As defined in the Basel II text, operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In his article Risk Management From Your Desktop, Mark Opausky, at BPS, describes a scenario that highlights the dangers operational risk can pose. In this example, a hedging strategy sold by a financial institution relies on certain raw material market prices. When these prices move in an unanticipated way, the hedge faces serious losses, while the financial institution can lose that most elusive of commodities – reputation. Opausky then shows how these setbacks can themselves create further problems. A coherent and transparent operational risk management policy can help prevent smaller issues from becoming major problems.
Understanding the Risk
The risks facing your business come in a number of forms. In her article Implementing ERM Across the Banking Industry, Carol Beaumier, at Protiviti, splits these risks into three groups:
- Environment risk.
- Process risk.
- Information for decision-making risk.
Environment risk refers to the uncertainties affecting the viability of the business model; process risk covers uncertainties affecting the execution of the business model; and information risk includes uncertainties affecting the relevance and reliability of the information supporting management decisions to protect and enhance enterprise value. Given the number of different risk areas financial companies face, it is vital that risk procedures are interpreted consistently across the organisation.
Taking an Integrated Approach
Corporates and financial institutions need to develop clear programmes on how to manage operational risk. These not only help prevent losses, but can also add efficiencies. A recent Morgan Stanley study found that banks delivering superior risk management could reduce capital requirements by 40% and boost working capital. One of the most talked about developments in this area is enterprise risk management (ERM), which offers an integrated framework for risk management across corporate governance and IT governance. The banking industry is relatively advanced in implementing ERM concepts, as shown in a recent study of financial services providers from Cisco that found 49% of respondents had implemented or were implementing an ERM policy. Protiviti’s Beaumier notes one advantage of ERM is that “it provides the means for rationalising the multiple risk management processes and systems that exist in many banks.” This can help eliminate duplicative efforts and identify any continuing gaps in these processes.
Consistency of approach is something that Sander van Tol, at Zanders, Treasury & Finance Solutions, rates highly in Corporate Risk Management Framework: Definition of Policy and Strategy (Step 3). He advises corporates: “use a limited number of defined terms and metrics in the risk management policy and also use the same ones in the document to eliminate any errors of interpretation. Defined terms in a risk management policy can be compared with the defined terms of loan documentation, for example.” Certain defined terms that should be included are definitions of risk measurement, calculations/formulas, reporting standards and hedging instruments.
Particular importance should be given to the metrics of the risk management policy. A metric is an overall measure of quantitative/financial objectives; in the previous section, for example, reported earnings can be seen as the metric. Although the end goal is to create shareholder value, one could use reported earnings as a more practical measure. There are other financial measures that are of interest to a company and can be used as metrics as well. A significant one is cash flow and/or the key financial covenants that are included in the loan or bond documentation. “The benefit of defining metrics in your risk policy is that it requires risks to be treated as a portfolio and modeled in conjunction. Often, a budget plan or financial planning model is used to measure the impact of financial risks on the specified metrics,” explains van Tol.
A coherent strategy is key to tackling operational risk and extracting the maximum benefits that can be achieved. In his article Reputational Risk: A Company’s Most Valuable Asset, Jeff DeRose, at OpenPages, offers a three-step framework for tackling reputational risk that is also largely transferable to other areas of operational risk: identify and assess; manage and mitigate; monitor and report. The first stage, identify and assess, should include protocols such as operational risk and control self-assessments, compliance assessments, internal policy reviews, vendor management policies and assessments, marketing and customer satisfaction surveys, investor relations and IT governance. “The assessment process should be coordinated for consistency, shedding light on interdependencies and hidden risks, helping to prioritise and focus mitigation efforts,” suggests DeRose. This leads straight into the second stage, manage and mitigate, where operational risk policy should be transparent and coordinated, with a specific member of staff (DeRose suggests the chief risk officer) designated to monitor and manage the risk. Finally, the monitor and report stage should be constant and ongoing, with the appointed staff gathering and analysing key risk indicators and regularly apprising senior board members of the results.
Technology should also be leveraged as part of an operational risk strategy. A converged platform that offers IT risk control over all areas of operational strategy can help take advantage of overlaps in risk and regulation and reduce compliance costs. In his article The Cost and Complexity of ORM and Compliance, Parm Sangha, at Cisco, looks at four key areas such a platform should address: business continuity, business security, recording and archiving, and finally knowledge management. “This approach to ERM allows institutions to tap into these shared services – increasing return on assets and, importantly, shortening the timeframe needed to meet future regulatory requirements,” says Sangha. Being prepared for future compliance needs is one of the most important factors of any operational risk policy, and an outlay on technology and planning now may help avoid future financial penalties.
Six Sigma is another methodology that can be used to manage organisational risk, according to Bidyut Kaishan, at i-flex Consulting, in his article Managing Operational Risk With Six Sigma. The Six Sigma technique of process mapping (flow charts) can be used to analyse processes in granular detail and to identify gaps in processes and the associated risks. Beyond risk identification, Kaishan also describes how the Six Sigma methodology can be used to measure, indicate, mitigate and manage operational risk. “Banks will be able to improve risk perception and, as a result, reduce capital requirement towards operational risk,” he argues.
What is clear from all of these examples is that your business needs a clear, transparent and defined approach to operational risk. New technology and risk models can help in the quest to manage operational risk and compliance issues. By being proactive, companies can offset potentially damaging future losses in efficiency, reputation and, most importantly, bottom-line results.