Last spring, Comptroller of the Currency Thomas J. Curry gave a speech about risk at the Exchequer Club in Washington, D.C. Though the credit risk failures of the previous few years still cast a shadow over the industry, Curry did not single them out as the topic of his speech. Rather, he pointed to operational risk as “currently at the top of the list of safety and soundness issues for the institutions we supervise.”
Perhaps unnecessarily, he added, “This is an extraordinary thing.”
In the wake of a credit crisis that brought the global financial system to its knees, the idea that operational risk could eclipse credit risk is extraordinary indeed. But the concern is valid. With Basel II defining operational risk as stemming from inadequate processes, people and systems, it’s a risk that exists in every department of the bank, encompassing a daunting range of activities. Everything from teller shortchanging to rogue trading, fraud, cybercrime, reputational damage, legal liability and external events like natural disasters falls under the category of operational risk.
“It’s everywhere in everything you do,” says Edward J. DeMarco, Jr., general counsel and director of regulatory relations and operational risk at Philadelphia-based The Risk Management Association (RMA). “It’s the only risk that everyone in the bank takes, from the time you turn on the lights in the morning until you go home at night.”
Curry made his speech just days after New York-based JPMorgan Chase & Co. disclosed trading losses that ultimately reached $6 billion, stemming in part from a lack of controls related to a single trading position, a clear failure of operational risk measures. Headlines since then have read like a steady drumbeat of operational risk debacles: Several global banks were fined for manipulating the London Interbank Offered Rate (LIBOR); two large U.S. banks were sued for not following mortgage-loan modification guidelines; fraudsters working in concert heisted $45 million in a matter of hours from ATMs around the globe.
While each of these events is radically different in nature, they all lead back to a failure of operational risk. “It’s really anything that can go wrong in the bank other than a bad loan or a bad strategic decision,” says Ken Weinstein, senior vice president at Newtown, Connecticut-based Newtown Savings Bank, with $950 million of assets. He adds, “If operational risk were a Jeopardy category, it would be ‘potpourri.’”
Not only is the category broad, but the losses associated with it are typically outsized. “The losses can just be devastating,” says Phillip Hinkle, chief IT security examiner at the Texas Department of Banking, based in Austin. Further, he notes, banks typically don’t have a reserve set up to deal with these one-time disasters, resulting in an immediate, direct hit to capital.
Rather than focusing on measuring operational risk for capital calculation purposes, as dictated by Basel II, banks need to develop a bank-wide plan for managing the risks.
To that end, RMA about a year ago issued a framework to help banks develop an approach to operational risk management. By design, it is shaped in a continuous circle, not a pyramid or a flow chart, emphasizing that operational risk management is a way of thinking, not a process. “You may never get to the top of the pyramid,” DeMarco says. The circle design also illustrates that institutions should jump in at any point, to avoid being overwhelmed by the prospect of just getting started.
Newtown Savings overcame that hurdle earlier this year, having recently completed a pilot of an operational risk management approach. The process requires each business area of the bank to consider the level of operational risk it has in seven categories, from employment and safety practices to process and technology failures. “I tell each area that to get started I need 15 hours of their time over three to four weeks,” Weinstein says. “The goal is not to get to perfection; it’s to add value to the organization.”
Once the risk assessments are complete bank-wide, Newtown Savings will conduct periodic updates to identify changes and emerging risks. Ultimately, each team will be tasked with identifying its biggest risks and from those, the top risks across the enterprise will be reported to the board, probably on an annual basis. Previously, only senior management had reported to the board on top risks. “This is more of a bottom-up process,” Weinstein says.
Just as important, the process is expected to make employees across the bank much more aware of the risks in their businesses. “We don’t want people to not take risks,” Weinstein says. “But we want to make sure they make thoughtful decisions around all the risks they do take.”