ORM within financial services – the state of play
December 2016 | COVER STORY | BANKING & FINANCE
Financier Worldwide Magazine
The importance of an organisation’s operational risk management (ORM) function – particularly for financial institutions (FIs) – should not be misunderstood nor undervalued.
Since the financial collapse of 2007-2008, calls for financial firms to maintain a robust operational risk framework have been frequent and unremitting. This requirement is bolstered by frequent reminders of the consequences of prior risk management failings and the shadow they still cast.
ORM is clearly an issue that matters. However, it must be recognised that to a large extent ORM is a fluid notion with inexact boundaries – a concept in search of a definition, if you like. Broadly-speaking though, an organisation’s ORM facility is tasked with identifying external or internal sources of operational risk, and then determining how these may impact overall business activities.
According to Brenda Boultwood, senior vice president of industry solutions at MetricStream, an organisation’s ORM function is increasingly seen as the place where non-financial risks (NFR) – risks other than those relating to market and credit, such as third-party, IT, compliance with regulatory and legislative changes, legal, HR and other qualitative risks – are brought together. “Regulatory compliance integration is becoming more common as ‘operational’ and ‘compliance’ risks become more interrelated,” she adds.
State of play
The effective management of NFR issues such as regulatory compliance, misconduct, suspect technology, or planning and operations is a growing challenge for FIs. Much of the challenge comes from a regulatory landscape riddled with frameworks and accords that FIs are required to get to grips with, such as AMA (Advanced Measurement Approach), SMA (Standardised Measurement Approach), BI (Business Indicator approach), Pillar 2 and the Internal Capital Adequacy Assessment Process (ICAAP), SOX (Sarbanes-Oxley Act), as well as the current and forthcoming Basel risk measurement and capital standards.
“The overall operational risk exposure for the majority of FIs has continued to increase,” observes Manoj Kulwal, an operational risk management expert at Eureka Financial Ltd. “This is due to the ever-increasing pressure to optimise the overall cost structure to deliver better returns to shareholders.” He identifies the ever-increasing threat of cyber attack; the search for new products, customers and revenue; competition from FinTech organisations; and the complex regulatory compliance landscape as further key factors behind the increase in operational risk exposures facing FIs.
The ORM function has become a big agenda item, addressing adverse developments attributable to factors such as customers, inadequately defined controls, system or control failures and unmanageable events. Other discussion points include regulatory change and compliance, management and mitigation, risk modelling and governance, and emerging risks. But perhaps the greatest area of concern is cyber risk, which a recent Risk.net survey found to be the most important operational risk for 2016.
Faced with this growing raft of risks, FIs need effective risk quantification techniques to measure them. “It has proven to be very difficult to model operational risk,” says Simon Goldsmith, head of risk solutions for SAS UK & Ireland. He cites a consultative document on the Standardised Measurement Approach (SMA) for operational risk, issued by the Basel Committee on Banking Supervision (BCBS) in March 2016, which proposes to remove the Advanced Measurement Approach (AMA) for calculating operational risk capital.
“AMA calculations are both inherently complex and lack comparability across banks and operational risk classes,” states Mr Goldsmith. “As a result, there is a lack of confidence or trust in the measures produced. BCBS is proposing that all operational risk regulatory capital requirements are calculated using SMA – be it with some basic sensitivity adjustments to reflect the particular bank concerned.”
To be sure, there are inherent difficulties in quantifying the ‘big four’ ORM issues – regulatory issues, cyber threats, financial crime and risk culture – according to Mike Finlay, chief executive of RiskBusiness. “Regulatory fines have little resemblance to the ‘crime’, they are much more a factor of what the regulator thinks is appropriate for the firm in question, political pressure and previous fines levied, while cyber often has no direct monetary impact, often being viewed by IT specialists almost as an accepted cost of being in business,” he says.
For Peter Docherty, a certified member of the Institute of Risk Management and spokesperson for the IRM, the difficulty of assessing and quantifying operational risks should not be understated, primarily because of the lack of historical loss data and the emerging threats that have yet to be experienced across the industry. “The impact of a cyber breach of the nature of TalkTalk – where an attack on the company’s website in late 2015 saw the banking and personal details of thousands of TalkTalk customers stolen – in the financial sector would be substantial,” he says. “We have seen the reputational and financial consequences of the inability to maintain compliance with sanctions regulations, which would be difficult to accurately measure as financial penalties of that scale have never been applied historically.”
Measuring the potential likelihood and impact of the range of operational risks facing FIs is one thing. But integrating a risk framework into an organisation’s systems that establishes an effective hybrid, incorporating the appropriate use of data such as risk reporting, is quite another.
“There is no ‘one-size-fits-all’ approach to building an ORM framework, as each will be based upon an enterprise’s own needs and internal operating environment, but it is a never-ending process,” suggests Ms Boultwood. “ORM needs to be agile, able to adapt quickly to incorporate new risks, regulatory change and internal developments. Frameworks need to permeate down and be integrated into the day-to-day functioning of all departments. It is not simply about templates and policies.
“A prerequisite to comprehensive ORM is a data model that allows linkages between operational risk events, risk assessments and metrics with other data-heavy functions, such as audits, control tests, third-party risk assessments and IT risk assessments. This enables greater transparency so that businesses can identify and manage risk holistically. Without this access to high-quality relevant data, the ability to gain insight and respond quickly to scenarios is incredibly difficult,” she adds.
According to Justin McCarthy, chairman of the global board at the Professional Risk Managers’ International Association (PRMIA), formulating a quick response can be helped by good reporting driven by a solid understanding of data. “Having a risk taxonomy in place as part of the operational risk framework can aid in this,” he opines. “Agreeing beforehand what the operational risks are and organising them into simple to understand categories can help in spotting patterns in areas like operational loss events. This can then lead to better reporting to the senior stakeholders on the success of the operational risk framework implementation and will allow a communication on the benefits achieved.”
Moreover, according to Mr Finlay, a refocus is required: a move away from trying to identify risk towards identifying and managing the causal factors that result in risk and exposure occurring. “By focusing on cause, the risk management function becomes proactive and is better able to implement preventative controls,” he says. Risk management frameworks need to accommodate a risk type which is continuously morphing and which is as intrinsic to the firm’s strategic and business plan as the concept of risk and reward. “To successfully and proactively manage operational risk, the firm needs risk intelligence, enriched data from both within and from outside, then to determine all possible implications for the firm’s risk profile under various levels of stress and to facilitate decision-making accordingly,” he concludes.
Trends and developments
The ORM space has been a hive of activity over the past 12 months or so, with emergent trends and developments casting some doubt on the ability of FIs to cope with the overall risks they encounter.
“The two notable trends of late are regulation and operational risk,” says Mr McCarthy. The first of these centres on the BCBS’s surprising decision to potentially scrap the AMA. The second is dominated by the increasing threat of cyber crime for banking and finance industry organisations. “With a slow and constant bleed of details on presidential candidate Hillary Clinton having had an impact on the US presidential election, many are thinking of the damage a similar campaign could cause to their own institutions,” notes Mr McCarthy. “With successful attacks including the likes of an attack on Bangladesh’s central bank resulting in $101m being stolen, this is no idle threat.”
Another trend is for qualitative risk aggregation and reporting to be driven through a common data model. As Ms Boultwood points out, this strategy is becoming increasingly popular due to new data integrity regulations such as BCBS 239 on ‘Principles for effective risk data aggregation and risk reporting’. “This empowers an organisation’s ORM team to more easily analyse all information to improve processes, risks, controls, products, regulations and assets,” Ms Boultwood expounds. “A further notable development is increasing end-user adoption. Risks need to be managed closest to where they are taken, which is often in a business’ first line of operation or defence. Firms must facilitate this new process through easy to understand language and functions, and simple, consumerised technology.”
ORM today is also concerned with threats from terrorism, conduct risk and regulatory compliance failures, according to Mr Goldsmith. “What is clear is that institutions need better methods for identifying potential risks, capturing relevant information and developing efficient management plans to address these ongoing challenges,” he affirms. “Companies that invest in deeper analytics and streamline their processes will be better prepared to deal with emerging, as well as ‘routine’, operational risks.”
Financial services firms face a wealth of challenges to their ORM function – all of which are likely to escalate in the months and years ahead. The ORM landscape could remain at a very concerning level, with operational risk losses and the resultant reputational impacts becoming a common occurrence, no longer treated as a surprise.
“The finance and banking fraternity is not currently prepared to prevent large-scale operational risk losses due to the disconnect between business objectives and operational risk management, as well as the lack of integration of ORM within the business decision-making process,” suggests Mr Kulwal. “A significant overhaul of operational risk methodologies, processes and the skill set of operational risk departments will be needed to achieve this. With current business pressures, most organisations will be reluctant to make such changes.”
Mr Docherty believes that ORM is probably the least advanced of the risk disciplines. The evolving nature of the risk landscape will continue to place pressure on the evolution of risk frameworks, reporting and people to ensure risks are managed within appetite. “The risk management profession will play an important part in driving forward enhancements and the demand on appropriately qualified individuals,” he surmises. “Technology developments in the ORM field will also be essential to drive the ability to provide effective insight and drive appropriate mitigation. The challenge for the next few years is an extension of the recent past – the threats and risks are constantly evolving and the reliance on robust ORM frameworks, supported by highly skilled and qualified risk management professionals, driven by a positive risk culture, will position FIs positively to deal with key risks facing the industry.”
What will be challenging for FIs going forward is the need to anticipate the unknown risks they face, in addition to identifying and estimating known operational risk types. As Mr Goldsmith points out, cyber risk is a good example of a relatively new risk that has had little attention paid to it for many years. “Given the magnitude of potential losses from hacking corporate systems and infrastructure, holding entire systems or data hostage, leaks or theft of confidential or proprietary information and intellectual property, companies are now realising that they need to at least catch up with, if not try to get ahead of, putting the appropriate protections and safeguards in place to ensure their systems and information are safe,” he says.
As a discipline, ORM appears to be at a crossroads. For some, it could prove to be a failed experiment, superseded by compliance, information security, financial crime and other specialist functions. Or, as Mr Finlay maintains, ORM could claim its rightful place as a common framework under which many different manifestations of what is, in essence, people risk, are managed.
“Time will tell which way the discipline goes,” he says. “I believe that, with the unending stream of regulatory change and political noise, the compliance function will remain strong in banking, but that does not mean firms are better prepared. Rather, I see firms lurching from crisis to crisis until such time as they reorganise their risk governance structures, embed accountability and become proactive in managing risk.”
For FIs exposed to operational risk at the sharp end, having recourse to an ORM framework which can alert them to the myriad risks they may encounter, and which can then be utilised as a legitimate source of competitive advantage, is extremely beneficial.
In a complex and volatile global environment, the debate surrounding ORM – and what it means for FIs – will continue until there is no doubt as to the legitimacy of the function as a cornerstone of mitigation strategies deployed by the financial community.
Ultimately, the challenge facing FIs is to not only identify and estimate the types of known operational risk, but to anticipate their unknown counterparts – an altogether more taxing proposition.
© Financier Worldwide