Anyone who is involved in managing operational risk has a challenge in looking for what ultimately are the ‘unknown unknowns’ as well as the ‘known knowns’, the things that have happened before, and which will repeat themselves at regular intervals in the future. As such, part of this challenge is to think outside the box, and to determine what the realistic threats are to the successful achievement of corporate objectives. In addition, there is the need to act as a change manager, and encourage improvements to systems and working practices that will really benefit the business. This is a genuine opportunity for anybody engaged in operational risk management.
Operational risk surrounds all of our activities, every day. Everywhere one looks, one can find operational risk. It is as a direct result of people’s actions, and if something can go wrong, the chances are it will. By accepting that people do make mistakes, we can be better prepared for different outcomes in the future, the trick is to think what might go wrong and anticipate the likelihood of it happening.
To be able to do this – especially in areas like financial products and markets – a degree of knowledge and experience is required. The old saying is you should set an ex-poacher as your gamekeeper if you want to catch a poacher, and while this is not necessarily true in all cases, there can be no doubt that having experience of what can go wrong is valuable. In the same way, organisations can learn from other people’s mistakes, and this is part of what operational risk is about.
Back to Basics – Understanding the Causes
The first requisite is to understand what has actually happened inside one’s own organisation, while appreciating that people often find it difficult to admit mistakes. As a result, it is necessary for the chairman and chief executive to set the right tone, encouraging a culture of openness in capturing the details of what has gone wrong, as they inevitably will do from time to time. Even in the best-ordered business environment, mistakes can be honestly made.
It is only through acknowledging what has gone wrong that we can start to learn about the causes and the risk of errors re-occurring, and if there is a risk of re-occurrence, what can be done to prevent it happening again. Causal analysis is one of the critical parts of a strong operational risk methodology. It is not just collecting details of financial loss, and even the opportunity cost of an incident, but what it was that actually caused it. Only then can an organisation really do something about it.
Causes at a basic level tend to come back to a subset of three things: people, processes and systems. The specifics of these subsets will be particular to each business, and through experience in one’s own organisation, these categories of causes can be fine tuned. When analysing the causes, there are two main activities which tend to be common across the board. The first is the need to consider the improvements necessary to prevent the same thing happening again – for example the tightening of a particular check in the process. The second is to build a business case for paying for those improvements. For example, spending more money on better training of employees, or recruitment of a staff member with more experience. Overall, these expenditures will save a business significant amounts of money (and hassle as errors are not repeated) each year.
Corporate Treasurers – Good for Business?
It is through such a constructive and pragmatic attitude that operational risk managers should be viewed as friends of the business, demonstrating an attitude of working in the best interests of the organisation. In order to be seen as such though, corporate treasurers and operational risk managers must demonstrate a thorough comprehension of the risks in traditionally complex areas such as derivatives and other financial instruments. This would be as opposed to holding a more bureaucratic attitude to loss and risk, which might stem from a fear that because something is complex, it is dangerous.
Even if there is not much loss experience to learn from in one’s own firm, other firms have had some, and these incidents sometimes get heavy publicity. In the banking world, the losses at such institutions as Barings and Société Générale have been well written up. These are expensive examples of what can happen when people do not have the correct controls in place to protect themselves from errors. In your organisation, considering the question: ‘could it happen here?’ can help to identify potential problems, and put the necessary checks and processes in place to avoid mistakes
Confidence Through Tests and Controls
One of the easiest ways to address a potential problem is to test the controls on financial instruments, how much freedom do the people executing these instruments have, and when executed, when do they get recorded? How confident can a business be that every trade will be recorded, or, as has happened many times in dealing rooms around the world, will some trades not make it as far as the back office?
Of course, as an operational risk manager, one does have to consider how far one can go in thinking everyone is a potential ‘rogue trader’. Dealers may all be completely honest and have no intentions to mislead or cheat anybody, but if a situation occurs that means they have to admit to a mistake or to being wrong, panic might set in and that honesty take a back seat. This is where there is a need to be lead from the top in having an open culture and attitude, in order to be able properly assess risk and the causes of errors.
There also needs to be an understanding as to what procedures and controls are in place for dealing in a new financial instrument. Does every financial instrument need to be approved by a risk committee before being executed? This sort of examination is of immense frustration to dealers who can always see the upside of the deal, but who do not think about the downside risks. Much publicity has been given to the losses caused to the buyers of collateralised mortgage debt, for example, but far less to those who recognised that those debt obligations were secured not so much on the property itself, but on the ability of the people to service the debt. In good times of rising property values, that debt might not look so mountainous against the equity in the property, but in an economic downturn with the inevitable and consequential rising unemployment and falling property values, that debt will be a big problem. This phenomenon will have been foreseen by the long-sighted, and would not have been clumped together and treated as just debt secured by property.
Likewise, dealers will always want to place the firm’s surplus liquidity on deposit with whichever organisation is paying the best rate. The fate of several Icelandic banks has proved an expensive lesson to those people who were attracted by the opportunity to earn several percentage points over Libor and did not associate return with risk. If you don’t understand the meaning of the word ‘risk’ in this context, just substitute it with the word ‘regret’.
So, understanding what went wrong to identify the causes of the loss is one part of a good operational risk methodology.
When is Risk a Risk Worth Acting On?
This risk identification process in itself needs to be tied to losses to understand what a risk could mean in loss terms. This might be done at two levels, qualitatively as well as quantitatively – is the risk high, medium or low in qualitative risk measurement terminology. Or better still, to use an even number of options to determine the level of risk. That way, deciding which category of risk applies in each risk case will be more of an informed decision, rather than a compromised one of not being sure and selecting the ‘middle-way’ option.
A quantitative measure of risk is a little more complex and requires more thought. Organisations could try to capture what a firm would expect to lose in a certain time period – for example the next 12 months – against what the firm could lose in a worst case scenario. This is where experience and knowledge are key. The risk of loss on an open position in a financial instrument is a market risk, and therefore should not be counted as an operational risk, but what happens when one of the parties to the deal disputes the terms of the deal. In the past, the amount of the deal, the rate, the settlement date, was it a buy or a sell, were all factors that were once disputed far more than today, thanks to technological improvements in financial markets. Nevertheless, all of the above continue to be operational risk issues.
The benefit of a quantitative measure of risk is that one can establish which should have the most attention paid to them. There is no point wasting energy on something that only happens once every two years for example, and could cost the firm only a small amount of money. The risks, which if they translate into an incident could cost lots of money and / or significant time and effort, are the ones worth pursuing. This way, as an operational risk manager it is possible to earn respect from the business as someone focusing on what is genuinely important for its success and, more specifically, important to them, as a loss will hurt the bottom line for which they are responsible.
Buyer Beware – Know Your Enemy
A good operational risk strategy will therefore take months – if not years – to evolve from definition to practice. To collect and learn from losses, to understand risk and the causes of risk, and to measure them quantitatively in order to establish the most significant and potentially most damaging ones. There are many questions that will need asking too, what are the controls that mitigate risks and how confident can a business be that they will always work? Are there sufficient checks and balances in the system, and what happens when someone is away? How vulnerable is the organisation at that time? Understanding the importance of control testing and scenario analysis are important elements in this strategy. For example, what happens in the event of an IT or communications failure? Business continuity risk is now often considered an operational risk because of its deeply integrated role within organisations. Compliance risk has also increased as the financial world becomes more complex – has the business made plans around documentation and regulations that cover financial contracts? Caveat emptor, perhaps.
Let the buyer beware applies well in the context of operational risk. Whether a firm likes it or not, operational risks apply in every firm. A firm which ignores, or doesn’t pay enough attention to this type of risk will, one day, pay the price. An important objective, and benefit, of a good strategy is not just measurement but improvement. Can the business become more efficient, are controls really worthwhile? The worth of an operational risk manager can be measured on whether they are making a positive difference to the business as a whole. content
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.