CONTROLLING OPERATIONAL RISK
By Andrew Webb
It’s official: operational risk management is now sexy. The sound of operational risk conference brochures thudding onto desktops around the world is testament enough to that. That other curious noise you hear is the sound of consultants and vendors scratching their heads. Market and credit risk were relatively straightforward challenges by comparison.
At this point, it looks like it could take years just to get within a mile of a consensus on a precise definition of operational risk.
The regulators certainly seem to agree. Late September 1998 saw the appearance of a slim document from the Basle Committee on Banking Supervision, succinctly titled “Operational Risk Management.” After interviewing some 30 banks, the report bluntly states: “At present, there is no agreed upon universal definition of operational risk.”
Some in the market define it as risk related specifically to operations such as clearing and settlement, possibly taking in technology risk (including year 2000 problems), as well as myriad other possibilities—with legal and reputational risk thrown in for good measure. Others simply argue that operational risk is anything that isn’t already categorized as market or credit risk. And some don’t see operational risk as something that can be neatly split away from the other risks at all.
Still others take an even more jaundiced view. “I think you could say that operational risk is anything that nobody else wants,” says Michael Ong, head of treasury business research at ABN Amro in Chicago. “As a result, it could include pretty much anything and everything, from a teller handing out too much change in a retail bank to a rogue trader.”
That in itself illustrates the conundrum facing the industry. While many banks might opt for a blanket definition, there are likely to be important differences. For example, some dealers might prefer to treat liquidity issues as a subset of market risk, while others would label them operational. Others might prefer to exclude physical risk (such as an earthquake, fire and so on) and place it in a category on its own. The bottom line is that without a common standard, any statistical measures are relatively meaningless when used for comparison between banks.
Hot spot: back office
Despite the lack of an agreed-upon definition, there seems to be some consensus when it comes to identifying some of the primary sources of operational risk. In many cases, one can simply substitute “operations risk” for “operational risk”—and the source is usually the back office, which in many institutions serves as a modern version of Dante’s Inferno.
“There are probably a phenomenal number of operational failures that happen here—but never enter the public domain,” says Richard Watrasiewicz, a managing consultant at TCA Consulting in London. “It’s hardly a gripping topic, and therefore, it’s much less likely to interest senior management and gain momentum than something like a rogue trader.”
“People want to read about some villainous rogue trader,” says Ong. “Not about how Miss Sakomoto goofed on misplacing some zeros before the decimal point. I think one of the best ways to improve operational risk management practice would be to compel every member of the board to visit the back office. Just 10 minutes walking through it after the trading floors are empty, seeing the deplorable working conditions and noticing who stays late to sort out the failed trades and attempts to reconcile the trade tickets, should do the trick.”
The level of manual procedure that still exists in many back offices is an obvious culprit. Couple that with low status and pay, and huge staff turnover, and you have a recipe for a much more insidious problem than the Nick Leesons of this world—a slow and continual corrosion of the bottom line that in many institutions has been masked by margins on front-office activities. In most cases, the risk isn’t sabotage by disgruntled employees, but more mundane snafus and bungles caused by ignorance or by one person failing to pick up where another person left off.
“It’s often entirely innocent,” says Watrasiewicz. “I have sat and watched a back-office clerk enter numbers in a spreadsheet, pull out a calculator from a desk drawer and solemnly tot up the figures from the spreadsheet on the calculator. That’s the sort of thing that can beget bigger problems that might go unnoticed.”
“I’ve seen a situation in which someone, in an attempt to be helpful, liquidated a client portfolio on the basis of a phone message rather than waiting for the confirmatory fax,” says Kelsey Biggers of Micro Modeling in New York. “The client changed its mind the following day, but the clerk was too scared to say anything and hung on until just before the accounting statements came out 30 days later to own up. By that time, the consequential losses that the bank had to pay were up to $550,000. You don’t see this sort of screw-up in the media—but it happens all the time in the back office and could easily be cleaned up if you get operational risk best practice sorted out.”
In many cases, however, the institutional response is not to invest in the back office or improve practice. A more typical solution is to create a middle office to watch both the front and back offices. The reasoning seems to be based on the fact that it’s easier to get the funding to pay someone $150,000 a year in a risk management position than it is to get the funding to pay someone the same amount to run operations properly.
One solution to this problem that has been adopted by several banks is to outsource operations and perhaps technology. “Nobody really likes this side of the business, so it’s not surprising that outsourcing is becoming increasingly popular,” says Mark Heugly, senior vice president of operations at Affiliated Computer Services and former senior vice president of investment operations at Zions First National Bank. “But some banks assume that outsourcing absolves them of all responsibility to manage operations risk, which is simply untrue. On one level, they have simply swapped operations risk for vendor risk—but getting rid of the mechanical-function risk doesn’t get rid of the need to manage it.”
A good yardstick for measuring the potential operational risk from a back office is to look at how it categorizes its securities. In many cases, the largest group is “miscellaneous,” and portfolios with 70 percent of securities classified as miscellaneous are not uncommon. If securities are not being treated with appropriate attention to detail, it’s likely that operational liberties will be taken, with a lot of manual trimming to make things fit. For example, convertibles may be treated as straight bonds, with tranches being dropped or PERLs being doctored to make them fit.
Hot spot: technology
But the back office isn’t the only source of operational risk. Technology itself is often a culprit. While the obvious operational technology risk for most companies has been Y2K, less obvious technology risks and operational risk management shortcomings in other areas can combine to drastic effect.
A case in point is the situation revealed in recent litigation between First Utah Bank and a former client. In its eagerness to promote itself as a technology leader among community banks, the bank set up an electronic banking link for the client. Instead of allowing the client to transfer money between its accounts, however, the computer link gave it direct access to the bank’s own operations account.
The result was entirely predictable. In its complaint, the bank claimed that its money was used to fund an exotic lifestyle for its client’s principals, including a boat, a Dodge Viper and a new house. Because of limited back-office resources, reconciliations had apparently fallen behind, and it was the better part of 16 months before anything tangible was done to stop the drain. By that time, $12.7 million had bled away. “We may have left the front door open to the bank, but that never gave these folks the right to walk in and pick up the money,” claimed Gary Doctorman, an attorney for the bank.
Wall Street may snigger, but the same story could be told of some of Wall Street’s best and brightest who overlooked mundane operational risk considerations in their desire to keep a certain near-defunct hedge fund as a client.
Although technological risks are easy to spot and rectify, the beast is hydra-headed: As soon as you hack off one problem, new ones appear. Take the recent growth in electronic trading, which has already spawned a variety of technological trading errors. One recently reported example in London involved a trader who double-clicked a mouse instead of single-clicking it. As a result, he bought 100 times the intended trade in natural gas futures, costing his trading house $400,000.
When it comes to finding solutions to effective operational risk management, it appears that once again SS Capital Markets and SS Insurance Markets are set to collide. The nature of operational risk is perceived in some quarters as best handled by those with experience in insurance risk management rather than market or credit risk. As banks’ CFOs have become increasingly concerned about earnings volatility and have started to become involved in these issues, the situation has been reflected both internally and among third-party vendors.
JP Morgan’s Op Risk Framework
At J.P. Morgan, operational risk is viewed as too tightly enmeshed with the other flavors of risk to be conveniently compartmentalized on its own. “We look at risk from five different perspectives: market, credit, revenue volatility, expense volatility and capital risk, with operating risk as a backdrop across the spectrum,” says Marie Marsina, a vice president with responsibility for advancing firm-wide operating risk management at Morgan.
The firm is a major advocate of pushing responsibility for operational risk management into individual business areas. To facilitate discussions within and between its businesses, Morgan has developed a control framework that covers five types of operational risk—execution, information, relationship, legal and regulatory, and personnel. The framework acts as a firm-wide template for identifying and mitigating risks.
One of the features of Morgan’s approach is a control self-assessment. What makes the tool particularly useful is that it is flexible enough to assess different situations across the firm’s various businesses, and yet it does so within an approach that promotes consistency. For example, if a particular business were to move into a new market or country, the tool would be able to capture those new risks and assess them in a way that fits into a standard format.
In addition to any risk assessments driven by particular events, each business conducts a routine control self-assessment every six months. The results are used by the internal audit team and governance boards to assess the progress the business is making in managing its operational risk. The firm also has a monthly operational risk committee meeting, chaired by Morgan’s chief administrative officer and attended by some 20 senior managers. In addition to examining the health of the various businesses in operational risk terms, the objective is also to share best practices.
This process has evolved over the last five years, with the ongoing objective of establishing a program of policies and procedures that provides guidelines for managing operational risk. In the firm’s experience, the types of low-level operational risks found in every organization are often a result of people simply not understanding procedures. To combat the problem, Morgan has built a corporate standards database designed to keep staff aware of policies and standards.
Marsina is somewhat skeptical of any quantitative, industry-wide approach to operating risk management. “I don’t think this is the kind of subject where you can steer with certainty strictly by the numbers,” she says. “For example, a black box is never going to be able to tell you everything you need to know.”
Although common issues exist across firms and industries (for instance, EMU and Y2K), Marsina says an individual company’s strategy, culture, risk profile, previous capital investments and market position all factor into how it will manage operational risk. Given those factors, it is extremely difficult to set up a “one size fits all” approach to managing and measuring operational risk. Nevertheless, Marsina says that Morgan is always open to new ideas and best practices from any source, be it industry leaders or people inside the firm.
“One of the things we have learned is that the success of managing operating risk comes down to people,” she says. It’s about “their knowledge, training, ability to identify and communicate issues, comply with policies and procedures, and, most of all, their integrity.”
Using insurance cover to neutralize specific operational risks is another growing area, but it comes with a caveat. “Insurance is generally not very useful for any bank trying to maximize shareholder wealth,” says Robert Herrick, managing director of Sedgwick Global Insurance Advisors. “The possible exception is the long-term creeping loss resulting from such things as bad lending habits or discrimination against certain borrower classes that can pile up over time and make a big loss out of a lot of small ones.”
The reasons for this are apparent. The insurance industry has fairly clear evidence that the stock market doesn’t really care about big catastrophic events, such as a rogue trader, if a bank can show that it is able to manage the aftermath effectively, but cares a great deal about long-term incremental costs—partly because of what it says about management and also because it’s seen as a recurring discount off earnings and thus gets factored into the share price. As a result, if a bank can lay off or cap that with insurance, the effect will be beneficial on price/earnings ratios. The message, therefore, seems to be, Don’t buy insurance for protection—buy it for what it says about management.
A number of specific insurance products are now emerging to service the operational risk markets. Contingent equity puts are a product designed for an institution that is subject to external regulation—such as an insurer or bank that’s regulated on the basis of its capital vs. liabilities. The product is essentially a contingent put option on shares triggered by a specific occurrence—such as a rogue trader event in excess of a billion dollars. Then the policyholder has the right to put preferred shares to a market or investor at a predetermined rate and coupon. Although they are probably closer in appearance to debt than preferred shares, denominating them as such allows them to qualify as Tier 1 equity. The principal benefit of this is that, in the event of a triggering event, a lot of money is immediately punched into Tier 1 equity, where it’s really needed.
“Another solution involves buying an out-of-the-money option that, on a triggering of, say, a Y2K event, essentially allows you to put losses to an investor,” says Herrick. “In exchange, you grant the investor an income stream tied to future revenues. It appears that because the payback is in effect a percentage of future revenues, it’s not something for which an accounting accrual can be put up. So you effectively put the losses as if they were insurance and then you pay back in a way that would seem to be outside the ordinary accounting rules for retrospective reinsurance.”
At present, preventative operational risk management measures appear to focus primarily on developing best-practice policies and sticking to them. “I think that proactive human resources management is the key,” says Ong. “To some extent, it’s a policy of deterrence. If, for example, people in the cash management or settlement area know that someone will be calling on them on a regular or irregular basis and making detailed inquiries into errors, then they will pay more attention to the procedures. That doesn’t require quantification—it requires enforcement.”
Although most banks have not bothered to operate a centralized operational risk management scoring scheme, a number of individual business areas are developing their own. Micro Modeling is currently working on a rating system (initially for the buy side) that examines key operational risk areas within an organization. The rating system is based on a detailed questionnaire that buy-side firms complete. To avoid the obvious possibility that respondents will try to pick the “correct” answer, a company that conducts consumer surveys has arranged the questions in order to identify such “gaming.” In addition, there will be random on-site audits, with cheating having consequences for the respondent’s operational risk rating.
The new interest in addressing operational risk is likely to result in some interesting new developments. The back office may benefit from improved investment and status, as banks realize the direct impact that poorly managed risk here can have on the bottom line. The lot of the middle office may also improve, since much of the control of operational risk will devolve there. And a closer scrutiny of operational risk may necessarily involve a certain amount of business process reengineering as loopholes are plugged.
At present the incentive to address operational risk remains largely internal, and the Basle paper is being viewed as a warning shot fired across the bow. With the Capital Adequacy Directive accord 10 years old and creaking at the seams, the BIS clearly has plenty else to keep it busy.
Nevertheless, some regulatory movement toward addressing this issue is likely in the early part of the next decade. In view of that possibility, some banks will no doubt jump on the simultaneous opportunity to pep up the bottom line and be seen as virtuous. For the others, probably the majority, it looks as if it will be a case of jump only when pushed.
Op Risk Goes High-Tech
Operational risk control in banks has traditionally grown out of the insurance function, the physical security function or the operations area. Because there is no general means of quantifying or even identifying and describing operational risk at present, the focus has been on profit-and-loss issues: constraining losses and seeking ways to improve operations in banks.
One British bank, however, is taking a wider view and looking at operational risk as a discrete discipline. The bank has divided the risk into 12 high-level categories, which it believes are sufficiently generic to apply to any commercial enterprise—even a supermarket. Each of the individual business units in the bank is responsible for considering its business processes, weak linkages and the controls it is using—anything from insurance to contingency planning.
The risk managers in each business unit produce a report using standardized terminology and software. Then, using the bank’s proprietary operational risk methodology, it consolidates those reports into a group-wide report, which allows the most significant risk areas to be identified across the bank.
Risk is analyzed on the basis of both severity and frequency. For example, a severe risk will get a score of 1, while a trivial one will score 0.1. If a problem is a frequent occurrence, it will score 1, while if it’s infrequent, it will score 0.1. The goal is to get a gross risk estimate, and then consider the control mechanisms that are in place to address that gross risk. The control mechanisms are scored for efficacy on a similar scale. A score of 0.7 on the first round, for example, might be tempered by a score of 0.5 on the control mechanism to give a net figure of 0.2.
The process makes no distinction between a big risk that is well controlled and a small one that is not controlled—the net score is what counts. As the data accumulate, the bank hopes it will be possible to detect and monitor trends in, among other things, risk areas and the effectiveness of controls.
Operational risks might appear on the bank’s radar screen in a number of ways. If someone estimates a loss of $5,000 a month for a particular risk and it turns out to be $50,000, that will be spotted on the profit-and-loss report. The problem, however, is that the information is retrospective, which isn’t much help with low-frequency, high-impact events.
An audit can also be a good source of information about operational risk when it addresses areas where controls aren’t functioning but no loss has as yet occurred. This approach, however, tends to focus on the specific rather than the general; it may not detect a particular class of risk increasing on a firm-wide basis.
To get around these limitations, the bank has added a second tier of 60 risk categories. Human resources, for example, might have six different subheadings. Individual businesses are then allowed to customize a third tier, making a grand total of 150 classified risks. These are then matched with the P&L returns attributable to those exposures. The bank then tries to determine whether unexpected losses arose from an overly optimistic initial risk assessment, a control that was less effective than anticipated or a new previously unconsidered risk.
The bank also attempts a simple triangular distribution, by comparing the risk manager’s estimate for a risk’s monthly loss, the lowest actual figure for that risk in the last year and the worst possible example of it that can be remembered. The result is an expected value for the loss. By comparing this figure with the actual one in the P&L, the bank can then see the skew in expectations.
The bank is even working on an analysis of something called self-organized criticality—a concept that posits that all complex systems exist in an inherently unstable situation. When a little event happens, for example, it can turn into an avalanche or a minor disturbance. With an idea of the distribution, frequency and consequence of high-frequency, low-impact events, a bank may be able to extrapolate about what could happen with extreme tail events with much better accuracy.