Eyeing the Many Facets of Risk

When the four U.S. banking regulators announced in 2004 a new capital framework for the country’s banking industry—developed by the Basel Committee on Banking Supervision and generally referred to as Basel II—among its many provisions was the requirement that large banks set aside capital for operational risk, just as they do for market and credit risk. The rulemaking process for Basel II has already fallen behind the schedule U.S. regulators laid out 18 months ago, and once they have been fully implemented, the new regulatory capital rules may not apply to more than a dozen of the largest U.S. banks. But the Basel II initiative has served to focus more attention on the importance of operational risk management throughout the industry, even among those smaller banks that will never have to adopt its requirements.

And this is ironic, because operational risk has been a part of banking for as long as there have been…well, banks. The term applies to an infinite array of problems that can afflict virtually any institution in the country, ranging from natural disasters and robberies to major systems failures and worker compensation claims. But even as the industry has adopted more modern management practices over the past several decades, operational risk never seemed to demand quite as much attention as did credit or market risk—which have long been understood to pose a significant threat to a bank’s solvency if not handled carefully.

A period of transition

But all this began to change as the industry entered a period of intense deregulation and consolidation, which started in the 1980s and continues today. Indeed, the operational risk provisions in Basel II are simply recognition of the industry’s evolution over that period of time. As U.S. banks have grown larger and more complex, their operational risk profile has changed and become more difficult to manage. Moreover, external events like Hurricane Katrina and the corporate fraud scandals of the recent past have also contributed to a growing awareness among senior bank executives and their boards of directors that they must pay closer attention to operational losses.

“As we get better at managing credit risk and market risk, operational risk is emerging as the one area where we don’t do terribly well,” says Charles Taylor, director of operational risk management at the Risk Management Association (RMA) in Philadelphia. For example, a recent quantitative impact study conducted by the four federal banking regulators as part of the Basel II proposal found that 26 participating U.S. banks had approximately $25 billion in operational losses between 1999 and 2004—or about $5 billion a year. “Those are huge, hard-dollar losses,” says Yousef Valine, head of operational risk management at Charlotte-based Wachovia Corp.

The good news is that a growing number of banks are beginning to develop comprehensive programs to manage operational risk just as they traditionally have managed credit and market risk. In some instances they have established standing committees at the board level to manage the institution’s overall risk profile, including its operational risk. Herb Hilliard, executive vice president for risk management at Memphis, Tennessee-based First Horizon Corp., says many of the recent enforcement actions federal regulators have taken against banks have been for operational issues. “If you look at the things that get you on the front page of the newspaper, they’re operational issues,” says Hilliard.

Defining the terms

The problem with understanding the scope of operational risk is that there are seemingly an infinite number of examples. Credit and market risk tend to be more discrete and emanate from a smaller number of activities within the bank. Operational risk, on the other hand, is spread across the entire organization. “Unlike credit risk and market risk, where risks are taken by a few people, everybody takes operational risk,” says Taylor. “Market risk and credit risk are technical processes while operational risk is a very close cousin of general management.” Adds Susan Schmidt Bies, a governor at the Federal Reserve Board in Washington, D.C.: “Operational risk management is process management in its broadest sense.”

In February 2003, the Bank for International Settlements, which oversaw the development of the Basel II Capital Accords upon which the new U.S. framework for bank regulatory capital will be based, issued “Sound Practices for the Management and Supervision of Operational Risk,” a report that provides a valuable overview of this emerging discipline. The report tried to define operational risk by dividing it into seven primary categories:

Internal fraud. This includes such things as employee fraud and insider trading for an employee’s own account.

External fraud. Examples include robbery, forgery, and damage from computer hacking.

Employment practices and workplace safety issues. These range from traditional workers compensation claims to a wide variety of general liability situations like a slip-and-fall accident involving a customer on an icy sidewalk.

Clients, products, and business practices. Incidents include fiduciary lapses, release of confidential customer information, and money laundering.

Damage to physical assets. Terrorism, vandalism, fire, floods, and hurricanes all fall into this category.

Business disruption and system failures. Examples would be hardware and software failures and telecommunications problems.

Execution, delivery, and process management. Possible incidents include data-entry errors, unapproved access to client accounts, and vendor disputes.

Operational risk is so ubiquitous because it is the unavoidable consequence of virtually every activity in the bank. “Your imagination can run wild in this job,” says Ken Weinstein, senior vice president for operations risk management at People’s Mutual Holdings, the parent company of $11 billion People’s Bank in Bridgeport, Connecticut. And because operational risk is a by-product of a bank’s underlying processes, the industry keeps producing new forms of risk all the time.

In its report on operational risk management, the Basel Committee on Banking Supervision observed that greater use of automated technology has the potential to turn manual processing errors into system failure risks. The dramatic growth of electronic commerce presents a variety of fraud and security concerns, while large-scale acquisitions test the effectiveness of integrated systems. As the industry has gone through a gradual process of deregulation over the past two decades, it has moved into previously forbidden product lines like investment banking, mutual funds, and insurance brokerage services, all of which have expanded its operational risk profile. Even when a small community bank offers a new product like trust services, free checking, or debit cards, it takes on additional operational risk.

Regulation also creates new forms of operational risk. Stricter enforcement of the Bank Secrecy Act and its anti-money-laundering provisions after the 9/11 terrorist attacks has greatly increased the likelihood that an institution might fail to file a suspicious activity report with the U.S. Treasury Department. And the Sarbanes-Oxley Act of 2002 required all public companies to strengthen their controls for financial reporting—and includes stiff fines and even prison terms as possible consequences for executives who violate the law’s provisions.

Wrestling the beast

A comprehensive risk management program must extend from the board of directors down into the furthest reaches of the company. Because operational risks are so pervasive, the program’s scope must be as well. To be effective, the program also must be supported by a “strong operational risk culture,” which the Basel Committee on Banking Supervision defines as “the combined set of individual and corporate values, attitudes, competencies, and behavior” that shapes and informs a company’s approach to operational risk management. “It’s all about the culture of the institution,” agrees Valine. “It’s about business ethics. It’s about transparency and openly talking about risk.” Indeed, one goal of an effective program is to identify as many operational risks as possible and make them transparent, which means, counterintuitively, making them fully visible. “A no-surprise environment is what you shoot for,” says RMA’s Taylor.

Perhaps one of the biggest challenges in managing operational risk is to not let the complexity of the underlying task result in a risk management program that is so hopelessly complicated it ends up looking like a Rube Goldberg machine. Not only are credit and market risks imbedded in a relatively smaller number of business activities, banks also have been managing them through formalized programs much longer. By comparison, the industry is still learning to bring the same comprehensive approach to operational risk management. “[Credit and market risk] can tell their story in four or five slides,” says Wachovia’s Valine. “How do we tell our story in four or five slides? How do we boil our risks down to what the board and management need to know?”

To be successful, an operational risk management program must have the strong support of senior management and the company’s directors. Moral authority comes from the top and the ultimate accountability for sound risk management—as with all things in a corporate environment—lies with the board. Directors are not themselves risk managers, but they must understand the program and have confidence in its effectiveness. “The role of the board is to make sure it understands how the institution manages its operational risk,” says Bies.

Assigning ownership

Weinstein’s People’s Bank has established a standing operational risk committee of the board, which meets at least six times a year and oversees “the implementation of a firmwide framework to explicitly manage operational risk as a distinct risk to the bank’s safety and soundness,” according to its charter. Below this is a management operational risk committee, which meets monthly and includes People’s chief executive officer and several senior executives.

Wachovia uses a somewhat similar organizational structure despite being—at $532 billion—many times larger than People’s Bank. A board-level risk committee meets six times a year to review the company’s exposures across the entire enterprise, including operational risk. Valine makes a presentation to the committee when it meets. The next step down is a management-level senior risk committee, which reviews risk across the organization from the same perspective. Valine makes regular presentations to this committee as well. And below this group is an operational risk committee, which Valine chairs. Wachovia has divided itself into 10 primary business units and each business has its own operational risk committee as well.

Unlike People’s Bank and Wachovia, First Horizon has given governance responsibility for operational risk to its audit committee. Hilliard, who oversees risk management for the $37 billion bank, says First Horizon has a relatively small, 11-person board and decided against establishing another committee that would further tax its existing resources. Also, audit committees generally have oversight responsibility for their company’s internal auditing process, which plays an important role in operational risk management. Even though audit committees have also been stretched by the implementation of Sarbanes-Oxley—which requires them to assume the lead role in managing their company’s relationship with its external auditor—Hilliard says the arrangement still works for First Horizon. “We’ve found that the audit committee can handle both of those responsibilities.”

John Brackett, director of risk management at Bloomington, Minnesota-based consulting firm RSM McGladrey, says smaller institutions often rely on executive management and the board of directors for operational risk oversight. “I tend to see a lot of questions coming from management and the board,” he says. Still, Brackett believes it’s an emerging best practice to set up a separate board-level committee to handle operational risk issues in the company.

If the tone is set at the top, the operational risks themselves are usually “owned” by the business units in which they reside. This is perhaps the greatest distinction between the management of credit and market risk on the one hand and operational risk on the other. Credit and market risks are generally handled through a parallel process where a separate credit analysis or risk management infrastructure provides an independent review and actively manages the risk. But at People’s Bank, Weinstein and a single staff member provide technical advice and support to 40 different business units throughout the bank. Valine has a significantly larger staff at Wachovia, although it’s still comparatively small given the enormous size and complexity of the organization.

And such is the case at the vast majority of banks today, where the business units are responsible for managing their operational risk with an assist from corporate staff executives like Weinstein and Valine. “They are the real risk managers,” says Weinstein. At Wachovia, Valine has the authority to step in if he believes a business unit is taking on too much risk—“but that doesn’t mean we manage the risk [on an ongoing basis],” he says. “You can’t make operational risk management work from the top down,” adds Hilliard. “The execution has to be from the bottom up. Any organization that doesn’t have line units responsible for managing operational risk is asking for trouble.”

Engineering a system

Another critical element of any operational risk management system is the risk-assessment process, which consists of identifying and prioritizing all potential operational risks in the organization. Many banks do this through a self-assessment process where line personnel evaluate their business unit’s inherent operational risk through the use of standardized questionnaires and scorecards. Both Wachovia and People’s Bank rely on self-assessments to identify their operational risk. “Are the risks clearly understood in the company?” says Valine. “Does management clearly understand the risks it faces?”

It’s also crucial that banks have a monitoring system in place whereby the business units can review risk profiles and material exposures to losses. “Regular monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes, and procedures for managing operational risk,” according to the Basel Committee on Banking Supervision’s report on operational risk. Combined with this monitoring system should be an internal control system designed to mitigate all known risks as much as possible. Examples would include segregation of duties, clear lines of reporting and adequate operating procedures. And backing up the entire risk management process should be a strong internal auditing environment, where auditors provide independent validation of business-unit self-assessments, control effectiveness, adherence to policies, and problem resolution. “Internal auditing should play the role of being the champion of operational risk management,” says RSM McGladrey’s Brackett.

The collection of operational loss data is a significant aspect of the proposed Basel II rules on operational risk management, since the very large banks that must adopt the new framework will have to base their regulatory capital allocations for operational risk on a thorough analysis of their own data. But even banks that may never adopt the new framework—such as Cincinnati-based Fifth Third Bancorp—believe that efforts to track operational data will improve their risk management efforts. Malcolm Griggs, Fifth Third’s chief risk officer, has created an operational loss database that enables him to track loss patterns within the organization. “It gives us the ability to dig down to reveal the cause,” he says.

And it is vitally important that banks view operational risk management as a dynamic exercise that must keep pace with their strategic growth. This same caution applies to credit and market risk as well, but operational risk is perhaps more insidious because it comes from a wider array of sources. Every time a bank adds a new product, invests in a new system, or enters a new business line, it expands its operational risk profile. And the risk management process needs to expand correspondingly. “Be methodical about managing change,” says Taylor at RMA. “Being methodical has value. Little things materialize as big losses in the operational risk world.”

And this may be the single most compelling reason to take operational risk management seriously—operational losses cost money and can negatively affect a bank’s profitability. Taylor says institutions above $1 billion in assets, which are large enough to have complex risk profiles, are beginning to put more resources into their operational risk management efforts. And the reason is money. “They think they might get an economic return,” he says. One person who has no doubt about that is Hilliard at First Horizon, who declines to provide too much detail about the bank’s efforts in this area. The reason? “Good operational risk management definitely gives you a competitive advantage,” he says.
