an electronic trading system that the traders nicknamed 'Dr Evil'.

To make matters worse, after the traders failed to receive confirmation of the sale from the market they then sold even more bonds. Predictably the market was left shell-shocked by the abruptly dumped bonds, and prices began to plummet. It was at this point that Citigroup realised its error and bought back some of the bonds it had just sold, making a tidy profit of £9.96 million.

Ironically, although this event actually ended up making money for Citigroup, the indirect losses ultimately hit the company hard. Aside from repaying the £9.96 million to the FSA, in addition to a £4 million fine for having failed to exercise proper controls over its trading team, Citigroup soon found itself frozen out by European governments when it came to issuing further bonds.

A report by Bloomberg in July noted that Citigroup has arranged just 2.3% of the E155 billion in debt sold by governments since the Dr Evil incident – just one-fifth of 10.3% market share in 2003, when it led the market. It has also plummeted to fourteenth place in the league tables of European privatisation advisory work, down from third place.

Clearly the indirect costs in this instance dwarf those of the event itself, and illustrate the flaws of using general ledger information as a guide to assessing how much damage an institution has sustained. If this is the case, then why aren't risk managers investigating the wider implications of loss events? Partly, it's because in most cases the losses are much more difficult to observe than in this instance.

"You have to ask yourself what benefit there is in looking at associated losses for a risk manager. Basel II tells us to look at the materiality of an event and not to factor in losses in share value or the effects of a loss event on the future growth of the business," says Thom.

If a risk manager is in the business of identifying risks and mitigating them, how will looking at the reputational damage of a loss event better equip him to do his job? Arguably it won't, and this is without even considering the complexities of quantifying the cost of reputational damage. How, for example would one go about calculating how many government bonds Citigroup has lost since the Dr Evil affair? Is there even a way of putting a figure on it? For example, Citigroup may have dropped in the league tables anyway, but for other reasons. Or conversely, without Dr Evil it might have risen higher. How would a firm put a number on this?

Some academic work has been done in the area of reputational risk measurement. For example, the Federal Reserve Bank of Boston published a paper in late 2005 entitled Measuring Reputational Risk: The Market Reaction to Operational Loss Announcements. The authors claim that: "The announced dollar amounts likely understate the effect of operational losses on the financial sector. In a recent survey of financial services institutions, more respondents cited reputational risk than any other risk class as the greatest potential threat to their firm's market value."

The report goes on to note that in over 115 operational losses at financial firms between 1974 and 2004, loss events had "an immediate and significant impact on a firm's market value".

Another paper, published in September 2005, confirms this view. The Market Value Impact of Operational Loss Events for U.S. Banks and Insurers authored by J. David Cummins of the Wharton School, Christopher Lewis of the Hartford Insurance Group and Ran Wei, also from Wharton, said that in short, regulatory risk hurts.

"Overall, the results strongly support the regulatory view that operational risk poses a significant threat to the market value of both banks and insurers, providing a rationale for firms to manage operational risks," the authors concluded. "The stock market reaction to operational loss announcements also supports the view that market discipline can serve as a powerful tool for regulators in policing the management of operational risk. Finally, this analysis demonstrates that investors 'price' operational risk into their views on the future profitability of a firm, supporting the contention that the management of operational risk is a core competency for financial institutions."

More academic work on reputational risk is underway, but even those working on the projects have caveats about the results that will be produced. "We are currently working on calibrating reputational risk, in a proof-of-concept study using reputation-sensitive events," says NYU's Walter. "I agree that conventional definitions of reputational risk are messy and that the risk is idiosyncratic to individual firms so that an identical event may affect Firm A differently from Firm B."

But what impact will such work on stock prices have on the day-to-day lives of op risk managers, faced with the annual battle for their slice of the budget? Dev argues that op risk managers should include reputational risk in their business case, but in a different way. "Financial institutions need to signal their effectiveness in operational risk management and control."

Such signalling, which can be done in part by adopting Basel II's advanced measurement approach, can "minimise potential market value erosion when an operational event ends up happening unfortunately – ie, as a result of randomness, even when operational risk management and effectiveness of controls in the institution are of a high quality", Dev added.

Perhaps it is time for a wholesale rethink on the issue of reputational risk. Hazy and indistinct by its nature, attempting to establish a prescriptive framework for calculating reputational damage may be inappropriate. Indeed, attempting to work out an exact formula may be a case of shutting the barn door after the horse has bolted. According to some, measuring the loss arguably will not yield any practical data on how to stop the operational loss that triggered the reputational damage from happening again.

Without a clear financial benefit from spending time and resources coming up with a figure, it becomes easier to understand why risk managers aren't suffering sleepless nights over the issue. The most pragmatic solution at this point is to stop the operational loss happening in the first place, thereby staving off the reputational repercussions – which is pretty much what firms say they are already focused on.

The issue of whether capital adequacy requirements should be amended to take account of reputational losses also remains unresolved. It is inconceivable at this point that a regulator will emerge to insist that capital reserves factor in the threat. Nor does it seem possible that a method for calculating such a figure will be formulated in the near future.

"Unlike other risk domains where regulation sometimes substitutes for market discipline, reputational risk is not subject to regulation and indeed may not be possible to regulate, so that total reliance has to be placed on market discipline," says Walter.

"Citigroup's ongoing Herculean efforts to lift the reputational millstone off its share price is a good example of how market discipline can work through governance responses to managerial action," he adds.

Nonetheless, the thorny issue remains that the current data-recording methodologies are providing an incomplete picture of the severity of loss events, because reputational risk is not being included. This should be a cause for a concern in itself, given that risk management hinges on reliable and accurate data. Yet with no other, better means of assessing just how big an impact reputational damage has, the current regime looks set to continue, at least for the immediate future. OR&C