New challenges for operational risk after the financial crisis
Managing operational risks efficiently has become crucial, especially in times of crisis and financial turmoil. Operational risks are encountered in several areas of business operations, and financial institutions are facing a continuous increase in related regulations.
by Professor Caspar Rose, Copenhagen Business School, Denmark
The Capital Requirements Directive (CRD) was formally adopted on 14 June 2006, building on the new Basel Accord. It affects banks and building societies and certain types of investment firms. The new framework consists of three ‘pillars’. Pillar 1 of the new standards sets out the minimum capital requirements firms will be required to meet for credit, market, and operational risk.
While the management of operational risk has always been a fundamental element of banks’ risk management programmes, Basel II introduced a new dimension in the form of separate capital requirements and heightened expectations for the management of operational risk. Improvements in the internal governance and other aspects of a bank’s risk management and measurement framework are expected to coincide with the increased focus on operational risk.
THE NATURE OF OPERATIONAL RISK
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements. The generic causes cover: people, processes, systems and external events. Operational risks cover a wide range of different events such as:
- IT disruptions or failure of external service/product providers
- fraud (both external and internal)
- theft of confidential data and hacking/insider trading
- external robbery and theft
- erroneous credit models/input data
- rogue trading and self-dealing
- errors in legal documents/compliance processes
- loss of key personnel
- mis-selling/incorrect advice or failure to assess product suitability.
Operational risks are calculated by three different methods in a continuum of increasing sophistication and risk sensitivity: (i) the Basic Indicator Approach; (ii) the Standardised Approach; and (iii) Advanced Measurement Approaches (AMA). Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices. Under the AMA, the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using both the quantitative and qualitative criteria. Use of the AMA is subject to supervisory approval.
To illustrate the magnitude of capital allocated to operational risk, Deutsche Bank reported in its annual accounts for year-end 2007 that capital for credit, market and operational risks, including diversification benefits across risks, amounted to €13.310 billion in total. Operational risks accounted for €3.974 billion, which demonstrates how significant it is.
KEY OPERATIONAL RISKS IN TIMES OF CRISIS
In times of economic recession or financial crises, there is a higher risk that certain operational risk events materialise such as rogue trading, fraud and mis-selling / incorrect advice. For instance, asset managers may be tempted to manipulate their earnings and financial statements to avoid reporting huge losses.
To illustrate, Société Générale, one of the largest banks in Europe, was thrown into turmoil in January 2008 after the chairman revealed that a rogue employee had executed a series of ‘elaborate, fictitious transactions’ that cost the company more than $7 billion, the biggest loss ever recorded in the financial industry by a single trader. Further, on December 10, 2008 FBI agents arrested the former chairman of NASDAQ, Bernard Madoff, and charged him with one count of securities fraud. According to federal charges, Madoff said that his firm has “liabilities of approximately US$ 50 billion.” Banks from outside the U.S. have announced that they have potentially lost billions of dollars as a result.
Moreover, customers who have seen their returns diminish substantially due to an economic recession may sue financial institutions claiming that they have received incorrect advice from asset managers, including failure to assess product suitability. In times of an economic recession where the likelihood of default increases, recovery from collateral becomes pivotal. Therefore it is important that the internal legal processes that are in place to ensure security over collateral are robust and checked carefully. A small legal technicality may be crucial as recovery may turn out to be legally impossible.
As a consequence, the governance of operational risks involves more than just calculating the yearly operational risk capital. As economies and financial conditions change over time, so does the operational risk exposure. This entails that a number of specific operational risk events may become even more likely, which in times of crises requires the attention of top management.
TAILORING THE OPERATIONAL RISK MANAGEMENT FRAMEWORK
The focus is on how to optimise the value of the risk owners’ input, meaning that each business unit / platform delivers a comprehensive description of their own major risks. Optimisation entails tailoring the communication from group operational risk department (group OR).
Managing operational risk efficiently requires that the financial institution aims for AMA, although it should be recognised that the best AMA model is no better than the input supplied by the bank’s risk owners. Efficient risk management lowers the operational capital requirements, but it also facilitates a more efficient internal risk allocation. In other words, those units that are associated with high operational risks are charged accordingly, whereas other units, for instance retail banking, may observe that their operational risk capital is lowered. This means that capital is allocated more precisely to the risk owners that face the largest operational risks.
From the perspective of the risk owners, group OR consumes their time (opportunity costs), and they may ask “what’s in it for me?” The value of their input is not immediately recognised or associated with any positive bottom-line impact from their immediate perspective. Therefore, the main challenge when seeking to implement an efficient operational risk framework is to motivate and incentivise the various risk owners to participate actively in the process. As a consequence, in communicating with the risk owners, group OR should focus on the benefits. A consistent group-wide framework will deliver better insight and reporting on:
This allows the BU/subsidiary to get greater assurance that for risks with a big impact on them:
Risk owners are not only supposed to identify their key risks but also to do so on a continuous basis to report to the group on how these risks evolve over time. As a consequence, there is often a need to appoint a liaison person.
When tailoring the operational risk framework, communication is vital:
- balancing the need for a comprehensive risk description versus information overloading;
- preparing the meeting participants’ expectations prior to a meeting when sending out material in advance (distinguishing ‘nice to know’ from ‘need to know’ information);
- making sure that the bank’s top management actively communicates that OR is of high priority for the group;
- ensuring that the risk owner is able to observe some clear advantages of the project – even if this means that more capital must be allocated.
MANAGING OPERATIONAL RISKS EFFICIENTLY WHEN SERVICES ARE OUTSOURCED
Outsourcing is increasingly used as a means of both reducing costs and achieving strategic aims. Its potential impact can be seen across many business activities, including information technology (for instance applications development, programming and coding), specific operations (for instance aspects of finance and accounting, back office activities and processing), administration and contract functions (for instance call centres). Industry research and surveys by regulators show financial firms outsourcing significant parts of their regulated and unregulated activities. These outsourcing arrangements are also becoming increasingly complex. For instance, IT disruptions may impact the entire group if a financial institution relies on a single common IT platform. To illustrate, Danske Bank experienced severe IT integration problems when it acquired the Finnish bank Sampo in 2007. Failure to integrate a different IT system into the single platform concept had severe negative impacts on the bank’s ability to serve its customers and facilitate transactions in the entire Danske Bank group.
Outsourcing has the potential to transfer risk, management and compliance to third parties who may not be regulated, and who may operate offshore (cf. ‘Outsourcing in Financial Services’, issued by the Basel Committee, 2005). The increased reliance on the outsourcing of activities may impact on the ability of regulated entities to manage their risks and monitor their compliance with regulatory requirements. Among the specific concerns raised by outsourcing activities is the potential for over-reliance on outsourced activities that are critical to the ongoing viability of a regulated entity as well as its obligations to customers.
As a consequence, national banking supervision authorities all have requirements and have issued guidelines on outsourcing. For instance, in early 2005, new provisions were introduced in France in regulation 97-02 relating to internal control in credit institutions and investment firms. These provisions cover both material and non-material outsourcing and set up specific requirements for outsourcing core activities. Outsourcing has to be established in a written contract which must explicitly allow for on-site visits by the financial institution and by the Commission Bancaire. Outsourced activities and their related risks must be a specific part of the reporting to the board of directors. In addition, the UK Financial Services Authority (FSA) sets out its guidelines for banks in the Interim Prudential Sourcebook for banks, where it states that a firm should always notify the FSA prior to entering into a material outsourcing arrangement.
The Basel Committee has formulated a number of specific recommendations that address outsourcing by financial institutions, specifically:
- The board of directors or equivalent body retains responsibility for the outsourcing policy and related overall responsibility for activities undertaken under that policy.
- The regulated entity should establish a comprehensive outsourcing risk management programme to address the outsourced activities and the relationship with the service provider.
- The regulated entity should ensure that outsourcing arrangements neither diminish its ability to fulfil its obligations to customers and regulators, nor impede effective supervision by regulators.
- Outsourcing relationships should be governed by written contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties.
- The regulated entity and its service providers should establish and maintain contingency plans, including a plan for disaster recovery and periodic testing of backup facilities.
Outsourcing services may offer sound financial benefits due to economies of scale or specialisation. However, a prerequisite is that top management is aware of the increased operational risks that are associated with outsourcing, especially if the services are performed in other parts of the world, for instance when a European bank outsources some of its IT services to firms located in Asia. The following case study illustrates that regulators may issue specific instructions when outsourcing fails.
CASE STUDY
OUTSOURCING UNIT PRICING FOR MANAGED FUNDS
In 1999, a major Australian institution outsourced its unit pricing and custody arrangements to a custodian that was part of the overall group. The custodian was eventually sold to another party but the outsourcing arrangement remained in place. In January 2004, it was discovered that tax credits had not been claimed for the relevant funds over a number of years and that unit prices had been underestimated as a result. When the problem was discovered, the institution had to compensate investors, costing approximately AUD $90 million, and the regulators instructed the institution to carry out an overall review of its systems and processes to ensure that the problem did not recur (generic example on outsourcing risks illustrated in the Basel Committee’s report on outsourcing, 2005).
GENERAL LESSONS FOR OPERATIONAL RISKS AFTER THE CRISIS
Financial institutions have always been exposed to operational risk events, as failures in people, processes, systems and external events are an inherent part of conducting financial services. However, there is strong reason to believe that the exposure to operational risks in the future will increase. The reason is that systems, financial products and IT solutions tend to become increasingly complex and interconnected, especially if financial institutions decide to outsource vital parts of their services.
One of the main reasons for the occurrence of the current crisis is the widespread use of complicated and non-transparent financial products that were developed during the last decade. Often they were structured as synthetic products that were bundled and resold several times to investors on a global scale. However, this has important consequences for the governance of operational risks. The key message is that when financial engineering increases in complexity, management needs to be focused on the management of operational risks. If top management neglects this task or accepts inefficient operational risk controls, this may lead to fatal consequences for any financial institution.

Caspar Rose (M.LL., Ph.D.) is professor at Copenhagen Business School, Department of International Economics & Management and Centre for Corporate Governance. He holds a background as a lawyer as well as a financial economist. Caspar Rose has served as special legal advisor for the Confederation of Danish Industries (Dansk Industri) as well as for Danske Bank where he worked as chief analyst in the Operational Risks Group.