Operational risk has emerged as a pervasive business and regulatory challenge for the banking industry. “The risk of operational failure is embedded in every activity and product of an institution,” according to Comptroller of the Currency Thomas J. Curry. “Operational risk is heightened when these systems and procedures are most complex.”1 Even the most well-thought-out systems can be affected by internal and external events that significantly increase operational risk. Further, operational risk that is not properly managed typically signals an operating environment prone to underperformance, whether because of frequent rework, fragmented workflows, manual activities and repetitive reconciliations, or ineffective controls. These factors add unnecessary cost to doing business and inhibit profitability.
Among other industry risk management and regulatory frameworks, the Basel Committee states that operational risk is “the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses.”2
The Office of the Comptroller of the Currency and other major regulators (e.g., the FDIC, the CFPB, the Federal Reserve and the SEC) have also provided guidance to help banks focus on the areas of highest concern. According to Curry, banks need to take strong action. “It is critical that banks and thrifts instill strong cultures and oversight processes. Management needs to focus on key controls and maintain knowledgeable and sufficient staff. We can never underestimate the determination and ingenuity of our adversaries — and we must be equal to that risk as it evolves.”3
Media attention: The public is watching
The fines and claim settlements that frequently follow operational risk events continue to draw an outsized amount of media coverage. For example, a leading global financial group was recently fined for client account control failures. The event featured heavily in the news, and the associated penalties, amounting to millions of dollars, were widely reported.
When a large institution experiences an operational risk event, public awareness is high (incidents at smaller banks garner less attention). As a result, failure to properly manage operational risk can trigger serious business consequences, such as reputational damage.
How banks can successfully comply
As new regulatory requirements continue to shape the industry, banks face both uncertainty and added operational complexity. Given this environment, operational risk management has become even more critical to a robust and customized enterprise-risk management (ERM) framework.
It is essential for banks to understand which elements of their business will be affected by the regulations. As they work through these decisions, banks must also take the next step and address operational issues by identifying root risk factors and mitigating negative impacts on profitability.
Here are five tips for achieving an effective operational transformation that reflects current regulatory demands and may further address business imperatives.
- Make an executive mandate. The importance of cross-functional operational leadership — especially for compliance, risk management, operations and IT — can’t be overstated. Change management is critical; yet this function often lacks the resource accountability and authority to ensure tasks and responsibilities are executed as planned. Additionally, strong governance and control at the top are essential to ensure that both long-term and day-to-day goals are met. An executive mandate should commission an effective enterprise program charter with the sole purpose of developing a strategy to achieve long-term regulatory compliance. Once every stakeholder understands the leadership’s expectations, the culture and business strategy can be aligned with those expectations.
- Allow sufficient time, investment and planning. Streamlining processes and implementing proper system solutions can involve approval from many layers of management, which can be time-consuming. Additionally, corporate dollars intended to support regulatory compliance initiatives are often budgeted for shorter timelines, rather than the longer term needed for a specific regulation. For large organizations, compliance will require many incremental steps over a long period of time and will span multiple budget cycles, different governance structures, IT changes and shifts in stakeholders. It is therefore critical to engage in comprehensive, long-term planning and strategic budgeting in order to achieve lasting success.
- Understand the data. Poor data management can tack an additional 8%-10% onto existing operating costs. Getting a handle on data is critical, but difficult when dealing with an array of application architectures, database structures, integration platforms and system owners, all embedded in a complex IT network. Much of that legacy technology is decades old, making it difficult to maintain and even harder to modify to conform to today’s standards. To take stock of the organization’s technology infrastructure, it is useful to conduct an enterprise-wide data rationalization initiative or master data management (MDM) program. The MDM analysis will reveal redundancies and inconsistencies caused by multiple data sources, along with the associated reporting inefficiencies. It will help build awareness of the trade-off between upgrading legacy systems and investing in replacement systems, and it will clarify integration requirements and consolidation options. In conjunction with an MDM initiative, organizations may also consider collaborative disclosure management (CDM), which can integrate with any source system at the last stage of regulatory reporting, providing durable capabilities for a limited investment.
- Minimize short-sighted decision-making. Given the amount of legacy technology in place, it is not surprising that organizations are reluctant to invest in upgraded platforms. Instead, they layer new technologies on top of old systems. Companies often do this to meet compliance requirements without taking the big picture, including downstream ramifications, into account. Compliance is deemed achievable, for example, by modifying existing technology, but a short-term patch on the old infrastructure may need to be revisited when other requirements force further decisions, up to and including replacing the entire system. The tactic can also backfire when a legacy system fails and access to the contributing data is lost. What organizations often do not realize is that the investment they make today in lasting technology changes pays off in multiple ways. The technology infrastructure built for Dodd-Frank compliance, for example, can also deliver streamlined, flexible and real-time reporting that can be leveraged to run the business.
- Invest strategically. As financial institutions begin to incorporate regulatory stress testing and scenario-analysis techniques (in response to, for example, the Basel III regulatory standard, the Comprehensive Capital Analysis and Review [CCAR] and Dodd-Frank Act Stress Testing [DFAST] requirements), they can simultaneously improve their capabilities to assess, measure and manage key operational risk factors, which ultimately will support sounder capital planning and related management actions.
Operational risk management can enhance regulatory capital management initiatives and significantly improve business performance.
What banks should do now
Banks must improve profitability on a more competitive and uneven playing field while complying, on a daily basis, with an overwhelming number of regulations and requirements. Here is what banks should be doing now to recalibrate their operations and upgrade their operational risk management capabilities for long-term success:
- Fine-tune the lines of defense to optimize regulatory compliance (i.e., business, compliance, ERM, risk management and internal audit)
- Upgrade the organization’s existing ERM program, embedding advanced operational risk measurement and modeling constructs to support heightened risk assessments and to address regulatory stress-testing requirements
- Strengthen the overall risk culture via top-down initiatives that address shortcomings in governance principles and practices
- Establish a monitoring mechanism
- Improve monitoring and reporting processes (for example, optimize operational risk dashboards by level and function)
- Implement automated tools that can assist in maintaining an effective, less-manual risk-monitoring process (e.g., GRC and internal audit systems)
- Improve risk data aggregation capabilities and overall risk reporting
- Assess and address shared-services and partnership alternatives to improve overall business performance
- Create a process for third-party assessment of the operating effectiveness of the risk-mitigating controls
A compliance exercise and performance improvement tool
Implementing a robust operational risk program is often a reactive process, undertaken in response to enhanced regulatory requirements (e.g., CCAR and/or DFAST in the U.S.), following stress tests and/or to adhere to capital requirements. If done strategically (taking enterprise-wide needs into consideration), operational risk programs can bring the added benefit of improving transformation cost management initiatives, a boon for institutions that must do more with less in today’s highly competitive environment. As regulatory stress testing and scenario-based techniques are gradually assimilated by many institutions, proper operational risk programs that improve capabilities to assess, measure and manage key risk indicators are ultimately anchoring sounder capital planning processes and related capital management actions.
The bottom line: Sound operational risk management capabilities are key to the continued success of all organizations. For optimal effect, programs should be embedded in the institution’s overall strategic plan, mandated from the top down and supported by a robust change management initiative with adequate funding, as investment in technology and data management solutions may be necessary. Those firms that succeed will draw important regulatory compliance efficiencies and enjoy significant improvements in their business indicators.
1 Remarks by Thomas J. Curry, comptroller of the currency, before the Exchequer Club, May 16, 2012.
2 Basel Committee on Banking Supervision. Consultative Document: Operational Risk, January 2001.